
Windows Analysis Report
FedExInvoice013.exe

Overview

General Information

Sample Name: FedExInvoice013.exe
Analysis ID: 846588
MD5: c2744c4bab87079337e5040cec0c202c
SHA1: f9a492ebcd8647eb373e889329a12bc69beca10d
SHA256: 0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3
Tags: exe, FedEx

Detection

Predator
Score: 87
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Predator
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Moves itself to temp directory
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • FedExInvoice013.exe (PID: 6772 cmdline: C:\Users\user\Desktop\FedExInvoice013.exe MD5: C2744C4BAB87079337E5040CEC0C202C)
    • FedExInvoice013.exe (PID: 860 cmdline: C:\Users\user\Desktop\FedExInvoice013.exe MD5: C2744C4BAB87079337E5040CEC0C202C)
      • Zip.exe (PID: 2884 cmdline: "C:\Users\user\AppData\Local\Temp\Zip.exe" MD5: AF07E88EC22CC90CEBFDA29517F101B9)
  • update_231408.exe (PID: 6800 cmdline: "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start MD5: C2744C4BAB87079337E5040CEC0C202C)
  • update_231408.exe (PID: 7036 cmdline: "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start MD5: C2744C4BAB87079337E5040CEC0C202C)
    • update_231408.exe (PID: 2944 cmdline: C:\Users\user\AppData\Local\Temp\update_231408.exe MD5: C2744C4BAB87079337E5040CEC0C202C)
    • update_231408.exe (PID: 6828 cmdline: C:\Users\user\AppData\Local\Temp\update_231408.exe MD5: C2744C4BAB87079337E5040CEC0C202C)
  • update_231408.exe (PID: 3388 cmdline: "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start MD5: C2744C4BAB87079337E5040CEC0C202C)
  • update_231408.exe (PID: 2328 cmdline: "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start MD5: C2744C4BAB87079337E5040CEC0C202C)
    • update_231408.exe (PID: 3312 cmdline: C:\Users\user\AppData\Local\Temp\update_231408.exe MD5: C2744C4BAB87079337E5040CEC0C202C)
    • update_231408.exe (PID: 7072 cmdline: C:\Users\user\AppData\Local\Temp\update_231408.exe MD5: C2744C4BAB87079337E5040CEC0C202C)
  • cleanup
Name: HawkEye Keylogger, Predator Pain
Description: HawkEye is a keylogger that has been distributed since 2013. Discovered by IBM X-Force, it is currently spread through phishing campaigns targeting businesses worldwide. It is designed to steal credentials from numerous applications, but in the most recently observed versions new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger
No configs have been found
Source / Rule / Description / Author / Strings

Source: C:\Users\user\AppData\Local\Temp\Zip.exe
  Rule: Windows_Trojan_Lucifer_ce9d4cc8
  Description: unknown
  Author: unknown
  Strings:
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Source / Rule / Description / Author / Strings

Source: 00000001.00000002.578657613.000000000296A000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer
  Description: Yara detected Credential Stealer
  Author: Joe Security

Source: 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp
  Rule: Windows_Trojan_Lucifer_ce9d4cc8
  Description: unknown
  Author: unknown
  Strings:
  • 0xeda5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Source: 00000002.00000000.359880749.00000262D6582000.00000002.00000001.01000000.00000009.sdmp
  Rule: Windows_Trojan_Lucifer_ce9d4cc8
  Description: unknown
  Author: unknown
  Strings:
  • 0xee5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Predator
  Description: Yara detected Predator
  Author: Joe Security

Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer
  Description: Yara detected Credential Stealer
  Author: Joe Security
Source / Rule / Description / Author / Strings

Source: 2.0.Zip.exe.262d6580000.0.unpack
  Rule: Windows_Trojan_Lucifer_ce9d4cc8
  Description: unknown
  Author: unknown
  Strings:
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Source: 15.2.update_231408.exe.465ae8.2.raw.unpack
  Rule: JoeSecurity_Predator
  Description: Yara detected Predator
  Author: Joe Security

Source: 15.2.update_231408.exe.465ae8.2.raw.unpack
  Rule: JoeSecurity_GenericDownloader_1
  Description: Yara detected Generic Downloader
  Author: Joe Security

Source: 15.2.update_231408.exe.465ae8.2.raw.unpack
  Rule: JoeSecurity_CredentialStealer
  Description: Yara detected Credential Stealer
  Author: Joe Security

Source: 15.2.update_231408.exe.465ae8.2.raw.unpack
  Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN
  Description: Detects executables referencing many VPN software clients. Observed in infostealers
  Author: ditekSHen
  Strings:
  • 0x1965e:$s1: \Vpn\NordVPN
  • 0x1cdc8:$s2: \VPN\OpenVPN
  • 0x1ce36:$s3: \VPN\ProtonVPN
              No Sigma rule has matched
              No Snort rule has matched


              AV Detection

Source: FedExInvoice013.exe | ReversingLabs: Detection: 32%
Source: FedExInvoice013.exe | Virustotal: Detection: 54%
Source: FedExInvoice013.exe | Avira: detected
Source: Yara match | File source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 6772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: update_231408.exe PID: 6828, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Avira: detection malicious, Label: TR/Redcap.vxffz
Source: FedExInvoice013.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Joe Sandbox ML: detected
Source: 15.2.update_231408.exe.400000.1.unpack | Avira: Label: TR/Redcap.vxffz
Source: FedExInvoice013.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FedExInvoice013.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: FedExInvoice013.exe, 00000001.00000002.595882566.0000000006267000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: FedExInvoice013.exe, 00000001.00000002.595882566.000000000621B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: FedExInvoice013.exe, 00000001.00000002.595882566.000000000624C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000000.359897251.00000262D6588000.00000002.00000001.01000000.00000009.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Zip.exe.1.dr
              Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.531181655.0000000004428000.00000004.00000800.00020000.00000000.sdmp, Newtonsoft.Json.dll0.1.dr, Newtonsoft.Json.dll.1.dr
              Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000002.326182658.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 00000008.00000002.427121077.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000D.00000002.463715411.000000000316B000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_070AC71A)
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 4x nop then dec eax (2_2_00007FF9A5BA9DF9)

              Networking

Source: C:\Users\user\Desktop\FedExInvoice013.exe | DNS query: name: ip-api.com
Source: C:\Users\user\Desktop\FedExInvoice013.exe | DNS query: name: ip-api.com
Source: C:\Users\user\Desktop\FedExInvoice013.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | DNS query: name: ip-api.com
Source: Yara match | File source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
              Source: FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E18000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: unknown | DNS traffic detected: queries for: ip-api.com
              Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
              Source: FedExInvoice013.exe, 00000000.00000002.324504510.0000000000F40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud

              barindex
              Source: Yara match | File source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 6772, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 860, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: update_231408.exe PID: 6828, type: MEMORYSTR

              System Summary

              barindex
              Source: 2.0.Zip.exe.262d6580000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 1.2.FedExInvoice013.exe.29a2ac0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers, Author: ditekSHen
              Source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 00000002.00000000.359880749.00000262D6582000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPED | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8, Author: unknown
              Source: initial sample | Static PE information: Filename: FedExInvoice013.exe
              Source: FedExInvoice013.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 2.0.Zip.exe.262d6580000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 1.2.FedExInvoice013.exe.29a2ac0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
              Source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 00000002.00000000.359880749.00000262D6582000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPEDMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 0_2_0529E1A2
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 0_2_0529E1B0
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 0_2_0529C22C
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_00D4DE59
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_027DB29C
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_027DC310
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_027DB290
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_027D99D0
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_027DDFD0
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_070ABFE8
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_070AA5E8
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_070A22A8
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Code function: 1_2_070ABFDA
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA2D99
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5B93370
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA3B89
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Code function: 8_2_0242C22C
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Code function: 8_2_0242E1AA
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Code function: 8_2_0242E1B0
              Source: FedExInvoice013.exe, 00000000.00000002.324504510.0000000000F40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.348002343.0000000007BC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDiscompard.dll@ vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000000.305121050.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIfGF.exe4 vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.344912622.0000000005730000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePendulum.dll2 vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.326182658.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000000.00000002.326182658.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePendulum.dll2 vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCustomMarshalers.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCustomMarshalers.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.575553466.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FedExInvoice013.exe
              Source: FedExInvoice013.exe, 00000001.00000002.591718237.0000000003AE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIfGF.exe4 vs FedExInvoice013.exe
              Source: FedExInvoice013.exe | Binary or memory string: OriginalFilenamePendulum.dll2 vs FedExInvoice013.exe
              Source: FedExInvoice013.exe | Binary or memory string: OriginalFilenameIfGF.exe4 vs FedExInvoice013.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Section loaded: sfc.dll
              Source: FedExInvoice013.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: FedExInvoice013.exe | ReversingLabs: Detection: 32%
              Source: FedExInvoice013.exe | Virustotal: Detection: 54%
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File read: C:\Users\user\Desktop\FedExInvoice013.exe
              Source: FedExInvoice013.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\FedExInvoice013.exe C:\Users\user\Desktop\FedExInvoice013.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Process created: C:\Users\user\Desktop\FedExInvoice013.exe C:\Users\user\Desktop\FedExInvoice013.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Process created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\update_231408.exe "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe "C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exeProcess created: C:\Users\user\Desktop\FedExInvoice013.exe C:\Users\user\Desktop\FedExInvoice013.exeJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeProcess created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedExInvoice013.exe.log
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
              Source: classification engine | Classification label: mal87.troj.spyw.evad.winEXE@17/11@10/1
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: FedExInvoice013.exe, 00000001.00000002.578657613.0000000002940000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.578657613.0000000002934000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: FedExInvoice013.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Mutant created: \Sessions\1\BaseNamedObjects\update_windows10
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Automated click: Continue
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: FedExInvoice013.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: FedExInvoice013.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: FedExInvoice013.exe, 00000001.00000002.595882566.0000000006267000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: FedExInvoice013.exe, 00000001.00000002.595882566.000000000621B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: FedExInvoice013.exe, 00000001.00000002.595882566.000000000624C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000000.359897251.00000262D6588000.00000002.00000001.01000000.00000009.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Zip.exe.1.dr
              Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.531181655.0000000004428000.00000004.00000800.00020000.00000000.sdmp, Newtonsoft.Json.dll0.1.dr, Newtonsoft.Json.dll.1.dr
              Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000002.326182658.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 00000008.00000002.427121077.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000D.00000002.463715411.000000000316B000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp

              Data Obfuscation

              Source: FedExInvoice013.exe, Quantum/View.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.FedExInvoice013.exe.9f0000.0.unpack, Quantum/View.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5B92DBD push F9A5C321h; ret 2_2_00007FF9A5B92E0A
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA76F8 push ebx; retf 2_2_00007FF9A5BA771A
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5AD8 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5A88 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5A80 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5B9721E pushad ; iretd 2_2_00007FF9A5B9724D
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5B9724E push eax; iretd 2_2_00007FF9A5B9725D
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5B9F912 pushad ; iretd 2_2_00007FF9A5B9F93A
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5B48 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5B58 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5AE0 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5B00 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA7313 push ebx; iretd 2_2_00007FF9A5BA731A
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5B18 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 2_2_00007FF9A5BA5B10 push eax; iretd 2_2_00007FF9A5BA5B79
              Source: initial sample | Static PE information: section name: .text entropy: 7.9628206163311415
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File created: C:\Users\user\Desktop\Newtonsoft.Json.dll
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File created: C:\Users\user\AppData\Local\Temp\Zip.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater

              Hooking and other Techniques for Hiding and Protection

              Source: c:\users\user\desktop\fedexinvoice013.exe | File moved: C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\FedExInvoice013.exe TID: 6836  Thread sleep time: -44102s >= -30000s
              Source: C:\Users\user\Desktop\FedExInvoice013.exe TID: 6812  Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\FedExInvoice013.exe TID: 7092  Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 6608  Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 6608  Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 7032  Thread sleep time: -44102s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 6696  Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 6704  Thread sleep time: -44102s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 6536  Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 2460  Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 1092  Thread sleep count: 9716 > 30
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 2804  Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 2804  Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 1392  Thread sleep count: 9654 > 30
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Dropped PE file which has not been started: C:\Users\user\Desktop\Newtonsoft.Json.dll
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Window / User API: threadDelayed 9726
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe  Window / User API: threadDelayed 9647
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Window / User API: threadDelayed 9716
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Window / User API: threadDelayed 9654
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Thread delayed: delay time: 44102
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 44102
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 44102
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Thread delayed: delay time: 922337203685477
              Source: FedExInvoice013.exe, 00000001.00000002.595882566.0000000006267000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\p5
              Source: FedExInvoice013.exe, 00000001.00000002.575553466.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
              Source: update_231408.exe, 0000000F.00000002.496633652.0000000001509000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
              Source: Zip.exe, 00000002.00000002.453861323.00000262D67FA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: update_231408.exe, 00000013.00000002.533601233.000000000164A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe  Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process token adjusted: Debug
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Memory allocated: page read and write | page guard
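              The "Thread sleep time" and "Thread sleep count" entries above are the raw evidence behind the report's "May sleep (evasive loops)" and "Contains long sleeps" signatures. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses a handful of those lines (copied from this page into a constructed string), aggregates them per process and re-applies the two thresholds the report prints, 30000 for a single sleep and 30 for a sleep loop, taking the magnitude of the report's negative relative-time values. The INFINITE_SLEEP_FLOOR constant, the use of the executable's file name as the grouping key and the is_evasive() verdict are the example's own assumptions, not anything the report defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

LONG_SLEEP_THRESHOLD = 30000   # threshold printed by the report (">= -30000s")
LOOP_COUNT_THRESHOLD = 30      # threshold printed by the report ("> 30")
INFINITE_SLEEP_FLOOR = 10**12  # assumption: waits this large are effectively infinite

# Constructed sample: signature lines copied from this report, whitespace normalised.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\FedExInvoice013.exe TID: 6836 Thread sleep time: -44102s >= -30000s
Source: C:\Users\user\Desktop\FedExInvoice013.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 6608 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 1092 Thread sleep count: 9716 > 30
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 2804 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\update_231408.exe TID: 1392 Thread sleep count: 9654 > 30
""".strip().splitlines()

SIG_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+TID:\s+(?P<tid>\d+)\s+"
    r"Thread sleep (?P<kind>time|count):\s+(?P<val>-?\d+)s?\s+(?:>=|>)\s+(?P<thr>-?\d+)s?\s*$"
)


@dataclass
class SleepProfile:
    """Per-process summary of the sleep behaviour seen in the report lines."""
    tids: set = field(default_factory=set)
    long_sleeps: int = 0       # single sleeps at or above LONG_SLEEP_THRESHOLD
    infinite_sleeps: int = 0   # sleeps at or above INFINITE_SLEEP_FLOOR
    loops: int = 0             # sleep loops above LOOP_COUNT_THRESHOLD
    max_sleep: int = 0
    max_count: int = 0


def parse_line(line):
    """Return the fields of one signature line, or None if it is not a sleep entry."""
    m = SIG_RE.match(line.strip())
    if not m:
        return None
    return {
        "process": m["src"].rsplit("\\", 1)[-1],  # assumption: group by file name
        "tid": int(m["tid"]),
        "kind": m["kind"],
        "value": abs(int(m["val"])),  # the report prints sleeps as negative relative times
    }


def summarize(lines):
    """Aggregate sleep evidence per process, re-applying the report's thresholds."""
    profiles = defaultdict(SleepProfile)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["process"]]
        p.tids.add(rec["tid"])
        if rec["kind"] == "time":
            p.max_sleep = max(p.max_sleep, rec["value"])
            if rec["value"] >= LONG_SLEEP_THRESHOLD:
                p.long_sleeps += 1
            if rec["value"] >= INFINITE_SLEEP_FLOOR:
                p.infinite_sleeps += 1
        else:
            p.max_count = max(p.max_count, rec["value"])
            if rec["value"] > LOOP_COUNT_THRESHOLD:
                p.loops += 1
    return dict(profiles)


def is_evasive(profile):
    """Assumed verdict: any long sleep or any sleep loop counts as timing evasion."""
    return profile.long_sleeps > 0 or profile.loops > 0


if __name__ == "__main__":
    for name, prof in summarize(SAMPLE_LINES).items():
        print(f"{name}: evasive={is_evasive(prof)} long={prof.long_sleeps} "
              f"infinite={prof.infinite_sleeps} loops={prof.loops} threads={sorted(prof.tids)}")
```

              The split between long_sleeps and infinite_sleeps matters in triage: a 44102 delay can be outwaited by a sandbox with a longer run time, whereas the 922337203685477-class values are waits the process never expects to return from, so code after them only runs if the sandbox patches the sleep, which is the behaviour the report's "Thread delayed" entries describe.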

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Memory written: C:\Users\user\AppData\Local\Temp\update_231408.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Process created: C:\Users\user\Desktop\FedExInvoice013.exe C:\Users\user\Desktop\FedExInvoice013.exe
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Process created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe  Process created: C:\Users\user\AppData\Local\Temp\update_231408.exe C:\Users\user\AppData\Local\Temp\update_231408.exe
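              The memory write of a buffer beginning 4D5A ("MZ") at base 400000 into update_231408.exe, combined with update_231408.exe and FedExInvoice013.exe each spawning a fresh copy of themselves, is the pattern the report summarises as "Injects a PE file into a foreign processes": a suspended child is created and a new image is written over its image base. The example below is added here and is not from the report or the sample. It decides whether a memory-write event is a PE image landing at the target's image base by checking the DOS e_lfanew pointer and the NT signature rather than only the first two bytes. The header bytes are constructed, since the report only records that the written value starts with 4D5A; the 0x400000 default image base and the classification labels are assumptions of the example.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"


def build_fake_pe(e_lfanew=0x80, machine=0x014C):
    """Constructed stand-in for the buffer the report saw written at base 400000.

    Only the DOS stub pointer and the NT signature are filled in; everything the
    report did not show (machine type included) is an assumption of this example.
    """
    hdr = bytearray(e_lfanew + 24)
    hdr[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)          # IMAGE_DOS_HEADER.e_lfanew
    hdr[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE      # IMAGE_NT_HEADERS.Signature
    struct.pack_into("<H", hdr, e_lfanew + 4, machine)   # IMAGE_FILE_HEADER.Machine
    return bytes(hdr)


def looks_like_pe_image(data):
    """True if data carries a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):   # truncated write: NT header cannot be confirmed
        return False
    return data[e_lfanew:e_lfanew + 4] == IMAGE_NT_SIGNATURE


def classify_memory_write(writer, target, address, data, target_image_base=0x400000):
    """Classify a cross-process memory write the way a hollowing detector would.

    Labels are this example's own vocabulary:
      no-pe-header                - payload does not start with MZ
      pe-write-off-image-base     - MZ written somewhere other than the image base
      mz-at-image-base-unverified - MZ at the image base but the NT header is absent
      self-hollowing              - full PE written at image base into a copy of the writer
      remote-hollowing            - full PE written at image base into another program
    """
    if data[:2] != IMAGE_DOS_SIGNATURE:
        return "no-pe-header"
    if address != target_image_base:
        return "pe-write-off-image-base"
    if not looks_like_pe_image(data):
        return "mz-at-image-base-unverified"
    return "self-hollowing" if writer == target else "remote-hollowing"


# Constructed event mirroring the report's "Memory written" line; the payload
# bytes beyond the 4D5A prefix are supplied by build_fake_pe().
REPORT_EVENT = {
    "writer": r"C:\Users\user\AppData\Local\Temp\update_231408.exe",
    "target": r"C:\Users\user\AppData\Local\Temp\update_231408.exe",
    "address": 0x400000,
    "data": build_fake_pe(),
}


def classify_report_event(event=REPORT_EVENT):
    return classify_memory_write(event["writer"], event["target"],
                                 event["address"], event["data"])


if __name__ == "__main__":
    print(classify_report_event())
```

              A sandbox only needs the 4D5A prefix to raise the signature, but a host-side detector that sees the whole buffer should insist on the NT signature as well: legitimate installers and updaters do copy MZ-prefixed blobs around in memory, while a verified PE header written exactly at the child's image base, by a parent that has just spawned that child from its own path, is the hollowing sequence and little else.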
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Users\user\Desktop\FedExInvoice013.exe VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe  Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Users\user\Desktop\FedExInvoice013.exe VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Zip.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\update_231408.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\update_231408.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\update_231408.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\update_231408.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\update_231408.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
              Source: FedExInvoice013.exe, 00000001.00000002.595882566.000000000621B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 6772, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 860, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: update_231408.exe PID: 6828, type: MEMORYSTR
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\FedExInvoice013.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: Yara match | File source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000002.578657613.000000000296A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 6772, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: FedExInvoice013.exe PID: 860, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: update_231408.exe PID: 6828, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: 15.2.update_231408.exe.465ae8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.FedExInvoice013.exe.4a40170.7.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 15.2.update_231408.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 15.2.update_231408.exe.402203.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.FedExInvoice013.exe.4a40773.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.FedExInvoice013.exe.4a40170.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.FedExInvoice013.exe.49b5d50.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: FedExInvoice013.exe PID: 6772, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: FedExInvoice013.exe PID: 860, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: update_231408.exe PID: 6828, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques listed per tactic column; numbers in parentheses are the count badges shown next to a technique in the report)

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Windows Management Instrumentation (21); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
              Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Privilege Escalation: Process Injection (111); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Obfuscated Files or Information (3); Software Packing (13); DLL Side-Loading (1); Indicator Removal from Tools
              Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: Security Software Discovery (31); Process Discovery (11); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (23)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
              Collection: Input Capture (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (2); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
              Impact: Modify System Partition; Device Lockout; Delete Device Data

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 846588, Sample: FedExInvoice013.exe, Start date: 14/04/2023, Architecture: WINDOWS, Score: 87

              Top-level signatures:
              • Malicious sample detected (through community Yara rule)
              • Antivirus / Scanner detection for submitted sample
              • Multi AV Scanner detection for submitted file
              • 5 other signatures

              Process tree (graph node numbers in parentheses, followed by the node's count badges as shown):
              • FedExInvoice013.exe (7; badge 3), started
                • Created File: C:\Users\user\...\FedExInvoice013.exe.log, ASCII (dropped)
                • Signature: May check the online IP address of the machine
                • FedExInvoice013.exe (17; badges 16, 19), started
                  • DNS/IP Info: ip-api.com 208.95.112.1, ports 49698, 49699, 49700, TUT-ASUS, United States
                  • Created File: C:\Users\user\AppData\Local\Temp\Zip.exe, PE32 (dropped)
                  • Created File: C:\Users\user\Desktop\Newtonsoft.Json.dll, PE32 (dropped)
                  • Created File: C:\Users\user\AppData\...\Newtonsoft.Json.dll, PE32 (dropped)
                  • Signature: Moves itself to temp directory
                  • Signature: Tries to harvest and steal browser information (history, passwords, etc)
                  • Zip.exe (30; badges 14, 4), started
                    • DNS/IP Info: ip-api.com
                    • Signature: Antivirus detection for dropped file
                    • Signature: May check the online IP address of the machine
                    • Signature: Machine Learning detection for dropped file
              • update_231408.exe (11; badge 2), started
                • Signature: Injects a PE file into a foreign processes
                • update_231408.exe (22), started
                • update_231408.exe (24), started
              • update_231408.exe (13), started
              • 2 other processes (15)
                • update_231408.exe (26), started
                • update_231408.exe (28), started

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample
              Source | Detection | Scanner | Label | Link
              FedExInvoice013.exe | 32% | ReversingLabs | |
              FedExInvoice013.exe | 54% | Virustotal | | Browse
              FedExInvoice013.exe | 100% | Avira | TR/AD.GenSteal.bxbpq |
              FedExInvoice013.exe | 100% | Joe Sandbox ML | |

              Dropped Files
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\Zip.exe | 100% | Avira | TR/Redcap.vxffz |
              C:\Users\user\AppData\Local\Temp\Zip.exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll | 0% | ReversingLabs | |

              Unpacked PE Files
              Source | Detection | Scanner | Label | Link | Download
              15.2.update_231408.exe.400000.1.unpack | 100% | Avira | TR/Redcap.vxffz | | Download File
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
              http://www.tiro.com | 0% | URL Reputation | safe |
              http://www.tiro.com | 0% | URL Reputation | safe |
              http://ns.adobe.c/g | 0% | URL Reputation | safe |
              http://www.goodfont.co.kr | 0% | URL Reputation | safe |
              http://www.carterandcone.com | 0% | URL Reputation | safe |
              http://www.sajatypeworks.com | 0% | URL Reputation | safe |
              http://www.zhongyicts.com.cnA- | 0% | Avira URL Cloud | safe |
              http://www.typography.netD | 0% | URL Reputation | safe |
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
              http://www.founder.com.cn/cnn | 0% | URL Reputation | safe |
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
              http://fontfabrik.com | 0% | URL Reputation | safe |
              http://www.typography.net | 0% | URL Reputation | safe |
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
              http://www.sandoll.co.kr | 0% | URL Reputation | safe |
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
              http://www.sakkal.com | 0% | URL Reputation | safe |
              http://www.agfamonotype. | 0% | URL Reputation | safe |
              http://www.fontbureau.coma | 0% | URL Reputation | safe |
              http://ip-api.comx | 0% | URL Reputation | safe |
              http://en.w | 0% | URL Reputation | safe |
              http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
              http://www.carterandcone.coml | 0% | URL Reputation | safe |
              http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
              http://www.fontbureau.comoitu | 0% | URL Reputation | safe |
              http://www.ascendercorp.com/typedesigners.htmlt | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
              http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe |
              https://gorah.pw | 0% | Avira URL Cloud | safe |
              http://www.founder.com.cn/cnont | 0% | Avira URL Cloud | safe |
              http://ip-api.com8 | 0% | Avira URL Cloud | safe |
              https://gomorrah.pw | 0% | Avira URL Cloud | safe |
              http://www.zhongyicts.com.cn?~ | 0% | Avira URL Cloud | safe |
              http://www.founder.com.cn/cnont | 0% | Virustotal | | Browse
              http://www.founder.com.cn/cntR | 0% | Avira URL Cloud | safe |
              Domains
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              ip-api.com | 208.95.112.1 | true | false | | high

              Contacted URLs
              Name | Malicious | Antivirus Detection | Reputation
              http://ip-api.com/json/ | false | | high
              URLs from Memory and Binaries
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://duckduckgo.com/chrome_newtab | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E18000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.com/designersG | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://duckduckgo.com/ac/?q= | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.com/designers/? | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.zhongyicts.com.cnA- | FedExInvoice013.exe, 00000000.00000003.310867337.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
              http://www.founder.com.cn/cn/bThe | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers? | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://search.yahoo.com?fr=crmas_sfpf | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E18000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.tiro.com | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
              http://www.founder.com.cn/cnont | FedExInvoice013.exe, 00000000.00000003.310550709.0000000005FED000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.310500839.0000000005FED000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
              http://www.fontbureau.com/designers | FedExInvoice013.exe, 00000000.00000003.313658784.0000000005FD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://gorah.pw | Zip.exe, 00000002.00000003.436117864.00000262F11FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://ns.adobe.c/g | FedExInvoice013.exe, 00000001.00000003.387378522.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000003.355422399.00000000070DB000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000003.387015252.00000000070EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.goodfont.co.kr | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.carterandcone.com | FedExInvoice013.exe, 00000000.00000003.311225964.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://ip-api.com8 | Zip.exe, 00000002.00000002.461379695.00000262D8439000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.sajatypeworks.com | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.typography.netD | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.founder.com.cn/cn/cThe | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.founder.com.cn/cnn | FedExInvoice013.exe, 00000000.00000003.310550709.0000000005FED000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.310500839.0000000005FED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.galapagosdesign.com/staff/dennis.htm | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://fontfabrik.com | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designersj | FedExInvoice013.exe, 00000000.00000003.314368258.0000000005FD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.typography.net | FedExInvoice013.exe, 00000000.00000003.309879372.0000000005FD0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://ip-api.com | FedExInvoice013.exe, 00000001.00000002.578657613.0000000002876000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D8485000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D8462000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D8439000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D846E000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D841F000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.513567219.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.galapagosdesign.com/DPlease | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.fonts.com | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.sandoll.co.kr | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.urwpp.deDPlease | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.zhongyicts.com.cn | FedExInvoice013.exe, 00000000.00000003.310867337.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FedExInvoice013.exe, 00000001.00000002.578657613.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D83A1000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.513567219.0000000003261000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 00000013.00000002.541257187.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.sakkal.com | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://gomorrah.pw | FedExInvoice013.exe, 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.578657613.0000000002876000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.578657613.0000000002987000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000003.436209461.00000262F0ED4000.00000004.00000020.00020000.00000000.sdmp, Zip.exe, 00000002.00000003.437559171.00000262F0ED4000.00000004.00000020.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D84AC000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.513567219.0000000003296000.00000004.00000800.00020000.00000000.sdmp, update_231408.exe, 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, update_231408.exe, 00000013.00000002.541257187.00000000033F6000.00000004.00000800.00020000.00000000.sdmp, info.txt.1.dr | false | Avira URL Cloud: safe | unknown
              http://gomorralla.publicvm.com/x/ | update_231408.exe, 0000000D.00000002.473833434.0000000004E9C000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.apache.org/licenses/LICENSE-2.0 | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.com | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.agfamonotype. | FedExInvoice013.exe, 00000000.00000003.313658784.0000000005FCD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E18000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.com/designers/frere-jones.htmlp | FedExInvoice013.exe, 00000000.00000003.314049917.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.314023857.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.314226328.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.313987894.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.314276524.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.314133778.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.314094032.000000000600E000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.314251404.000000000600E000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E18000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.coma | FedExInvoice013.exe, 00000000.00000003.324163182.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E18000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://ip-api.comx | Zip.exe, 00000002.00000002.461379695.00000262D846E000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000002.00000002.461379695.00000262D841F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://en.w | FedExInvoice013.exe, 00000000.00000003.311371742.0000000005FCD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://james.newtonking.com/projects/json | Newtonsoft.Json.dll.1.dr | false | URL Reputation: safe | unknown
              http://www.carterandcone.coml | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.founder.com.cn/cn/ | FedExInvoice013.exe, 00000000.00000003.310227917.0000000005FEE000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.310149291.0000000005FEE000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.310669710.0000000005FEE000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.310726971.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.310767493.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://ac.ecosia.org/autocomplete?q= | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://search.yahoo.com?fr=crmas_sfp | FedExInvoice013.exe, 00000001.00000002.591718237.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003DF0000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.com/designers/cabarga.htmlN | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.founder.com.cn/cn | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers/frere-jones.html | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.fontbureau.comoitu | FedExInvoice013.exe, 00000000.00000003.324163182.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.ascendercorp.com/typedesigners.htmlt | FedExInvoice013.exe, 00000000.00000003.312696816.0000000005FD8000.00000004.00000020.00020000.00000000.sdmp, FedExInvoice013.exe, 00000000.00000003.312613513.0000000005FD8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.jiyu-kobo.co.jp/ | FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmp | false
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.zhongyicts.com.cn?~FedExInvoice013.exe, 00000000.00000003.310867337.0000000005FF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.zhongyicts.com.cno.FedExInvoice013.exe, 00000000.00000003.310867337.0000000005FF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers8FedExInvoice013.exe, 00000000.00000002.345282559.00000000071D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, FedExInvoice013.exe, 00000001.00000002.591718237.0000000003D8E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.founder.com.cn/cntRFedExInvoice013.exe, 00000000.00000003.310550709.0000000005FED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 846588
Start date and time: 2023-04-14 08:14:25 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: FedExInvoice013.exe
Detection: MAL
Classification: mal87.troj.spyw.evad.winEXE@17/11@10/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 81
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:15:30 | API Interceptor | 569x Sleep call for process: FedExInvoice013.exe modified
08:15:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_231408.exe / start
08:15:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_231408.exe / start
08:15:53 | API Interceptor | 129x Sleep call for process: Zip.exe modified
08:16:05 | API Interceptor | 223x Sleep call for process: update_231408.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Teklif-Formu.jar | malicious | STRRAT | ip-api.com/json/
 | bin-cr.exe | malicious | Azorult, Quasar | ip-api.com/json/
 | FB_5108.tmp.bin.exe | malicious | Quasar | ip-api.com/json/
 | doc_zam#U00f3wienie_000040452.pdf.jar | malicious | STRRAT | ip-api.com/json/
 | 123009048-Teklif-Isteme-Formu.jar | malicious | STRRAT | ip-api.com/json/
 | Tax_Returns_of_R48,765.js | malicious | WSHRAT | ip-api.com/json/
 | 22310-Teklif-Isteme-Formu.jar | malicious | STRRAT | ip-api.com/json/
 | twfGwjtki.exe | malicious | Oski Stealer, Vidar | ip-api.com/line/
 | signed_charter_agreement.js | malicious | Quasar | ip-api.com/json/
 | factura000000000000.pdf.jar | malicious | STRRAT | ip-api.com/json/
 | Tax_Returns_of_R48,765.js | malicious | WSHRAT | ip-api.com/json/
 | SKMBT_C454_23021608270.pdf.jar | malicious | STRRAT | ip-api.com/json/
 | proof_of_payment.js | malicious | WSHRAT | ip-api.com/json/
 | 79vKnDO83L.exe | malicious | Azorult, Quasar | ip-api.com/json/
 | SecuriteInfo.com.Trojan.GenericKD.66342135.3446.10413.exe | malicious | Blackshades | ip-api.com/json/
 | SecuriteInfo.com.IL.Trojan.MSILZilla.25609.10697.2823.exe | malicious | Gurcu Stealer | ip-api.com/line?fields=query
 | factura000000000000.PDF.jar | malicious | STRRAT | ip-api.com/json/
 | Fiyat-Talep-Formu-KRK-STF-230116.jar | malicious | STRRAT | ip-api.com/json/
 | MERA_(1).exe | malicious | Unknown | ip-api.com/json/
 | file.exe | malicious | Eternity Clipper | ip-api.com/line?fields=query,country,city
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Teklif-Formu.jar | malicious | STRRAT | 208.95.112.1
 | bin-cr.exe | malicious | Azorult, Quasar | 208.95.112.1
 | FB_5108.tmp.bin.exe | malicious | Quasar | 208.95.112.1
 | doc_zam#U00f3wienie_000040452.pdf.jar | malicious | STRRAT | 208.95.112.1
 | 123009048-Teklif-Isteme-Formu.jar | malicious | STRRAT | 208.95.112.1
 | Tax_Returns_of_R48,765.js | malicious | WSHRAT | 208.95.112.1
 | 22310-Teklif-Isteme-Formu.jar | malicious | STRRAT | 208.95.112.1
 | twfGwjtki.exe | malicious | Oski Stealer, Vidar | 208.95.112.1
 | signed_charter_agreement.js | malicious | Quasar | 208.95.112.1
 | factura000000000000.pdf.jar | malicious | STRRAT | 208.95.112.1
 | Tax_Returns_of_R48,765.js | malicious | WSHRAT | 208.95.112.1
 | SKMBT_C454_23021608270.pdf.jar | malicious | STRRAT | 208.95.112.1
 | proof_of_payment.js | malicious | WSHRAT | 208.95.112.1
 | 79vKnDO83L.exe | malicious | Azorult, Quasar | 208.95.112.1
 | SecuriteInfo.com.Trojan.GenericKD.66342135.3446.10413.exe | malicious | Blackshades | 208.95.112.1
 | SecuriteInfo.com.IL.Trojan.MSILZilla.25609.10697.2823.exe | malicious | Gurcu Stealer | 208.95.112.1
 | factura000000000000.PDF.jar | malicious | STRRAT | 208.95.112.1
 | Fiyat-Talep-Formu-KRK-STF-230116.jar | malicious | STRRAT | 208.95.112.1
 | MERA_(1).exe | malicious | Unknown | 208.95.112.1
 | file.exe | malicious | Eternity Clipper | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | Teklif-Formu.jar | malicious | STRRAT | 208.95.112.1
 | bin-cr.exe | malicious | Azorult, Quasar | 208.95.112.1
 | FB_5108.tmp.bin.exe | malicious | Quasar | 208.95.112.1
 | doc_zam#U00f3wienie_000040452.pdf.jar | malicious | STRRAT | 208.95.112.1
 | 123009048-Teklif-Isteme-Formu.jar | malicious | STRRAT | 208.95.112.1
 | Tax_Returns_of_R48,765.js | malicious | WSHRAT | 208.95.112.1
 | 22310-Teklif-Isteme-Formu.jar | malicious | STRRAT | 208.95.112.1
 | twfGwjtki.exe | malicious | Oski Stealer, Vidar | 208.95.112.1
 | signed_charter_agreement.js | malicious | Quasar | 208.95.112.1
 | factura000000000000.pdf.jar | malicious | STRRAT | 208.95.112.1
 | Tax_Returns_of_R48,765.js | malicious | WSHRAT | 208.95.112.1
 | SKMBT_C454_23021608270.pdf.jar | malicious | STRRAT | 208.95.112.1
 | proof_of_payment.js | malicious | WSHRAT | 208.95.112.1
 | 79vKnDO83L.exe | malicious | Azorult, Quasar | 208.95.112.1
 | SecuriteInfo.com.Trojan.GenericKD.66342135.3446.10413.exe | malicious | Blackshades | 208.95.112.1
 | SecuriteInfo.com.IL.Trojan.MSILZilla.25609.10697.2823.exe | malicious | Gurcu Stealer | 208.95.112.1
 | factura000000000000.PDF.jar | malicious | STRRAT | 208.95.112.1
 | Fiyat-Talep-Formu-KRK-STF-230116.jar | malicious | STRRAT | 208.95.112.1
 | MERA_(1).exe | malicious | Unknown | 208.95.112.1
 | file.exe | malicious | Eternity Clipper | 208.95.112.1
                                                                    Process:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                    File Type:CSV text
                                                                    Category:dropped
                                                                    Size (bytes):2343
                                                                    Entropy (8bit):5.374204171243879
                                                                    Encrypted:false
                                                                    SSDEEP:48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoAPHZHpH+5HK+HKs:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qo
                                                                    MD5:3F114A073575263E59307B55548FD5F4
                                                                    SHA1:971459D541646C4C6B382F06AAFA9F4147716568
                                                                    SHA-256:2417EC96E49CF7352D91892438478E961D8DC870FEB8E8821C732383CD9351F2
                                                                    SHA-512:EA7B613DF726F230ADFEF841E4C8A753228B3AFAE7F2D2FDC2704892910F18254F2D9B31AA5E7D4C993137BCAE92B0FF77D9D31503E96D605DBF0589E42AD809
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1329
                                                                    Entropy (8bit):5.35484142482796
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE49E4184j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzl
                                                                    MD5:F2B811D867CF13313AF96DD088C98CF5
                                                                    SHA1:895A75399A80D7B1C2EEEA56ADBE24F6668A2A22
                                                                    SHA-256:9A19DB007C48DEDB992696016B5FE69C6FC37957036FEB6729F92EAAD75B3A1E
                                                                    SHA-512:09F23A496F1597A5B024921D654A61C2C74168887DA69245C2FDEF97FF463F87F271DA35694D1BA82F47E460776A5F395565003AF1447303C95F9F189FC23F45
                                                                    Malicious:true
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    Process:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1329
                                                                    Entropy (8bit):5.35484142482796
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE49E4184j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzl
                                                                    MD5:F2B811D867CF13313AF96DD088C98CF5
                                                                    SHA1:895A75399A80D7B1C2EEEA56ADBE24F6668A2A22
                                                                    SHA-256:9A19DB007C48DEDB992696016B5FE69C6FC37957036FEB6729F92EAAD75B3A1E
                                                                    SHA-512:09F23A496F1597A5B024921D654A61C2C74168887DA69245C2FDEF97FF463F87F271DA35694D1BA82F47E460776A5F395565003AF1447303C95F9F189FC23F45
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    Process:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                    Category:dropped
                                                                    Size (bytes):804067
                                                                    Entropy (8bit):7.998175809852622
                                                                    Encrypted:true
                                                                    SSDEEP:24576:vnLqSNnuJftmSouC1236Le4UCfZeYsEw/Py7ob:v+SuJfISoq3CexCh/Jw/Py7ob
                                                                    MD5:192953870676B2B4480087787CA41B47
                                                                    SHA1:AB29C18FCCD528D3C37DA3C107111DDC6C51D268
                                                                    SHA-256:1CE62F3032A9FE72766643D79AC029631833B4882B150572E972D9F0B41475F1
                                                                    SHA-512:28ED4D38732F840015E9B0FF19A673CA145DD4461583A03792AA565BE888464A1FE7AE1A1DB110F0F6CA4CC444A2D034678DB40355580A5D1A2C3C6097C41CE3
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):12861
                                                                    Entropy (8bit):5.146432365744317
                                                                    Encrypted:false
                                                                    SSDEEP:96:xwI1IzJ0Npt0KY0DpaS0dVSWI8VIu5fKM0Aoc9OGObO0OROZO99OXcgc0cAO7cDk:aq0R0zU/QVWB
                                                                    MD5:8EE4E55FCF30BE8A76950F6F520204F6
                                                                    SHA1:46F5E3DB3B5E93699735411382E396AA7365BE9D
                                                                    SHA-256:970BD559D3828648528EF99AFC845069153123289C9A20E3B6E57EA4BF2CFC6C
                                                                    SHA-512:7679C52085223EE619EF85F4249EF2F55B802C6390181104816C6CFCC6F0F421210E6E6D2609324740158726522FF2A5A1B9B16A7ECDDF01A74D528B7638BD8D
                                                                    Malicious:false
                                                                    Preview:Application Name : Google.Chrome....Version : 104.0.5112.81....Installed Date . 20220816....Application Name: Microsoft Office Professional Plus 2016....Application Name: Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501....Application Name : Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005....Version : 12.0.21005....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319....Version : 10.0.30319....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702....Version : 14.21.27702....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702....Version : 14.21.27702....Installed Date . 20190627....Application Name : Java 8 Update 211....Version : 8.0.2110.12....Installed Date . 20190627....Application Name: Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030....Application Name: Microsoft Visu
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4475
                                                                    Entropy (8bit):4.625899050301983
                                                                    Encrypted:false
                                                                    SSDEEP:12:BQawXgwXhHwXwRHwXgwXgwXgwXgwXgwXgwXgwXgwXhHwXhqRXRoHwXpqHwXhHwXi:WZly0N8pzpT
                                                                    MD5:285D94B467B7156F4DD4BF065F402BD5
                                                                    SHA1:FE2BCFB49DB531772EF20CADCD84E4F0E99EFE7B
                                                                    SHA-256:7694E6C949C1E5769E967C9D5F19FFF754E0E232790629E46C8A0D5B5D2AFF49
                                                                    SHA-512:1FEC8EEEC4CE786ACF71AE4651C12EAD76DD16037B99FA1AFDD81F17D7190C69F28A03CBC7C9D6E0E8B2CD708752EF9EF57CC6E5E8E4443055851F8081211713
                                                                    Malicious:false
                                                                    Preview:Name : svchost....Name : FedExInvoice013....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : sihost....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : svchost....Name : csrss....Name : TtURyDZyNLaZuUevUxcqK....Name : ShellExperienceHost....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : TtURyDZyNLaZuUevUxcqK....Name : svchost....Name : svchost....Name : TtURyDZyNLaZuUev
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):810114
                                                                    Entropy (8bit):7.947181059055855
                                                                    Encrypted:false
                                                                    SSDEEP:12288:hnMPg/ca6vgjLio2hkcxelRvor2Dya9sUnZGkKbTcCIQfT8GR5PEJCpddl5hyd8h:h9aXjel7hsUZGxllAsPESddl5Qd8qHo
                                                                    MD5:5BE98B740D8272F0C9960214417BF4D7
                                                                    SHA1:D20E8BAA692B4C3B655DA0DE6B209878BBCAE6D0
                                                                    SHA-256:E56328813D6A868B2E719FAE705D2CD78E03EF59A022F96C911E5BDFA7DBB746
                                                                    SHA-512:DA7DFD50271302475EDF44654110ADED326CAD3F6D4C832C7D42CA41357C89296A17BF1904D734D6A48DD954D495DA08DA1641B47C8ABD82717EEB9FCFE2F80A
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):332
                                                                    Entropy (8bit):4.579461777700594
                                                                    Encrypted:false
                                                                    SSDEEP:6:9llCF2Rpj1hx0+A7JRXWQuGsLf15Ro1WcEuo8T:fYIpxXKRXWQzsLN5RJcfV
                                                                    MD5:0564CDD871EA7AC474F23905220CA531
                                                                    SHA1:DB461CB3D58DAE3DFBAEB8CCBE705ADF85CA799F
                                                                    SHA-256:87E29A84554F713D4A6B2B36112023BA323CD7848DDA8F666F1CF15F42D3F221
                                                                    SHA-512:67789D9170B2A20E2C51A3B5B2F5327EE896898C8AF642178DFFD5BCAA26ABDF0F0C916086FA1F4CFB17D5C8AE10A17B3782427755EC3879BC9E1187951859D9
                                                                    Malicious:false
                                                                    Preview:PC Name : 745481..Operating System : Microsoft Windows 10 Pro..Anti virus : Windows Defender..Firewall : None..Processor : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Memory (RAM) : 8.00 GB..-----------------------------------------------------------------------..-------------Developed By th3darkly [ https://gomorrah.pw ]-------------
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:modified
                                                                    Size (bytes):407776
                                                                    Entropy (8bit):6.080910017085125
                                                                    Encrypted:false
                                                                    SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                    MD5:F75FE8D06448D07720D5456F2A327F08
                                                                    SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                    SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                    SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):32256
                                                                    Entropy (8bit):5.050531187823917
                                                                    Encrypted:false
                                                                    SSDEEP:384:KfkVQ748aUKN6C8/3g2L4QDL0Lk24jXPlfLoem/xYUIoPBsNJc:RW7PTKF8fPdDL42XPUIc
                                                                    MD5:AF07E88EC22CC90CEBFDA29517F101B9
                                                                    SHA1:A9E6F4AE24ABF76966D7DB03AF9C802E83760143
                                                                    SHA-256:1632FBFF8EDC50F2C7EF7BB2FE9B2C17E6472094F0D365A98E0DEC2A12FA8EC2
                                                                    SHA-512:B4575AF98071FC8D46C022E24BFB2C1567D7E5F3DE0D8FB5FEE6F876985C7780A5B145F645725FF27A15367162AA08490AC2F8DD59D705663094FE4E1EEEC7BC
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Process:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):407776
                                                                    Entropy (8bit):6.080910017085125
                                                                    Encrypted:false
                                                                    SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                    MD5:F75FE8D06448D07720D5456F2A327F08
                                                                    SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                    SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                    SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                    Malicious:false
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.956910484132956
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:FedExInvoice013.exe
                                                                    File size:898560
                                                                    MD5:c2744c4bab87079337e5040cec0c202c
                                                                    SHA1:f9a492ebcd8647eb373e889329a12bc69beca10d
                                                                    SHA256:0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3
                                                                    SHA512:b4500903b5d30bdd558f241ac31d2405a966ef3b6444674b3b35d01741402ce08a55deeed0bbd85bbe673491a4d4ce4e7b30608e19f008b309ebc91b448ceabf
                                                                    SSDEEP:12288:OqxiRq8Wzhy7/G5F4MkyzlvMjSp2O28Bu7O1mwlF6jiFOhG4q3N4X5Krg:3iRKhy7/G5GMxt67/m6uJMr
                                                                    TLSH:1015237274A00F6BC72893F29964C52903329877E860C1CD8DD169ED6FD2B235FA2B57
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;P7d..............0.................. ........@.. ....................... ............@................................
                                                                    Icon Hash:0060c4c6e4e42800
                                                                    Entrypoint:0x4dc6c2
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x6437503B [Thu Apr 13 00:43:39 2023 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax+eax+78h], dh
                                                                    add byte ptr [eax+eax+00h], dh
                                                                    add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xdc670          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xde000          0x824         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xda6d0       0xda800   False     0.9615777406321511  data       7.9628206163311415   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xde000          0x824         0xa00     False     0.441796875         data       4.6860587215467975   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe0000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA      Size   Type                                                        Language  Country
RT_ICON        0xde0c8  0x4e5  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xde5c0  0x14   data
RT_VERSION     0xde5e4  0x23c  data

DLL          Import
mscoree.dll  _CorExeMain

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class        DNS over HTTPS
Apr 14, 2023 08:15:34.425494909 CEST  192.168.2.5  8.8.8.8  0xffa4    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:15:42.332782984 CEST  192.168.2.5  8.8.8.8  0x408f    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:15:45.600755930 CEST  192.168.2.5  8.8.8.8  0xc47e    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:15:50.824959040 CEST  192.168.2.5  8.8.8.8  0xfd8d    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:10.370781898 CEST  192.168.2.5  8.8.8.8  0xa0c9    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:11.138619900 CEST  192.168.2.5  8.8.8.8  0x6f92    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:22.829914093 CEST  192.168.2.5  8.8.8.8  0x5613    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:42.795260906 CEST  192.168.2.5  8.8.8.8  0x8566    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:44.026685953 CEST  192.168.2.5  8.8.8.8  0xc9f1    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:17:03.828217030 CEST  192.168.2.5  8.8.8.8  0x78a1    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name        CName  Address       Type            Class        DNS over HTTPS
Apr 14, 2023 08:15:34.452737093 CEST  8.8.8.8    192.168.2.5  0xffa4    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:15:42.369009972 CEST  8.8.8.8    192.168.2.5  0x408f    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:15:45.629513979 CEST  8.8.8.8    192.168.2.5  0xc47e    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:15:50.855010986 CEST  8.8.8.8    192.168.2.5  0xfd8d    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:10.390831947 CEST  8.8.8.8    192.168.2.5  0xa0c9    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:11.167447090 CEST  8.8.8.8    192.168.2.5  0x6f92    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:22.865674973 CEST  8.8.8.8    192.168.2.5  0x5613    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:42.815645933 CEST  8.8.8.8    192.168.2.5  0x8566    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:16:44.062144995 CEST  8.8.8.8    192.168.2.5  0xc9f1    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Apr 14, 2023 08:17:03.871936083 CEST  8.8.8.8    192.168.2.5  0x78a1    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false

• ip-api.com

Session ID: 0
Source IP: 192.168.2.5  Source Port: 49698  Destination IP: 208.95.112.1  Destination Port: 80
Process: C:\Users\user\Desktop\FedExInvoice013.exe

Timestamp: Apr 14, 2023 08:15:34.506021976 CEST  kBytes transferred: 94  Direction: OUT
Data:
GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Timestamp: Apr 14, 2023 08:15:34.543526888 CEST  kBytes transferred: 94  Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 06:15:33 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 286
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


Session ID: 1
Source IP: 192.168.2.5  Source Port: 49699  Destination IP: 208.95.112.1  Destination Port: 80
Process: C:\Users\user\Desktop\FedExInvoice013.exe

Timestamp: Apr 14, 2023 08:15:42.407303095 CEST  kBytes transferred: 95  Direction: OUT
Data:
GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Timestamp: Apr 14, 2023 08:15:42.446984053 CEST  kBytes transferred: 96  Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 06:15:41 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 286
Access-Control-Allow-Origin: *
X-Ttl: 52
X-Rl: 43
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


Session ID: 2
Source IP: 192.168.2.5  Source Port: 49700  Destination IP: 208.95.112.1  Destination Port: 80
Process: C:\Users\user\Desktop\FedExInvoice013.exe

Timestamp: Apr 14, 2023 08:15:45.740189075 CEST  kBytes transferred: 96  Direction: OUT
Data:
GET /json/ HTTP/1.1
Host: ip-api.com

Timestamp: Apr 14, 2023 08:15:45.785005093 CEST  kBytes transferred: 97  Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 06:15:45 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 286
Access-Control-Allow-Origin: *
X-Ttl: 48
X-Rl: 42
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


Session ID: 3
Source IP: 192.168.2.5  Source Port: 49701  Destination IP: 208.95.112.1  Destination Port: 80
Process: C:\Users\user\Desktop\FedExInvoice013.exe

Timestamp: Apr 14, 2023 08:15:50.905534029 CEST  kBytes transferred: 97  Direction: OUT
Data:
GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Timestamp: Apr 14, 2023 08:15:50.943051100 CEST  kBytes transferred: 98  Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 06:15:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 286
Access-Control-Allow-Origin: *
X-Ttl: 43
X-Rl: 41
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                    4192.168.2.549702208.95.112.180C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Timestamp: Apr 14, 2023 08:16:10.432730913 CEST
                                                                    kBytes transferred: 99
                                                                    Direction: OUT
                                                                    Data: GET /json/ HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Timestamp: Apr 14, 2023 08:16:10.470344067 CEST
                                                                    kBytes transferred: 99
                                                                    Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Date: Fri, 14 Apr 2023 06:16:09 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 286
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 24
                                                                    X-Rl: 40
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


                                                                    Session ID: 5
                                                                    Source IP: 192.168.2.5
                                                                    Source Port: 49703
                                                                    Destination IP: 208.95.112.1
                                                                    Destination Port: 80
                                                                    Process: C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Timestamp: Apr 14, 2023 08:16:11.206224918 CEST
                                                                    kBytes transferred: 100
                                                                    Direction: OUT
                                                                    Data: GET /json/ HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
                                                                    Timestamp: Apr 14, 2023 08:16:11.245042086 CEST
                                                                    kBytes transferred: 100
                                                                    Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Date: Fri, 14 Apr 2023 06:16:10 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 286
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 23
                                                                    X-Rl: 39
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


                                                                    Session ID: 6
                                                                    Source IP: 192.168.2.5
                                                                    Source Port: 49705
                                                                    Destination IP: 208.95.112.1
                                                                    Destination Port: 80
                                                                    Process: C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Timestamp: Apr 14, 2023 08:16:22.934082031 CEST
                                                                    kBytes transferred: 112
                                                                    Direction: OUT
                                                                    Data: GET /json/ HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
                                                                    Timestamp: Apr 14, 2023 08:16:22.971714973 CEST
                                                                    kBytes transferred: 113
                                                                    Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Date: Fri, 14 Apr 2023 06:16:22 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 286
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 11
                                                                    X-Rl: 38
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


                                                                    Session ID: 7
                                                                    Source IP: 192.168.2.5
                                                                    Source Port: 49706
                                                                    Destination IP: 208.95.112.1
                                                                    Destination Port: 80
                                                                    Process: C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Timestamp: Apr 14, 2023 08:16:42.894695997 CEST
                                                                    kBytes transferred: 113
                                                                    Direction: OUT
                                                                    Data: GET /json/ HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
                                                                    Timestamp: Apr 14, 2023 08:16:42.932326078 CEST
                                                                    kBytes transferred: 114
                                                                    Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Date: Fri, 14 Apr 2023 06:16:42 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 286
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 60
                                                                    X-Rl: 44
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


                                                                    Session ID: 8
                                                                    Source IP: 192.168.2.5
                                                                    Source Port: 49707
                                                                    Destination IP: 208.95.112.1
                                                                    Destination Port: 80
                                                                    Process: C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Timestamp: Apr 14, 2023 08:16:44.103967905 CEST
                                                                    kBytes transferred: 114
                                                                    Direction: OUT
                                                                    Data: GET /json/ HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Timestamp: Apr 14, 2023 08:16:44.141978025 CEST
                                                                    kBytes transferred: 115
                                                                    Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Date: Fri, 14 Apr 2023 06:16:43 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 286
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 58
                                                                    X-Rl: 43
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}


                                                                    Session ID: 9
                                                                    Source IP: 192.168.2.5
                                                                    Source Port: 49708
                                                                    Destination IP: 208.95.112.1
                                                                    Destination Port: 80
                                                                    Process: C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Timestamp: Apr 14, 2023 08:17:03.912244081 CEST
                                                                    kBytes transferred: 116
                                                                    Direction: OUT
                                                                    Data: GET /json/ HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
                                                                    Timestamp: Apr 14, 2023 08:17:03.949599981 CEST
                                                                    kBytes transferred: 116
                                                                    Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Date: Fri, 14 Apr 2023 06:17:03 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 286
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 38
                                                                    X-Rl: 42
                                                                    Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8040","lat":47.3682,"lon":8.5671,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Datacamp Limited","as":"AS212238 Datacamp Limited","query":"84.17.52.2"}



                                                                    Target ID:0
                                                                    Start time:08:15:23
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Imagebase:0x9f0000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000002.329464106.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:low

                                                                    Target ID:1
                                                                    Start time:08:15:31
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\Desktop\FedExInvoice013.exe
                                                                    Imagebase:0x4a0000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.578657613.000000000296A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000001.00000002.578657613.0000000002995000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:low

                                                                    Target ID:2
                                                                    Start time:08:15:48
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\Zip.exe"
                                                                    Imagebase:0x262d6580000
                                                                    File size:32256 bytes
                                                                    MD5 hash:AF07E88EC22CC90CEBFDA29517F101B9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000002.00000000.359880749.00000262D6582000.00000002.00000001.01000000.00000009.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:moderate

                                                                    Target ID:3
                                                                    Start time:08:15:52
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
                                                                    Imagebase:0x850000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    Target ID:8
                                                                    Start time:08:15:53
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
                                                                    Imagebase:0xa0000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:low

                                                                    Target ID:9
                                                                    Start time:08:16:00
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
                                                                    Imagebase:0xa20000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    Target ID:13
                                                                    Start time:08:16:04
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\update_231408.exe" / start
                                                                    Imagebase:0xd20000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:low

                                                                    Target ID:14
                                                                    Start time:08:16:10
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Imagebase:0x180000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    Target ID:15
                                                                    Start time:08:16:11
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Imagebase:0xeb0000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 0000000F.00000002.493171759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:low

                                                                    Target ID:18
                                                                    Start time:08:16:29
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Imagebase:0x120000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    Target ID:19
                                                                    Start time:08:16:30
                                                                    Start date:14/04/2023
                                                                    Path:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Local\Temp\update_231408.exe
                                                                    Imagebase:0xe80000
                                                                    File size:898560 bytes
                                                                    MD5 hash:C2744C4BAB87079337E5040CEC0C202C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:low


                                                                      Execution Graph

                                                                      Execution Coverage:10.5%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:105
                                                                      Total number of Limit Nodes:7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e4e5dbf976544bd533371d3c8117051e4a3264437af1a551e6594f482fc6fb12
                                                                      • Instruction ID: 69dd88b5195df3724a8cc33b7b22af135f0fb3a412bc7f3a423acb9487da89d0
                                                                      • Opcode Fuzzy Hash: e4e5dbf976544bd533371d3c8117051e4a3264437af1a551e6594f482fc6fb12
                                                                      • Instruction Fuzzy Hash: F5C17CB1C927268BD710DF64E8883A93BB0FB853A8FD04B09D165AF6D0D7B4106ACF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 05299616
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 9438ebd2055fe42a35e51ef7240ceec573001a5d4549012fa5330248ef6f9acb
                                                                      • Instruction ID: 8522564f655b226a400042147a1ad5b138b2ed667f3e84b10c49c2147a35938f
                                                                      • Opcode Fuzzy Hash: 9438ebd2055fe42a35e51ef7240ceec573001a5d4549012fa5330248ef6f9acb
                                                                      • Instruction Fuzzy Hash: 0C7103B0A10B068FDB68DF6AD1547AABBF1BF88310F00892DD48AD7B40D775E8458B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0529FE4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: a5ab64feb299c5591a6811689926ecec10477479711583a739b820ecd791ec9b
                                                                      • Instruction ID: 5e192c0b10a6aefc3fab657ae5461c4c2f5de0ae624fef45544f020a1a93088f
                                                                      • Opcode Fuzzy Hash: a5ab64feb299c5591a6811689926ecec10477479711583a739b820ecd791ec9b
                                                                      • Instruction Fuzzy Hash: D151BEB1D103099FDF15CF9AC984ADEBBB5BF88310F64812AE819AB310D7749985CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0529FE4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 8d9187b299b0cdce89430741a3ca41cd79d70afdd21c68d67e137a16d5c3cc38
                                                                      • Instruction ID: e0626ecce9dee3730879c1ef4a43a013a71be23f362481a574fb759e3d608dca
                                                                      • Opcode Fuzzy Hash: 8d9187b299b0cdce89430741a3ca41cd79d70afdd21c68d67e137a16d5c3cc38
                                                                      • Instruction Fuzzy Hash: E951CDB1D103099FDF15CFA9D984ADEBBB1BF88314F24812AE819AB210D7749885CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 05295581
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 95e21a3cb67d8ae15bb0520b6401532342fe760d728255a7c453f28e6a92c753
                                                                      • Instruction ID: ddb93b4614fe7a986684cf8022f5ee613c893ef76bd0d61ff8f7232afe54eb59
                                                                      • Opcode Fuzzy Hash: 95e21a3cb67d8ae15bb0520b6401532342fe760d728255a7c453f28e6a92c753
                                                                      • Instruction Fuzzy Hash: 7E41D0B1D10719CFDB24DFA9C884BDEBBB2BF48304F60806AD409AB251D7B56945CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 05295581
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 5cf10d38a07adba9f9650864b45620bfc394fe390a5e40b136d67805c7e60b59
                                                                      • Instruction ID: f9d7254db6e5f4ee1ab5c096d1e746752a489bb43279373be387ca551c4a6394
                                                                      • Opcode Fuzzy Hash: 5cf10d38a07adba9f9650864b45620bfc394fe390a5e40b136d67805c7e60b59
                                                                      • Instruction Fuzzy Hash: 3941D1B1D10319CFDB24DFA9C8847DEBBB2BF48304F24846AD409AB251DBB56945CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05299691,00000800,00000000,00000000), ref: 052998A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 0dd0eeb2bef25c2c4cdc53470c639058eb066cdba422514c4e64dbbf4e4ea413
                                                                      • Instruction ID: f5d5033834dfd9f28525526dff94d4a3a284cb4c6b0a01bbd68c1d25b1e0d647
                                                                      • Opcode Fuzzy Hash: 0dd0eeb2bef25c2c4cdc53470c639058eb066cdba422514c4e64dbbf4e4ea413
                                                                      • Instruction Fuzzy Hash: AA2148B28153498FDB14CFAAC884BDABFF4BF59360F14842ED459AB700C374A545CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0529B8C6,?,?,?,?,?), ref: 0529B987
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 88632b369f3ee560c012d4bd0625f683a0520c5580961c46269c2feaa4114dca
                                                                      • Instruction ID: 414bf28acf615243a1c432140616524ee827551af8c3b986b998d5fb0dae229b
                                                                      • Opcode Fuzzy Hash: 88632b369f3ee560c012d4bd0625f683a0520c5580961c46269c2feaa4114dca
                                                                      • Instruction Fuzzy Hash: 6321B2B5D142099FDB10CF9AD984ADEBBF4EF48320F14841AE919B7310D378A954CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0529B8C6,?,?,?,?,?), ref: 0529B987
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 35561437e5776f86280c3c2c74173a5d46a5808e440827e50e9ba617afeb547c
                                                                      • Instruction ID: e038fe18d8c897b27a4d57c24bdea59a266a5a8df1a4f5ddab24629d236a1693
                                                                      • Opcode Fuzzy Hash: 35561437e5776f86280c3c2c74173a5d46a5808e440827e50e9ba617afeb547c
                                                                      • Instruction Fuzzy Hash: 5D21E0B5D002499FDB10CFAAD584ADEBBF4FF08320F14841AE918A7350D378A944CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05299691,00000800,00000000,00000000), ref: 052998A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8f0ed0be8d456a357c976c1298d46f5fffd563c2e67ddf02ac9f66a439e8ef57
                                                                      • Instruction ID: 29f7ea162afd3a8d396ae98f7b3922e1c16d97e2c47c3e47277f607d77940401
                                                                      • Opcode Fuzzy Hash: 8f0ed0be8d456a357c976c1298d46f5fffd563c2e67ddf02ac9f66a439e8ef57
                                                                      • Instruction Fuzzy Hash: 7711C0B69102099FDB14CF9AC544ADEBBF4BF98320F14842ED419A7200C3B5A985CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05299691,00000800,00000000,00000000), ref: 052998A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 6eeafee97b0d729c0fd2a983a8a38c7ab50b4012142bf0ccb27049771711b72c
                                                                      • Instruction ID: 938362c18a812f9789b76f3822de868827fe40bcebdc818dd13231ffab647a2e
                                                                      • Opcode Fuzzy Hash: 6eeafee97b0d729c0fd2a983a8a38c7ab50b4012142bf0ccb27049771711b72c
                                                                      • Instruction Fuzzy Hash: 1311C2B6D002499FDB14CFAAD548ADEFBF4BF88320F14842ED419A7600C375A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 05299616
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 6566cecab12785b97e4e18f724d384b3d000448dbc5aac6afa5b39e99c09faae
                                                                      • Instruction ID: 832441b21c0a26e17c11fc3857097e623478f718b15d30b8d6cb7acd6585ba57
                                                                      • Opcode Fuzzy Hash: 6566cecab12785b97e4e18f724d384b3d000448dbc5aac6afa5b39e99c09faae
                                                                      • Instruction Fuzzy Hash: B611CDB6C002498FDB24CF9AC544ADEFBF4AF88224F14846AD429B7610C379A585CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325344170.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10ad000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 927990c4a434441bb3d5830774e73730b5843d3900df24f6d061323fecc83476
                                                                      • Instruction ID: aeeb300eaa54f5b318113190b8a4c0af0a84ec7b7820964e060d5b30f8d1212a
                                                                      • Opcode Fuzzy Hash: 927990c4a434441bb3d5830774e73730b5843d3900df24f6d061323fecc83476
                                                                      • Instruction Fuzzy Hash: A8213A71504240DFDB15DFA8D9C0B2ABFA5FB88318F64C6A9E8850B606C336D446C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325476566.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10bd000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a7bb4815e955880f07f6d0505d2be9cf0acf1ad6880e2f137955e9b93bb0f4de
                                                                      • Instruction ID: 0db20cbcf14f9e5d09555a1db4195a74c8737372e4a7e3022d6fc9deea67593b
                                                                      • Opcode Fuzzy Hash: a7bb4815e955880f07f6d0505d2be9cf0acf1ad6880e2f137955e9b93bb0f4de
                                                                      • Instruction Fuzzy Hash: 77210375514340DFDB15CF58D5C0B56FBA1EB84358F24C9A9E8890B246C33AD847CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325476566.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10bd000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 61c79288d17c05a02fde51dec1b557dd5eb932fb0690fddf165e34a88aff0350
                                                                      • Instruction ID: 42293b1e8fc218e2de5eae3d540f607fc83a920e82f151bd0737c7f7f5e5157a
                                                                      • Opcode Fuzzy Hash: 61c79288d17c05a02fde51dec1b557dd5eb932fb0690fddf165e34a88aff0350
                                                                      • Instruction Fuzzy Hash: 22213771504380EFDB05CF98D5C0B56FBA1FB84328F20CAADD8894B246C336D846CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325476566.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10bd000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0009274ccfb59c332854d21bdc5d31c3246f1c916288d96a8a51d6ed12834f0c
                                                                      • Instruction ID: ab5b84db6904d842fd498975b2e8ee76f1ceec587f62316da7397960ea003269
                                                                      • Opcode Fuzzy Hash: 0009274ccfb59c332854d21bdc5d31c3246f1c916288d96a8a51d6ed12834f0c
                                                                      • Instruction Fuzzy Hash: 8B2141755083809FDB12CF54D994B11BFB1EB46214F28C5EAD8898B257C33AD856CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325344170.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10ad000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                                                      • Instruction ID: 59709e82407e7f8fdb27abc9e44398b192da1de9269889b15d17b7b6936b2e12
                                                                      • Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                                                      • Instruction Fuzzy Hash: 5711D376904280CFDB12CF54D5C4B16BFB1FB84324F28C6A9D8850B656C336D456CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325476566.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10bd000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
                                                                      • Instruction ID: 1465cab65e10f90f05adf5cf898283c55b59cf133277a68c0d9e9243842b1b3c
                                                                      • Opcode Fuzzy Hash: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
                                                                      • Instruction Fuzzy Hash: 5111BB75904280DFDB42CF54C5C0B55FFA1FB84328F28C6ADD8894B656C33AD84ACB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325344170.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10ad000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: db61b68127b0dbebac6fbb7b789c87153bc5c6a3a74503b25e54314070e01de5
                                                                      • Instruction ID: 34d83669294b669c886a73afed24bae8b31aee981f87002fd7123afcfb3495ba
                                                                      • Opcode Fuzzy Hash: db61b68127b0dbebac6fbb7b789c87153bc5c6a3a74503b25e54314070e01de5
                                                                      • Instruction Fuzzy Hash: A801D4314043C49AE7154A9DCC8076EFFD8FF41770F18849AED851A642D7789840CBB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.325344170.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_10ad000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c1d282385676567a75fd1343f08cccacada3ced646d6123787c69df8af929127
                                                                      • Instruction ID: 33636ddccbdcec7d711f0a0e7ee3da0447060bcc2a5ec89d8597cac4274d1376
                                                                      • Opcode Fuzzy Hash: c1d282385676567a75fd1343f08cccacada3ced646d6123787c69df8af929127
                                                                      • Instruction Fuzzy Hash: 85F0CD72404384AEE7258A5ACC84B67FFD8EF81734F18C49AED481F682D3799844CBB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c7c27ecc134b8c512c99846e26b6ae5c5b8ce5dfd7057ba8185c837e8e868a3
                                                                      • Instruction ID: b1c95dc680ed21d896fdeeb3794e3587aa173b68002fa8fa43099646356414a5
                                                                      • Opcode Fuzzy Hash: 1c7c27ecc134b8c512c99846e26b6ae5c5b8ce5dfd7057ba8185c837e8e868a3
                                                                      • Instruction Fuzzy Hash: F712F8F1CD37668BE310CF65E4883A93BA0B7413A9BD04B09D2699F6D0D7B4016ACF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5290000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 459f7f58b87b185039e5511f17e190287f1e87b9a3683d7cf885c7dd95c6d730
                                                                      • Instruction ID: 07b5a875817c555e298f6cc45157be9e2935b0ef4303a23262755ba791c47231
                                                                      • Opcode Fuzzy Hash: 459f7f58b87b185039e5511f17e190287f1e87b9a3683d7cf885c7dd95c6d730
                                                                      • Instruction Fuzzy Hash: CFA17F32E1021ACFCF19DFA5C8445EEBBB2FF85300B15856AE905BB321DB71A955CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
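The function records above all share one layout: an optional `APIs` list, a `Memory Dump Source` line naming the `.sdmp` region the code was lifted from, the IDA-plugin snapshot, the similarity IDs and hashes, and a closing `Uniqueness Score`. When a report has hundreds of these, the useful triage question is which memory regions they cluster in and what those regions do. The parser below is an added example written for this page, not Joe Sandbox code; it assumes each record ends at its `Uniqueness Score` line and that the dot-separated `.sdmp` name is `<process index>.<dump phase>.<dump id>.<base address>.<protection>.<type>.<state>.<unused>` with the protection field holding a Win32 `PAGE_*` constant (`0x40` is `PAGE_EXECUTE_READWRITE`). The sample input is constructed from three records on this page. Regions that are RWX, not backed by a PE on disk, and resolve imports at run time (`GetModuleHandleW`, `LoadLibraryExW`, `GetProcAddress`) are the usual shape of an unpacked or injected stage, which is what the `Dynamic/Decrypted Code Coverage` figure and the "Injects a PE file into a foreign processes" signature in this report point at.

```python
"""Parse Joe Sandbox function-record text into structured records and triage
the memory regions they came from.

Added example, not part of Joe Sandbox or of this report. Assumptions:
  * a record ends at its "Uniqueness Score" line;
  * the .sdmp name is <proc index>.<dump phase>.<dump id>.<base>.<protection>.
    <type>.<state>.<unused> and the protection field is a Win32 PAGE_* value.
"""
import re

API_RE = re.compile(
    r"^• (?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^• Source File: (?P<dump>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
OPC_RE = re.compile(r"^• Opcode ID: (?P<id>[0-9a-f]+)$")
SCORE_RE = re.compile(r"^Uniqueness Score: (?P<score>-?\d+(?:\.\d+)?)%$")

PAGE_EXECUTE_READWRITE = 0x40
# APIs an unpacked stub typically uses to rebuild its own import table.
IMPORT_RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryExW",
                    "LoadLibraryW", "LoadLibraryA", "GetProcAddress"}

# Constructed sample: three records in the layout of this page, trimmed to the
# lines the parser consumes (values copied from records above).
SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 05299616
Memory Dump Source
• Source File: 00000000.00000002.342569748.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
• Opcode ID: 6566cecab12785b97e4e18f724d384b3d000448dbc5aac6afa5b39e99c09faae
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.325344170.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
• Opcode ID: 927990c4a434441bb3d5830774e73730b5843d3900df24f6d061323fecc83476
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32 ref: 027D6C58
• GetCurrentThread.KERNEL32 ref: 027D6C95
• GetCurrentThreadId.KERNEL32 ref: 027D6D2B
Strings
Memory Dump Source
• Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
• Opcode ID: a5b1fbc093d41d5ee6524cf13ebf2e3b4e5463dfadb353da29eb59d1a4c22c9a
Uniqueness Score: -1.00%
"""


def parse_records(text):
    """Return one dict per function record found in `text`."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur["apis"].append((m["api"], m["mod"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur["dump"] = m["dump"]
            cur["offset"] = int(m["off"], 16)
            cur["pe_backed"] = m["pe"] == "true"
        elif m := OPC_RE.match(line):
            cur["opcode_id"] = m["id"]
        elif m := SCORE_RE.match(line):
            cur["uniqueness"] = float(m["score"])
            records.append(cur)          # the score line closes a record
            cur = {"apis": []}
    return records


def parse_dump_name(dump):
    """Split the .sdmp name into fields (field meaning is an assumption, see docstring)."""
    f = dump[:-len(".sdmp")].split(".")
    return {"proc": int(f[0]), "phase": int(f[1]), "dump_id": int(f[2]),
            "base": int(f[3], 16), "protect": int(f[4], 16)}


def summarize(records):
    """Aggregate records per memory dump: function count, API names seen, RWX flag."""
    out = {}
    for r in records:
        if "dump" not in r:
            continue
        s = out.setdefault(r["dump"], {**parse_dump_name(r["dump"]),
                                       "pe_backed": r["pe_backed"],
                                       "functions": 0, "apis": set()})
        s["functions"] += 1
        s["apis"].update(api for api, _, _ in r["apis"])
        s["rwx"] = s["protect"] == PAGE_EXECUTE_READWRITE
    return out


def suspicious_regions(summary):
    """Dumps that are RWX, not PE-backed, and resolve imports at run time."""
    return sorted(d for d, s in summary.items()
                  if s["rwx"] and not s["pe_backed"] and s["apis"] & IMPORT_RESOLVERS)


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE))
    for dump in suspicious_regions(summary):
        s = summary[dump]
        print(f"pid#{s['proc']} base=0x{s['base']:08X} funcs={s['functions']} apis={sorted(s['apis'])}")
```

Running it over the constructed sample flags only the 0x05290000 region of process 0: it is RWX, has no PE on disk behind it, and calls `GetModuleHandleW`, while the 0x027D0000 region of the injected process only shows the `GetCurrent*` calls and the 0x010AD000 region shows no API at all. On a full report, feed the whole "Function Records" text in; the same grouping also tells you which dump to hand to a disassembler first.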

                                                                      Execution Graph

                                                                      Execution Coverage:16.8%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:211
                                                                      Total number of Limit Nodes:19
                                                                      • Rendered execution graph not preserved in this copy. Its nodes lie in the 0x27Dxxxx and 0x70Axxxx regions of the injected process (plus an entry at 0xD4D01C), and the Win32 calls reached from them are: SetTimer, MoveFileExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateWindowExW, SetWindowLongW, EnumThreadWindows, GetFocus, KiUserCallbackDispatcher, LoadLibraryExW and GetModuleHandleW.
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6739a58a9b3745824922656b206eea601a24e671f35304c0e4b29bb132ba4da8
                                                                      • Instruction ID: 01b2b9d6e850d918a28626b9c9268478b740a5b0d86d54be3023d1aa1dcaad7f
                                                                      • Opcode Fuzzy Hash: 6739a58a9b3745824922656b206eea601a24e671f35304c0e4b29bb132ba4da8
                                                                      • Instruction Fuzzy Hash: F3D15670900259DFEB14DFA8C848B9EFBF1FF44305F1582A9E408AB392DB749985CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 027D6C58
                                                                      • GetCurrentThread.KERNEL32 ref: 027D6C95
                                                                      • GetCurrentProcess.KERNEL32 ref: 027D6CD2
                                                                      • GetCurrentThreadId.KERNEL32 ref: 027D6D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID: uu"p
                                                                      • API String ID: 2063062207-3626504725
                                                                      • Opcode ID: a5b1fbc093d41d5ee6524cf13ebf2e3b4e5463dfadb353da29eb59d1a4c22c9a
                                                                      • Instruction ID: 61adc5c61b2be27583e1a9833ea31514b7a2318d732f1ee3240bcd18dcd32f14
                                                                      • Opcode Fuzzy Hash: a5b1fbc093d41d5ee6524cf13ebf2e3b4e5463dfadb353da29eb59d1a4c22c9a
                                                                      • Instruction Fuzzy Hash: CD5158B4D006498FDB14CFAAD64879EBFF4FF48304F24889AE419A7250D7746888CF65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 027D6C58
                                                                      • GetCurrentThread.KERNEL32 ref: 027D6C95
                                                                      • GetCurrentProcess.KERNEL32 ref: 027D6CD2
                                                                      • GetCurrentThreadId.KERNEL32 ref: 027D6D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID: uu"p
                                                                      • API String ID: 2063062207-3626504725
                                                                      • Opcode ID: 8bab1b3076deec385bda1c27856647f376b0619894600e6aca5add4b8c36c589
                                                                      • Instruction ID: 24a164f925a7e7918de804416919a492502da962bde39c2f3eedc23d85c3f6d3
                                                                      • Opcode Fuzzy Hash: 8bab1b3076deec385bda1c27856647f376b0619894600e6aca5add4b8c36c589
                                                                      • Instruction Fuzzy Hash: 6D5146B4E012498FDB14CFAAD64879EBBF4FF48314F248859E419B7250D774A888CF65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 27ddccd; rendered graph not included in this text export)

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027DDDEA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID: uu"p$uu"p
                                                                      • API String ID: 716092398-648047737
                                                                      • Opcode ID: 91f4f78587a920c6f0db3e2b902001088f931ad90136f57746c163e01dacf364
                                                                      • Instruction ID: 144f0f0b7f61b361975c962b8d4ed93a8927010713ce589011fad2fb6a15d093
                                                                      • Opcode Fuzzy Hash: 91f4f78587a920c6f0db3e2b902001088f931ad90136f57746c163e01dacf364
                                                                      • Instruction Fuzzy Hash: 5851C3B1D00219DFDF14CFAAD984ADEFBB5BF48314F24816AE819AB210D7749985CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 27ddcd8; rendered graph not included in this text export)

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027DDDEA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID: uu"p$uu"p
                                                                      • API String ID: 716092398-648047737
                                                                      • Opcode ID: bba7bb0f03649376e4cf5c11246d19f8b9b063e62628984458ae82b310d95d8f
                                                                      • Instruction ID: ce3420e6fbd32bdce43d60aafaefcbeb6db8554700e4af1550d6356606c230a1
                                                                      • Opcode Fuzzy Hash: bba7bb0f03649376e4cf5c11246d19f8b9b063e62628984458ae82b310d95d8f
                                                                      • Instruction Fuzzy Hash: D141A0B1D003199FDB24CFAAD984ADEBBB5BF48314F24812AE819AB214D7749945CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 27dbc18; rendered graph not included in this text export)

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: uu"p
                                                                      • API String ID: 0-3626504725
                                                                      • Opcode ID: e72426ff1c4cd4f86d35a98eb117d778188d3cd5431000dab88db68e966d6cf3
                                                                      • Instruction ID: b65cc1be5de24f3797918607b97d0436a1595f258c3de455d72ca2083371df83
                                                                      • Opcode Fuzzy Hash: e72426ff1c4cd4f86d35a98eb117d778188d3cd5431000dab88db68e966d6cf3
                                                                      • Instruction Fuzzy Hash: 0F812270A00B058FD724DF2AD54476ABBF1FF88308F018A29D48AD7A50DB75E84ACF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 70a53d8; rendered graph not included in this text export)

                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 070A5514
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentThread
                                                                      • String ID: uu"p
                                                                      • API String ID: 2882836952-3626504725
                                                                      • Opcode ID: 1402b6029d6a8e02515ad220754f291a4f435c9f64a419f30cf0fe2e9b93d077
                                                                      • Instruction ID: 4de899413aff7f18d178efa6eea10ec15184d3029150626be4b96418a8959247
                                                                      • Opcode Fuzzy Hash: 1402b6029d6a8e02515ad220754f291a4f435c9f64a419f30cf0fe2e9b93d077
                                                                      • Instruction Fuzzy Hash: 3E51ECB1E00208AFDB58DFA9E99469DFBF5FF88304F108629E415AB364DB70A845CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 70a3e04; rendered graph not included in this text export)

                                                                      APIs
                                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 070A5731
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: EnumThreadWindows
                                                                      • String ID: uu"p
                                                                      • API String ID: 2941952884-3626504725
                                                                      • Opcode ID: 4697cd338f57ed185159824e2f4b7279cb3c8257bcbcfb1deedcc66be36f2d5f
                                                                      • Instruction ID: aa3f9750e99ccd622d767b92184e101f6dd0163df1fb6bf242c53756e10ccee4
                                                                      • Opcode Fuzzy Hash: 4697cd338f57ed185159824e2f4b7279cb3c8257bcbcfb1deedcc66be36f2d5f
                                                                      • Instruction Fuzzy Hash: 8041C1B1A00215AFCB14DFAAD8447EEBBF5FF84320F14852AD415A7350CB78A945CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 70a0be0; rendered graph not included in this text export)

                                                                      APIs
                                                                      • MoveFileExW.KERNEL32(?,00000000,?), ref: 070A47CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: FileMove
                                                                      • String ID: uu"p
                                                                      • API String ID: 3562171763-3626504725
                                                                      • Opcode ID: 487cde74db338727d9d658afdd21411fddb7a641dba12bc367021baec90d1e2a
                                                                      • Instruction ID: 55f5ec82b7af9cefa1a6c05937b7231cffce6e70d5699187fe49507e89097475
                                                                      • Opcode Fuzzy Hash: 487cde74db338727d9d658afdd21411fddb7a641dba12bc367021baec90d1e2a
                                                                      • Instruction Fuzzy Hash: 9D2128B5C012599FCB50CF9AD5847EEFBF0EF48320F14866AE818AB245D7749A40CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 27d6e18; rendered graph not included in this text export)

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027D6EA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID: uu"p
                                                                      • API String ID: 3793708945-3626504725
                                                                      • Opcode ID: 1f8bd81c4d62a09bb140b5d92407f1fbb1ba89aef5b36e837b71e2e6d546ceec
                                                                      • Instruction ID: fffe0716bf219c1dbcaff0d9def572bf48b1a1672c5853d0eb42ce3630558c29
                                                                      • Opcode Fuzzy Hash: 1f8bd81c4d62a09bb140b5d92407f1fbb1ba89aef5b36e837b71e2e6d546ceec
                                                                      • Instruction Fuzzy Hash: C921E3B5D00249AFDB10CFAAD984ADEBFF4FB48320F14845AE819A7250D374A955CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 70a56b8; rendered graph not included in this text export)

                                                                      APIs
                                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 070A5731
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: EnumThreadWindows
                                                                      • String ID: uu"p
                                                                      • API String ID: 2941952884-3626504725
                                                                      • Opcode ID: 56ed3810b58153690b3ddc1e3bc26ad81e3faf5f60d6a154b811810a7e9054d2
                                                                      • Instruction ID: 41c1eb0d31242f356e5c1c7504515498bc49ead88a041b53a17d8356e9de6fca
                                                                      • Opcode Fuzzy Hash: 56ed3810b58153690b3ddc1e3bc26ad81e3faf5f60d6a154b811810a7e9054d2
                                                                      • Instruction Fuzzy Hash: 942137B190021A9FDB10CFAAD844BEEFBF4BB88320F14852AD454A7250D774A945CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 27d6e20; rendered graph not included in this text export)

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027D6EA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID: uu"p
                                                                      • API String ID: 3793708945-3626504725
                                                                      • Opcode ID: 4d9b803c75c099842a7c86796aede148ce7c91110b6d84cbbcf3919fa75d5206
                                                                      • Instruction ID: 6706194142ef2bf447017111407321ae8b9507af9752c1e583ae75f11b824272
                                                                      • Opcode Fuzzy Hash: 4d9b803c75c099842a7c86796aede148ce7c91110b6d84cbbcf3919fa75d5206
                                                                      • Instruction Fuzzy Hash: BE21B0B5D00219AFDB10CFAAD984ADEBBF8FB48320F14841AE914A7210D374A954CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 70a3e14; rendered graph not included in this text export)

                                                                      APIs
                                                                      • EnumThreadWindows.USER32(?,00000000,?), ref: 070A5731
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: EnumThreadWindows
                                                                      • String ID: uu"p
                                                                      • API String ID: 2941952884-3626504725
                                                                      • Opcode ID: e8f889261d2534e2495cd3a67c69f9849e0a531852a4ce273669691f7f396f4a
                                                                      • Instruction ID: 1c3ca3dc0a22a4e5724b7da1849d3e43d0298813878d7059f35b32b2f78e4c0c
                                                                      • Opcode Fuzzy Hash: e8f889261d2534e2495cd3a67c69f9849e0a531852a4ce273669691f7f396f4a
                                                                      • Instruction Fuzzy Hash: 1D2127B1D002199FDB60DF9AD844BEEFBF4FB88320F14842AD854A7250D7B4A945CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (function entry 27db110; rendered graph not included in this text export)

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,027DBEE9,00000800,00000000,00000000), ref: 027DC0FA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID: uu"p
                                                                      • API String ID: 1029625771-3626504725
                                                                      • Opcode ID: 878a5b96d3b8c13c78f2700dc23473bee2e50db87e3aa6eb170332fd2f684fcc
                                                                      • Instruction ID: eb06932a67a16dab597802af82ad42384121e19af1cd49ef5a818ce7910a20cc
                                                                      • Opcode Fuzzy Hash: 878a5b96d3b8c13c78f2700dc23473bee2e50db87e3aa6eb170332fd2f684fcc
                                                                      • Instruction Fuzzy Hash: 681103B6D002099FCB20CFAAD944BDEFBF4AB48314F14842EE419B7600C775A545CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,027DBEE9,00000800,00000000,00000000), ref: 027DC0FA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID: uu"p
                                                                      • API String ID: 1029625771-3626504725
                                                                      • Opcode ID: 60488ccd8d712fba8bd07aa7f099e0c63e414fc24cc5df7fcbb2b469bec795f4
                                                                      • Instruction ID: d13c7628714f0c49aacfc9b40450ed47929d84b707400be5dcdbeacfc04b8a82
                                                                      • Opcode Fuzzy Hash: 60488ccd8d712fba8bd07aa7f099e0c63e414fc24cc5df7fcbb2b469bec795f4
                                                                      • Instruction Fuzzy Hash: 6411E2B6D402098FDB10CF9AD544BDEFBF0AB48314F14856ED829A7610C779A546CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: Timer
                                                                      • String ID: uu"p
                                                                      • API String ID: 2870079774-3626504725
                                                                      • Opcode ID: 50761da434dde7f184412232537dbb6afd9812296f5eb879ad8620b75653d93b
                                                                      • Instruction ID: 0cd0445834d892423ea1d99d7902c62ed746924082987c4b109795956689e429
                                                                      • Opcode Fuzzy Hash: 50761da434dde7f184412232537dbb6afd9812296f5eb879ad8620b75653d93b
                                                                      • Instruction Fuzzy Hash: E3110AB58003599FDB20CF9AD588BDEFBF8EB48320F10841AD955A7600D374A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027DDF7D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID: uu"p
                                                                      • API String ID: 1378638983-3626504725
                                                                      • Opcode ID: aa6fbe9bfae93f057f01b84ee73c2c364b0083c56a40e5191ad04e4e61d6d296
                                                                      • Instruction ID: 1e10375f765387246ae0cf169ea679847843fdfd289c684ecca26f929f3d8453
                                                                      • Opcode Fuzzy Hash: aa6fbe9bfae93f057f01b84ee73c2c364b0083c56a40e5191ad04e4e61d6d296
                                                                      • Instruction Fuzzy Hash: E711F5B69042099FDB20DF9AD584BDEBBF8EB48320F10845AE915B7700C374A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 027DBE6E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID: uu"p
                                                                      • API String ID: 4139908857-3626504725
                                                                      • Opcode ID: 8143c6eb1b584e1987acabbfe6ebb0b263cafd5f1885477bc6f89750e7f5716f
                                                                      • Instruction ID: e6b3b26e65536afe13024f91a639c9f94f79f7597ffbee0c12a3341ce3afc894
                                                                      • Opcode Fuzzy Hash: 8143c6eb1b584e1987acabbfe6ebb0b263cafd5f1885477bc6f89750e7f5716f
                                                                      • Instruction Fuzzy Hash: C31113B6C002498FCB20CFAAC544ADFFBF4EF88324F15852AD419A7210C374A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.598775133.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_70a0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: Timer
                                                                      • String ID: uu"p
                                                                      • API String ID: 2870079774-3626504725
                                                                      • Opcode ID: dd103f32dd71d996e04b7b9a000e5a2bfea58ccfe77310804359611ce166bfe9
                                                                      • Instruction ID: 7964c053ac539e8d384d41212d92446c6d57636064c9eb74b4103f5e76252bb4
                                                                      • Opcode Fuzzy Hash: dd103f32dd71d996e04b7b9a000e5a2bfea58ccfe77310804359611ce166bfe9
                                                                      • Instruction Fuzzy Hash: EB11E5B58003599FDB20DF9AD988BDEFBF8FB48324F14845AD815A7610C374A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027DDF7D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID: uu"p
                                                                      • API String ID: 1378638983-3626504725
                                                                      • Opcode ID: 7c6d39773de76c24d86a0771b62aa57ac885ecc4631f9a01798681543633216f
                                                                      • Instruction ID: 6d5df096ed23faa2036c74bc9b951eee31c345a5eea2dce5d4962eb75b8e87ef
                                                                      • Opcode Fuzzy Hash: 7c6d39773de76c24d86a0771b62aa57ac885ecc4631f9a01798681543633216f
                                                                      • Instruction Fuzzy Hash: BF11F2B6900209CFDB20DF9AD584BDEBBF4EB48324F24842AD958A7210C374A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 18f8ba544ba102d80946f34c6517e44143efcf12409bf3c462182beabf584627
                                                                      • Instruction ID: 8c6e2512e669c3df3f262aa9e1ef318ddb434c38e4930593add133328f583e4c
                                                                      • Opcode Fuzzy Hash: 18f8ba544ba102d80946f34c6517e44143efcf12409bf3c462182beabf584627
                                                                      • Instruction Fuzzy Hash: 9F2106B6504284DFCF05DF14E9C0B16BFA6FB88314F248669E9490B24AC336D816DF71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2d2c4e1f4193445fda7fd80fabae9b337fab03de57822c2e42d456e6ad58d1a3
                                                                      • Instruction ID: b8852ef13e38289e0ced29d18030cf8bcdf6e92f65167c7f4f206348112aa983
                                                                      • Opcode Fuzzy Hash: 2d2c4e1f4193445fda7fd80fabae9b337fab03de57822c2e42d456e6ad58d1a3
                                                                      • Instruction Fuzzy Hash: 20210772604340DFDB15DF14E9C0B16BFA6FB98328F248569E8050B25AC336D856DFB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ea6a74ec6d8315703003de597fe3f2df9a61a19d4c550498af30e5b74e49c5f7
                                                                      • Instruction ID: 25944bd0511086677bcd4f9275e29a75cdc7cadc6e91194c78eb317321e26845
                                                                      • Opcode Fuzzy Hash: ea6a74ec6d8315703003de597fe3f2df9a61a19d4c550498af30e5b74e49c5f7
                                                                      • Instruction Fuzzy Hash: C9210771504344EFDB05DF14E9C0B26BF66FB94324F24C669E9490B246C336E856DBB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 57131a097d28b1002adcae141ae81067d8e3d709a6851fc87be93f3c48fc8784
                                                                      • Instruction ID: 09186776c593470b12de0825e411cc1f7bb155ea11e4eb1f1d3a6bdc1c913ceb
                                                                      • Opcode Fuzzy Hash: 57131a097d28b1002adcae141ae81067d8e3d709a6851fc87be93f3c48fc8784
                                                                      • Instruction Fuzzy Hash: 72210471604340EFDB05DF14D9C0B26BBA6FB84314F24CAADE8495B346C3B6D846CA75
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c7aae65485de9e8492fc2084843b17b893f0cbe941402c2ccf7db89b4c052b4
                                                                      • Instruction ID: f2f908696a52ebff4425090a95dbdd3639693a4d72f4a1c7a9c45f95f1397595
                                                                      • Opcode Fuzzy Hash: 3c7aae65485de9e8492fc2084843b17b893f0cbe941402c2ccf7db89b4c052b4
                                                                      • Instruction Fuzzy Hash: 5F213871604344DFDB11DF14D5C4B2ABBA6FB84724F24C569D84D0B246C37AE846CA72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c92c9917dd8c2efbe0df211b29ff185211855dcb593f0c55c87ca54c7d1fc9c5
                                                                      • Instruction ID: d95d6a8a88dad3efdfe07f0d6b80dc17ef2a852d5580c248d679b41509050626
                                                                      • Opcode Fuzzy Hash: c92c9917dd8c2efbe0df211b29ff185211855dcb593f0c55c87ca54c7d1fc9c5
                                                                      • Instruction Fuzzy Hash: 2521F275604340DFDB14DF14D9C4B16BBA6FB84314F24C9ADE8494B246C33AD847CA71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df4e0e99b89205e3e865c500ba5d0c967eb6198f97dadae160fd31662d8bb988
                                                                      • Instruction ID: c205af1949b09f20b8ff87525c5c5399550ad17f182cce26c09ab638bf2c898c
                                                                      • Opcode Fuzzy Hash: df4e0e99b89205e3e865c500ba5d0c967eb6198f97dadae160fd31662d8bb988
                                                                      • Instruction Fuzzy Hash: EF213AB1604340DFDB04DF18D6C8B2ABBA6FB84724F34C66DD8495B245C379E806C6B2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d3960cf37d60323bcc189475b5ca8f1ba2aef9b1cb1c36d42ff0678d04e972ae
                                                                      • Instruction ID: e2fe92785ef78c5cfbed3a8f53e63b9d4f0cf28d17c50e7dd77ff75b69272b1a
                                                                      • Opcode Fuzzy Hash: d3960cf37d60323bcc189475b5ca8f1ba2aef9b1cb1c36d42ff0678d04e972ae
                                                                      • Instruction Fuzzy Hash: FD2150755093C08FDB12CF24D994715BF72EB46314F28C5EAD8498B697C33AD84ACB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aed364435f26c38b1f37ec609ef487dd3ff222591fd3d6c38061ae2a0c9683d0
                                                                      • Instruction ID: bba60d399d3b3aa5b78ba0d0b230df0838e356d1f41ca86c70b13c923c5d7b63
                                                                      • Opcode Fuzzy Hash: aed364435f26c38b1f37ec609ef487dd3ff222591fd3d6c38061ae2a0c9683d0
                                                                      • Instruction Fuzzy Hash: 0121A2B6504280DFCF06CF10D9C4B16BF72FB88314F2886A9D9490B656C33AD856CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                                                      • Instruction ID: b1115a84335304dd0d5bf46a314bb87438f2c27449c7ec1f0a71379f69c68034
                                                                      • Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                                                      • Instruction Fuzzy Hash: D811D376504280CFCB12CF14D9C4B16BF72FB95324F2886A9D8090B656C33AD856CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                                                      • Instruction ID: d049a45ae2e4ca7c47f308e9bd0223c200be0891c7bfa088b817d277e5ece058
                                                                      • Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                                                      • Instruction Fuzzy Hash: F711E676504280DFCB02CF10D5C4B16BF72FB94324F28C6A9D8480B656C33AE856CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
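The two records directly above share one Opcode ID (29d2f010…) under different Instruction IDs, which is the kind of detail worth pulling out of these per-function entries programmatically when hunting the same code in other samples. The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin; it reads the record layout exactly as rendered on this page (bullet fields, an optional API line with a ref address, and a "Uniqueness Score" line closing each record). The field names and the assumption that every record ends with a Uniqueness Score line come from the page layout, not from any Joe Sandbox specification; the sample input is three records copied from this section.

```python
"""Parse the Joe Sandbox IDA-plugin function records shown in this report
into rows and collapse them by Opcode ID (added example, not report code)."""
import re
from collections import defaultdict

# Constructed sample: three records copied from this section of the report
# (the SetWindowLongW record and the two records sharing one Opcode ID).
SAMPLE = """
APIs
• SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027DDF7D
Strings
Memory Dump Source
• Source File: 00000001.00000002.577990896.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_27d0000_FedExInvoice013.jbxd
Similarity
• API ID: LongWindow
• String ID: uu"p
• API String ID: 1378638983-3626504725
• Opcode ID: aa6fbe9bfae93f057f01b84ee73c2c364b0083c56a40e5191ad04e4e61d6d296
• Instruction ID: 1e10375f765387246ae0cf169ea679847843fdfd289c684ecca26f929f3d8453
• Opcode Fuzzy Hash: aa6fbe9bfae93f057f01b84ee73c2c364b0083c56a40e5191ad04e4e61d6d296
• Instruction Fuzzy Hash: E711F5B69042099FDB20DF9AD584BDEBBF8EB48320F10845AE915B7700C374A944CFA5
Uniqueness

Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
• Instruction ID: b1115a84335304dd0d5bf46a314bb87438f2c27449c7ec1f0a71379f69c68034
• Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
• Instruction Fuzzy Hash: D811D376504280CFCB12CF14D9C4B16BF72FB95324F2886A9D8090B656C33AD856CFA1
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
• Instruction ID: d049a45ae2e4ca7c47f308e9bd0223c200be0891c7bfa088b817d277e5ece058
• Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
• Instruction Fuzzy Hash: F711E676504280DFCB02CF10D5C4B16BF72FB94324F28C6A9D8480B656C33AE856CFA1
Uniqueness Score: -1.00%
"""

# One regex per line type; the Uniqueness Score line closes a record
# (assumption taken from the page layout, not from a Joe Sandbox spec).
API_CALL = re.compile(r"^•\s*(\w+\.\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)$")
FIELD = re.compile(r"^•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                   r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")
SCORE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%$")

def parse_records(text):
    """Return one dict per record: apis, source, offset, fields, score."""
    records, cur = [], {"apis": [], "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()          # the page renders every line indented
        if not line:
            continue
        if m := API_CALL.match(line):
            cur["apis"].append((m.group(1), m.group(2), m.group(3)))
        elif m := SOURCE.match(line):
            cur["source"], cur["offset"] = m.group(1), m.group(2)
        elif m := FIELD.match(line):
            cur["fields"][m.group(1)] = m.group(2).strip()
        elif m := SCORE.match(line):
            cur["score"] = float(m.group(1))
            records.append(cur)     # score line terminates the record
            cur = {"apis": [], "fields": {}}
    return records

def group_by_opcode(records):
    """Map Opcode ID -> records; one opcode skeleton can show up under
    several Instruction IDs (same opcode sequence, different bytes)."""
    groups = defaultdict(list)
    for rec in records:
        oid = rec["fields"].get("Opcode ID")
        if oid:
            groups[oid].append(rec)
    return dict(groups)

def duplicate_opcodes(records):
    """Opcode IDs that occur more than once, with their counts."""
    return {oid: len(rs) for oid, rs in group_by_opcode(records).items() if len(rs) > 1}

def api_refs(records):
    """Sorted (function, ref address) pairs across all records."""
    return sorted({(fn, ref) for rec in records for fn, _args, ref in rec["apis"]})
```

Calling parse_records(SAMPLE) yields three records; duplicate_opcodes reports the 29d2f010… Opcode ID twice, matching the two entries above that share it under different Instruction IDs, and api_refs returns the single SetWindowLongW reference at 027DDF7D. In every record on this page the Opcode ID equals the Opcode Fuzzy Hash, so either column serves as the grouping key; the Instruction Fuzzy Hash is the value to feed into a fuzzy-hash comparison across samples.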

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
                                                                      • Instruction ID: d837296704de449aa24562e3398c5f501766ad1ed662ff7e4d2226d25c2afcce
                                                                      • Opcode Fuzzy Hash: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
                                                                      • Instruction Fuzzy Hash: 02119D75904280DFDB12CF14D5C4B15FBB2FB84324F28C6ADD8494B656C37AD84ACB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0bfc54da5199e54ac29bb95c303e1f9d0456aef68e3c8f2039d41b65c1a2cd17
                                                                      • Instruction ID: 123013ed09c1a91fb9de71d161f7ee8633920c008b05e5691b4edf54537ee395
                                                                      • Opcode Fuzzy Hash: 0bfc54da5199e54ac29bb95c303e1f9d0456aef68e3c8f2039d41b65c1a2cd17
                                                                      • Instruction Fuzzy Hash: 14118276504284DFDB11CF14D5C4B15FBA2FB84324F28C6AAD8494B646C33AE84ACB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577556010.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d4d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a32f8b5301d520f97a745f1cf21a85d993a089121ee8739b1b9e92feef739b5b
                                                                      • Instruction ID: 2947a235e6dbbb17e6d060cf4ad1b67ea43349b78eaa50675d5b0571f38fa8a3
                                                                      • Opcode Fuzzy Hash: a32f8b5301d520f97a745f1cf21a85d993a089121ee8739b1b9e92feef739b5b
                                                                      • Instruction Fuzzy Hash: C211E776504280CFD701CF14D5C4719FBB2FB84324F28C6A9D8494B645C339D84ACBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 49c61d28a1c640a6544b5754c1308ae8efc8d08601985c044b2870a84e6d8395
                                                                      • Instruction ID: 3645ab4e3be5fee16eea84626932fe3ef14717541bd84a24dd4e247294024c84
                                                                      • Opcode Fuzzy Hash: 49c61d28a1c640a6544b5754c1308ae8efc8d08601985c044b2870a84e6d8395
                                                                      • Instruction Fuzzy Hash: 63F03772200600AF93208F0AD885C26FBA9EBC5770719C15AE84A4B611C671EC42CEB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.577487389.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_2_d3d000_FedExInvoice013.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d146d77ef7b5f0c73af3402a43e09c205abf2f4da1872a97cdab4586a8cb214
                                                                      • Instruction ID: f95414eb6f43d22197041537afbfe9123a0b763bc6cea3f5adceef6bbb5e27b2
                                                                      • Opcode Fuzzy Hash: 7d146d77ef7b5f0c73af3402a43e09c205abf2f4da1872a97cdab4586a8cb214
                                                                      • Instruction Fuzzy Hash: 7CF03775104680AFD325CF16C885C22BFB9EB8A7607198489E89A5B222C670FC42CFB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:13.5%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:3
                                                                      Total number of Limit Nodes:0
                                                                      execution_graph 10450 7ff9a5b9909c 10451 7ff9a5b9909f LoadLibraryW 10450->10451 10453 7ff9a5b9912d 10451->10453
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.481761926.00007FF9A5B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5B90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff9a5b90000_Zip.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 26a6f5364f14bab86d5b66a7c3be3c87709f2de66f2b71f48ddb3119c9bcb9ba
                                                                      • Instruction ID: 0ce56de747ad8d7e4f3fc1b17722af169dbf23c31c79feb26e6d30380c57054d
                                                                      • Opcode Fuzzy Hash: 26a6f5364f14bab86d5b66a7c3be3c87709f2de66f2b71f48ddb3119c9bcb9ba
                                                                      • Instruction Fuzzy Hash: 3221A071908A1C9FDB58DB9CD449BF9BBE0FB69321F00822ED04ED3251DB70A4468B81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.481761926.00007FF9A5B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5B90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff9a5b90000_Zip.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: f7a75e1f5e5c32875a4ba0f274a36c7f49b46bfdabd94cd99b769e379463ca67
                                                                      • Instruction ID: 7ca5924f65011e704e41bd712a117b515f871ba776b51fc4621a1d1e34b77eb4
                                                                      • Opcode Fuzzy Hash: f7a75e1f5e5c32875a4ba0f274a36c7f49b46bfdabd94cd99b769e379463ca67
                                                                      • Instruction Fuzzy Hash: 1A21A07190CA1C9FDB58DF9C9849BE9BBE0FB65721F00822FD049D3251DB70A8468B81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.479657935.00007FF9A5A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A6D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff9a5a6d000_Zip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cd7ee3810c47d97e8c2c0c6ee72ca515d34183d434a9d10b1d547c37bf200558
                                                                      • Instruction ID: ebafaf19a47b68a5def022856664c3043e9e7580b758f8a93d4a1babc49a4b4a
                                                                      • Opcode Fuzzy Hash: cd7ee3810c47d97e8c2c0c6ee72ca515d34183d434a9d10b1d547c37bf200558
                                                                      • Instruction Fuzzy Hash: A601DB3264DE088FDB98EB2DE045D9577D0FF44360710096FD149CB56ADA71F886CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.479657935.00007FF9A5A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5A6D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff9a5a6d000_Zip.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c4d990c3b072020f78d18eec9c7073cce7c0057e5c8754d18fbe43519d84a9c8
                                                                      • Instruction ID: 2970ed05fef0154c9e56e79bfed2e5bf52e7703aa0281ecd1e35107b57720f5f
                                                                      • Opcode Fuzzy Hash: c4d990c3b072020f78d18eec9c7073cce7c0057e5c8754d18fbe43519d84a9c8
                                                                      • Instruction Fuzzy Hash: DEF0DA30619E099F8F94EF2DC485E1237E1FB98750B110958D45EC7669D674F892CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:11%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:100
                                                                      Total number of Limit Nodes:9
                                                                      execution_graph 13175 2423e50 13176 2423e5a 13175->13176 13180 2423f40 13175->13180 13185 2423624 13176->13185 13178 2423e75 13181 2423f65 13180->13181 13189 2424030 13181->13189 13193 2424040 13181->13193 13186 242362f 13185->13186 13201 2425214 13186->13201 13188 2426755 13188->13178 13190 2424040 13189->13190 13192 2424144 13190->13192 13197 2423dec 13190->13197 13194 2424067 13193->13194 13195 2424144 13194->13195 13196 2423dec CreateActCtxA 13194->13196 13196->13195 13198 24254d0 CreateActCtxA 13197->13198 13200 2425593 13198->13200 13202 242521f 13201->13202 13205 2425244 13202->13205 13204 24267fd 13204->13188 13206 242524f 13205->13206 13209 2425274 13206->13209 13208 24268da 13208->13204 13210 242527f 13209->13210 13213 24252a4 13210->13213 13212 24269ca 13212->13208 13214 24252af 13213->13214 13215 24270de 13214->13215 13221 24292a2 13214->13221 13225 24293d0 13214->13225 13233 24293c0 13214->13233 13216 242711c 13215->13216 13241 242b401 13215->13241 13216->13212 13246 24292d7 13221->13246 13250 24292d8 13221->13250 13222 24292b6 13222->13215 13226 24293e3 13225->13226 13228 24293fb 13226->13228 13254 2429658 13226->13254 13258 242964a 13226->13258 13227 24293f3 13227->13228 13229 24295f8 GetModuleHandleW 13227->13229 13228->13215 13230 2429625 13229->13230 13230->13215 13234 24293e3 13233->13234 13235 24293fb 13234->13235 13239 242964a LoadLibraryExW 13234->13239 13240 2429658 LoadLibraryExW 13234->13240 13235->13215 13236 24293f3 13236->13235 13237 24295f8 GetModuleHandleW 13236->13237 13238 2429625 13237->13238 13238->13215 13239->13236 13240->13236 13242 242b431 13241->13242 13243 242b455 13242->13243 13266 242b5c0 13242->13266 13270 242b5b0 13242->13270 13243->13216 13248 24293c0 2 API calls 13246->13248 13249 24293d0 2 API calls 13246->13249 13247 24292e7 13247->13222 13248->13247 13249->13247 13251 24292e7 13250->13251 13252 24293c0 2 API calls 13250->13252 13253 24293d0 2 API 
calls 13250->13253 13251->13222 13252->13251 13253->13251 13255 242966c 13254->13255 13256 2429691 13255->13256 13262 2428e38 13255->13262 13256->13227 13259 2429658 13258->13259 13260 2429691 13259->13260 13261 2428e38 LoadLibraryExW 13259->13261 13260->13227 13261->13260 13263 2429838 LoadLibraryExW 13262->13263 13265 24298b1 13263->13265 13265->13256 13267 242b5cd 13266->13267 13268 242b607 13267->13268 13274 242aba4 13267->13274 13268->13243 13271 242b5c0 13270->13271 13272 242b607 13271->13272 13273 242aba4 3 API calls 13271->13273 13272->13243 13273->13272 13275 242abaf 13274->13275 13277 242bef8 13275->13277 13278 242ac8c 13275->13278 13277->13277 13279 242ac97 13278->13279 13280 24252a4 3 API calls 13279->13280 13281 242bf67 13280->13281 13284 242dd3b 13281->13284 13286 242dd48 13284->13286 13285 242dd65 13287 242e158 LoadLibraryExW GetModuleHandleW 13286->13287 13288 242e168 LoadLibraryExW GetModuleHandleW 13286->13288 13287->13285 13288->13285 13289 242b900 DuplicateHandle 13290 242b996 13289->13290 13291 242fd38 13292 242fda0 CreateWindowExW 13291->13292 13294 242fe5c 13292->13294 13295 242b6d8 GetCurrentProcess 13296 242b752 GetCurrentThread 13295->13296 13297 242b74b 13295->13297 13298 242b78f GetCurrentProcess 13296->13298 13299 242b788 13296->13299 13297->13296 13302 242b7c5 13298->13302 13299->13298 13300 242b7ed GetCurrentThreadId 13301 242b81e 13300->13301 13302->13300

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0242B738
                                                                      • GetCurrentThread.KERNEL32 ref: 0242B775
                                                                      • GetCurrentProcess.KERNEL32 ref: 0242B7B2
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0242B80B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: 4b001da5a8db545df38be8120f0c80a8fddb5745ed144794a655b9e170d50723
                                                                      • Instruction ID: 8a82004706f9e0adbb6af1953f6f8b5c5be728360a33a6ca2b7358c13c95c99e
                                                                      • Opcode Fuzzy Hash: 4b001da5a8db545df38be8120f0c80a8fddb5745ed144794a655b9e170d50723
                                                                      • Instruction Fuzzy Hash: D55134B09007498FDB14CFAAD6487DEBBF1FF89314F20849AE409A7390D7745988CB65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0242B738
                                                                      • GetCurrentThread.KERNEL32 ref: 0242B775
                                                                      • GetCurrentProcess.KERNEL32 ref: 0242B7B2
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0242B80B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: 1e5c53281385c5c02648ffffdc04273ad476377c15c089f2221214609385de9d
                                                                      • Instruction ID: d32d7cb0c2d2eeacbeaf0328aed4a5ce0d1c639fd124fee8eb56bec316e5b0fa
                                                                      • Opcode Fuzzy Hash: 1e5c53281385c5c02648ffffdc04273ad476377c15c089f2221214609385de9d
                                                                      • Instruction Fuzzy Hash: 3B5105B0D006498FDB14DFAAD6487DEBBF1FF88314F20845AE419A7350D7746988CB65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 24293d0-24293d8 40 24293e3-24293e5 39->40 41 24293de call 2428dd4 39->41 42 24293e7 40->42 43 24293fb-24293ff 40->43 41->40 93 24293ed call 242964a 42->93 94 24293ed call 2429658 42->94 44 2429413-2429454 43->44 45 2429401-242940b 43->45 50 2429461-242946f 44->50 51 2429456-242945e 44->51 45->44 46 24293f3-24293f5 46->43 47 2429530-24295f0 46->47 88 24295f2-24295f5 47->88 89 24295f8-2429623 GetModuleHandleW 47->89 53 2429493-2429495 50->53 54 2429471-2429476 50->54 51->50 55 2429498-242949f 53->55 56 2429481 54->56 57 2429478-242947f call 2428de0 54->57 58 24294a1-24294a9 55->58 59 24294ac-24294b3 55->59 62 2429483-2429491 56->62 57->62 58->59 63 24294c0-24294c9 call 2428df0 59->63 64 24294b5-24294bd 59->64 62->55 69 24294d6-24294db 63->69 70 24294cb-24294d3 63->70 64->63 72 24294f9-2429506 69->72 73 24294dd-24294e4 69->73 70->69 78 2429508-2429526 72->78 79 2429529-242952f 72->79 73->72 74 24294e6-24294f6 call 2428e00 call 2428e10 73->74 74->72 78->79 88->89 90 2429625-242962b 89->90 91 242962c-2429640 89->91 90->91 93->46 94->46
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 02429616
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 7dea53d7d04d6a912fb367facca3385e6174d71517cd9fb0f2b33143ffdbb448
                                                                      • Instruction ID: 75a821f2766857dfb9a9a6935c09f4ee2d1c8c05c1b1a541c7f7cacfcb76fe85
                                                                      • Opcode Fuzzy Hash: 7dea53d7d04d6a912fb367facca3385e6174d71517cd9fb0f2b33143ffdbb448
                                                                      • Instruction Fuzzy Hash: EA711370A00B158FDB24DF6AD54476BBBF5BF88304F50892ED44AD7B40DB74E8498B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 95 242fd2e-242fd9e 96 242fda0-242fda6 95->96 97 242fda9-242fdb0 95->97 96->97 98 242fdb2-242fdb8 97->98 99 242fdbb-242fdf3 97->99 98->99 100 242fdfb-242fe5a CreateWindowExW 99->100 101 242fe63-242fe9b 100->101 102 242fe5c-242fe62 100->102 106 242fea8 101->106 107 242fe9d-242fea0 101->107 102->101 108 242fea9 106->108 107->106 108->108
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0242FE4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 6cd6aa43e47bce4dc199c36719e2b23c604203ac65a3c53186e5973a6e133226
                                                                      • Instruction ID: cf36bae40aaa0cb79c6de42cc773a5296e46efc685ff47039d24aaf776ad5a2b
                                                                      • Opcode Fuzzy Hash: 6cd6aa43e47bce4dc199c36719e2b23c604203ac65a3c53186e5973a6e133226
                                                                      • Instruction Fuzzy Hash: 8E51D2B1D103199FDB15CF9AC884ADEBFB1FF88314F65812AE419AB210D7749989CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 109 242fd38-242fd9e 110 242fda0-242fda6 109->110 111 242fda9-242fdb0 109->111 110->111 112 242fdb2-242fdb8 111->112 113 242fdbb-242fe5a CreateWindowExW 111->113 112->113 115 242fe63-242fe9b 113->115 116 242fe5c-242fe62 113->116 120 242fea8 115->120 121 242fe9d-242fea0 115->121 116->115 122 242fea9 120->122 121->120 122->122
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0242FE4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: b94a2cec5a73455b373589edd0eae59f6d13d511985e3627eef1dacc1582ba01
                                                                      • Instruction ID: 08b6edd69034db70d6e853b9d87e04c0341da8d03bd2c1ad4b8dc21876af0dcc
                                                                      • Opcode Fuzzy Hash: b94a2cec5a73455b373589edd0eae59f6d13d511985e3627eef1dacc1582ba01
                                                                      • Instruction Fuzzy Hash: A641D1B1D10319DFDB15CF9AC884ADEBFB5BF88304F65812AE419AB210D7749889CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 123 24254c5-24254ce 124 24254d0-2425591 CreateActCtxA 123->124 126 2425593-2425599 124->126 127 242559a-24255f4 124->127 126->127 134 2425603-2425607 127->134 135 24255f6-24255f9 127->135 136 2425618 134->136 137 2425609-2425615 134->137 135->134 139 2425619 136->139 137->136 139->139
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02425581
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 3f3fbafa04fdfa6051ca567e8ff8f50cd0cbe3e16c70b61d7b3c8c54674ea653
                                                                      • Instruction ID: 99a362196edd074d75f9589b34e43fe1d183dbbfb0646cdc90ed5e817d356247
                                                                      • Opcode Fuzzy Hash: 3f3fbafa04fdfa6051ca567e8ff8f50cd0cbe3e16c70b61d7b3c8c54674ea653
                                                                      • Instruction Fuzzy Hash: 784107B1C40318CFDB14DFAAC8447DEBBB5BF45304F64806AD409AB255D775698ACF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 140 2423dec-2425591 CreateActCtxA 143 2425593-2425599 140->143 144 242559a-24255f4 140->144 143->144 151 2425603-2425607 144->151 152 24255f6-24255f9 144->152 153 2425618 151->153 154 2425609-2425615 151->154 152->151 156 2425619 153->156 154->153 156->156
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02425581
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 36464d239a31dd909b7eb7365f1a11eb2f2375bf4d8f1b780bf13faf00794cca
                                                                      • Instruction ID: 3d09e84d1f253ca0c98f7b96d366efa9a36fee725d5321a29c3abe67b71a87b9
                                                                      • Opcode Fuzzy Hash: 36464d239a31dd909b7eb7365f1a11eb2f2375bf4d8f1b780bf13faf00794cca
                                                                      • Instruction Fuzzy Hash: 6741E571C0072CCFDB24DFAAC94479EBBB5BF48304F60846AD409AB255D7716989CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: entry block 2428e50, calls LoadLibraryExW (rendered graph not preserved)
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02429691,00000800,00000000,00000000), ref: 024298A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: de9242c9b55e3b77a8cf48298f983298056374606c7d0bd79385a8a667b230ce
                                                                      • Instruction ID: e44eb4fde7f9f18bf286754f4800b41166c9810288ac5f8e23057e366011b0b7
                                                                      • Opcode Fuzzy Hash: de9242c9b55e3b77a8cf48298f983298056374606c7d0bd79385a8a667b230ce
                                                                      • Instruction Fuzzy Hash: 5D3189B28053998FCB11DFAAC844ADABFF0AF59350F18846BC455AB240C3789549CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: entry block 242b8f8, calls DuplicateHandle (rendered graph not preserved)
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0242B987
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 612e739304cd5764bfcaedb52f7ea50f49c6c74c0fe8d347ea7411892bf5fc0e
                                                                      • Instruction ID: baaee710833a6437db1ae9f705852e27b948293fb73fadac722afaef94c7940c
                                                                      • Opcode Fuzzy Hash: 612e739304cd5764bfcaedb52f7ea50f49c6c74c0fe8d347ea7411892bf5fc0e
                                                                      • Instruction Fuzzy Hash: D521F4B5D00249AFDB10CFAAD584ADEBBF4FF48310F14841AE954A7310D374A944CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: entry block 242b900, calls DuplicateHandle (rendered graph not preserved)
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0242B987
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 0c0324b4b521aa6d660ee93ef39744c3721f26027b98e3d8fde4cb44d4ebc70c
                                                                      • Instruction ID: 27ea93f6724179103fed5eab6cd11059464d150100ef6b485df11df19df734ce
                                                                      • Opcode Fuzzy Hash: 0c0324b4b521aa6d660ee93ef39744c3721f26027b98e3d8fde4cb44d4ebc70c
                                                                      • Instruction Fuzzy Hash: EF21E0B59002189FDB10CFAAD984ADEBBF4EF48314F14841AE958A7310C374A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: entry block 2429830, calls LoadLibraryExW (rendered graph not preserved)
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02429691,00000800,00000000,00000000), ref: 024298A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 889d9fa6270fa8ed0b28782c8a0d5c007a52e5b8cc8767942f7170585605a4cd
                                                                      • Instruction ID: fc89b761273ab22478e581d2d0227f0a4c7bf763169a9ae2e9c79f2b7f42bedd
                                                                      • Opcode Fuzzy Hash: 889d9fa6270fa8ed0b28782c8a0d5c007a52e5b8cc8767942f7170585605a4cd
                                                                      • Instruction Fuzzy Hash: D51117B5D002498FCB10CFAAC584ADEFBF4EF88324F14852ED859A7200C375A949CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: entry block 2428e38, calls LoadLibraryExW (rendered graph not preserved)
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02429691,00000800,00000000,00000000), ref: 024298A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: f4352d22de535207b16da0916033989bad9093c82e24ed2806e7f8b6e8085626
                                                                      • Instruction ID: 5de5918f5536a9198a977266975a8bc7a93af3d4c1eae2ace579a5f2f02f3924
                                                                      • Opcode Fuzzy Hash: f4352d22de535207b16da0916033989bad9093c82e24ed2806e7f8b6e8085626
                                                                      • Instruction Fuzzy Hash: DF11D3B6D002199FDB10CF9AC544ADEFBF4EF98714F14842AD819A7200C375A949CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: entry block 24295b0, calls GetModuleHandleW (rendered graph not preserved)
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 02429616
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.416335242.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2420000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 29f4b91bbcee9df34931731f73230cea1bddbcd792828c57660d6cc9e8dbc48a
                                                                      • Instruction ID: 62ae2016485796c9dd506e695f1f8a614406b3ee3e4879bf37357c88b834d45f
                                                                      • Opcode Fuzzy Hash: 29f4b91bbcee9df34931731f73230cea1bddbcd792828c57660d6cc9e8dbc48a
                                                                      • Instruction Fuzzy Hash: FF110FB2D002598FCB10CF9AC544ADEFBF4AF89224F20846AD429B7200C378A549CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.413679313.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a3d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6d58ec12393f85d1d087ca063f4ecae4233b6dd851e376944cec2c1fba710fcf
                                                                      • Instruction ID: 526aeea3d910816316da5c8fd00fdd52acedf7729c56fbf780a5f65f7df428a8
                                                                      • Opcode Fuzzy Hash: 6d58ec12393f85d1d087ca063f4ecae4233b6dd851e376944cec2c1fba710fcf
                                                                      • Instruction Fuzzy Hash: F521F5B5604244DFDB15DF14E9C0B16BF65FB98324F24C669E8090F24AC336E856DBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.414104140.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a4d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: faadeca97caf37c5d6b5d07e7657d6d4c8805a1569db5c5fd3df68980cc91418
                                                                      • Instruction ID: faf36b38de3fe800236d1b26669c46ceff553ecc5096995abbc49985c72c2d25
                                                                      • Opcode Fuzzy Hash: faadeca97caf37c5d6b5d07e7657d6d4c8805a1569db5c5fd3df68980cc91418
                                                                      • Instruction Fuzzy Hash: 6C21F2B9604240EFDB05CF14D9C0B66BBA1FBC4314F20CAADE8495B246C3B6D846CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.414104140.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a4d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a1f10ea1252afb5310aae3cf3f4d92044a9217e29973ac763a397ad85039ac21
                                                                      • Instruction ID: 4b3e7efb1927819f0151df91cdd1c49bbdd55e0f605a0ddccdce71f9e2f0fea2
                                                                      • Opcode Fuzzy Hash: a1f10ea1252afb5310aae3cf3f4d92044a9217e29973ac763a397ad85039ac21
                                                                      • Instruction Fuzzy Hash: 9021F279604340DFDB14CF24D9C4B16BBA1FBC4314F20C9ADD84A4B246C37AD847CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.413679313.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a3d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: de9ef51e22e2ea3db6f00f69f6bfeb88c36ad3cca29d5602731809a0d4d5a965
                                                                      • Instruction ID: f2bec5846b18d9cb6f0a384cbb96e31edfd06b5d3f42867e6a97a45c87798205
                                                                      • Opcode Fuzzy Hash: de9ef51e22e2ea3db6f00f69f6bfeb88c36ad3cca29d5602731809a0d4d5a965
                                                                      • Instruction Fuzzy Hash: C911D376504280DFDB12CF14E5C4B16BF72FB94324F24C6A9E8490B656C33AE856CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.414104140.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a4d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 54cc2b53825d2ceffba46433efce6c2e7ea50d5f1211fdc6c8da4c21be7c4112
                                                                      • Instruction ID: 40d86200b72b315ad136734c86686ed3a21c4f1f7d4ddeded03b86dcfbdb211d
                                                                      • Opcode Fuzzy Hash: 54cc2b53825d2ceffba46433efce6c2e7ea50d5f1211fdc6c8da4c21be7c4112
                                                                      • Instruction Fuzzy Hash: 2B119D79504280DFDB15CF14D5C4B16FBA2FB84314F24C6AED84A4B656C33AD84ACBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.414104140.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a4d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 54cc2b53825d2ceffba46433efce6c2e7ea50d5f1211fdc6c8da4c21be7c4112
                                                                      • Instruction ID: 6e3dbab175516b95a5be3c654e69aee93983abd5800a1c7820bbcab53c528d7a
                                                                      • Opcode Fuzzy Hash: 54cc2b53825d2ceffba46433efce6c2e7ea50d5f1211fdc6c8da4c21be7c4112
                                                                      • Instruction Fuzzy Hash: 6C119D79904280DFDB12CF14D5C4B55FBA2FB84314F24C6ADD8494B696C3BAD84ACB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.413679313.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a3d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2383253ce11b25691cee4303f2b7f512af73017f51d296ddfe93a9d1d103593
                                                                      • Instruction ID: 66a36a07ed059482063c1861e987b927590e69757db497a2f76b8c588208843a
                                                                      • Opcode Fuzzy Hash: f2383253ce11b25691cee4303f2b7f512af73017f51d296ddfe93a9d1d103593
                                                                      • Instruction Fuzzy Hash: DF01A271509384DAE7218B29ED84766FF98EF41724F18845AFD051F286C379AC44D6B1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.413679313.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_a3d000_update_231408.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a42085a9bed56b4d3dbb81e75b0f732abf1c86ae537767d49b0498b47f6cd610
                                                                      • Instruction ID: 4a1b78901b7735d5aee8270d8a481217f51438d914dae569b5cb8fad73f1695c
                                                                      • Opcode Fuzzy Hash: a42085a9bed56b4d3dbb81e75b0f732abf1c86ae537767d49b0498b47f6cd610
                                                                      • Instruction Fuzzy Hash: A5F062714043849EE7218B1ADD84B62FF98EF91734F18C55AFD495F286C379AC44CAB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%