Edit tour

Windows Analysis Report
shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Overview

General Information

Sample Name:	shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Analysis ID:	876162
MD5:	278d48d9ea2fe8350796279e5d08a72a
SHA1:	30a693e39b775de6afbd146722d07bba0e4f16bf
SHA256:	53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
Tags:	exe
Infos:

Detection

AgentTesla, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected zgRAT

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Binary contains a suspicious time stamp

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6492 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6684 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6672 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6764 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

kmk.exe (PID: 2400 cmdline: "C:\Users\user\AppData\Roaming\kmk\kmk.exe" MD5: 278D48D9EA2FE8350796279E5D08A72A)

kmk.exe (PID: 4588 cmdline: C:\Users\user\AppData\Roaming\kmk\kmk.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

kmk.exe (PID: 3276 cmdline: "C:\Users\user\AppData\Roaming\kmk\kmk.exe" MD5: 278D48D9EA2FE8350796279E5D08A72A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT		No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1696:$a11: get_securityProfile 0x1537:$a12: get_useSeparateFolderTree 0x1946:$a14: get_archivingScope 0x176e:$a15: get_providerName 0x12fd:$a20: get_LastAccessed 0x19e0:$a21: get_avatarType 0x17eb:$a26: set_accountName 0xc94:$a28: set_bindingConfigurationUID 0x1846:$a31: set_username 0x13e8:$a33: get_Clipboard 0x13f6:$a34: get_Keyboard 0x1403:$a37: get_Password
00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x314ed:$a3: MailAccountConfiguration 0x31506:$a5: SmtpAccountConfiguration 0x314cd:$a8: set_BindingAccountConfiguration 0x3043e:$a11: get_securityProfile 0x302df:$a12: get_useSeparateFolderTree 0x31c30:$a13: get_DnsResolver 0x306ee:$a14: get_archivingScope 0x30516:$a15: get_providerName 0x32c1b:$a17: get_priority 0x321ef:$a18: get_advancedParameters 0x31607:$a19: get_disabledByRestriction 0x300a5:$a20: get_LastAccessed 0x30788:$a21: get_avatarType 0x32306:$a22: get_signaturePresets 0x30dac:$a23: get_enableLog 0x30593:$a26: set_accountName 0x32751:$a27: set_InternalServerPort 0x2fa3c:$a28: set_bindingConfigurationUID 0x322cc:$a29: set_IdnAddress 0x32acf:$a30: set_GuidMasterKey 0x305ee:$a31: set_username
00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6aa45:$a3: MailAccountConfiguration 0xa0265:$a3: MailAccountConfiguration 0x6aa5e:$a5: SmtpAccountConfiguration 0xa027e:$a5: SmtpAccountConfiguration 0x6aa25:$a8: set_BindingAccountConfiguration 0xa0245:$a8: set_BindingAccountConfiguration 0x69996:$a11: get_securityProfile 0x9f1b6:$a11: get_securityProfile 0x69837:$a12: get_useSeparateFolderTree 0x9f057:$a12: get_useSeparateFolderTree 0x6b188:$a13: get_DnsResolver 0xa09a8:$a13: get_DnsResolver 0x69c46:$a14: get_archivingScope 0x9f466:$a14: get_archivingScope 0x69a6e:$a15: get_providerName 0x9f28e:$a15: get_providerName 0x6c173:$a17: get_priority 0xa1993:$a17: get_priority 0x6b747:$a18: get_advancedParameters 0xa0f67:$a18: get_advancedParameters 0x6ab5f:$a19: get_disabledByRestriction
00000007.00000002.799586439.0000000000432000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x745:$a3: MailAccountConfiguration 0x75e:$a5: SmtpAccountConfiguration 0x725:$a8: set_BindingAccountConfiguration 0xe88:$a13: get_DnsResolver 0x85f:$a19: get_disabledByRestriction 0x4:$a23: get_enableLog 0x66b:$a32: set_version 0x9f2:$a35: get_ShiftKeyDown 0xa03:$a36: get_AltKeyDown 0x55:$a38: get_PasswordHash
00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6a8ad:$a3: MailAccountConfiguration 0xa00cd:$a3: MailAccountConfiguration 0x6a8c6:$a5: SmtpAccountConfiguration 0xa00e6:$a5: SmtpAccountConfiguration 0x6a88d:$a8: set_BindingAccountConfiguration 0xa00ad:$a8: set_BindingAccountConfiguration 0x697fe:$a11: get_securityProfile 0x9f01e:$a11: get_securityProfile 0x6969f:$a12: get_useSeparateFolderTree 0x9eebf:$a12: get_useSeparateFolderTree 0x6aff0:$a13: get_DnsResolver 0xa0810:$a13: get_DnsResolver 0x69aae:$a14: get_archivingScope 0x9f2ce:$a14: get_archivingScope 0x698d6:$a15: get_providerName 0x9f0f6:$a15: get_providerName 0x6bfdb:$a17: get_priority 0xa17fb:$a17: get_priority 0x6b5af:$a18: get_advancedParameters 0xa0dcf:$a18: get_advancedParameters 0x6a9c7:$a19: get_disabledByRestriction
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x21b4:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x26bf:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2c0b:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x22d5:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x20ac:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x25b7:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2b03:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x21cd:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xba80d:$a3: MailAccountConfiguration 0xe8e95:$a3: MailAccountConfiguration 0xba826:$a5: SmtpAccountConfiguration 0xe8eae:$a5: SmtpAccountConfiguration 0xba7ed:$a8: set_BindingAccountConfiguration 0xe8e75:$a8: set_BindingAccountConfiguration 0xb98e9:$a11: get_securityProfile 0xe7f71:$a11: get_securityProfile 0xb978d:$a12: get_useSeparateFolderTree 0xe7e15:$a12: get_useSeparateFolderTree 0xbaeab:$a13: get_DnsResolver 0xe9533:$a13: get_DnsResolver 0xb9b95:$a14: get_archivingScope 0xe821d:$a14: get_archivingScope 0xb99c1:$a15: get_providerName 0xe8049:$a15: get_providerName 0xbbd77:$a17: get_priority 0xea3ff:$a17: get_priority 0xbb43a:$a18: get_advancedParameters 0xe9ac2:$a18: get_advancedParameters 0xba927:$a19: get_disabledByRestriction
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x619f:$s3: set_passwordIsSet 0x7bd3:$g1: get_Clipboard 0x7be1:$g2: get_Keyboard 0x7bee:$g3: get_Password 0x18926:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1aab1:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x18e31:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1afbb:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1937d:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1b507:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x18a47:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x1abd2:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x7e66:$a11: get_securityProfile 0x7d0a:$a12: get_useSeparateFolderTree 0x8112:$a14: get_archivingScope 0x7f3e:$a15: get_providerName 0x67af:$a17: get_priority 0x5e72:$a18: get_advancedParameters 0x7afc:$a20: get_LastAccessed 0x81ac:$a21: get_avatarType 0x5f89:$a22: get_signaturePresets 0x7fbb:$a26: set_accountName 0x63b3:$a27: set_InternalServerPort 0x78e9:$a28: set_bindingConfigurationUID 0x5f4f:$a29: set_IdnAddress 0x666d:$a30: set_GuidMasterKey 0x8016:$a31: set_username 0x7bd3:$a33: get_Clipboard 0x7be1:$a34: get_Keyboard 0x7bee:$a37: get_Password 0x5cee:$a39: get_DefaultCredentials
Process Memory Space: kmk.exe PID: 2400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kmk.exe PID: 2400	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31889:$a3: MailAccountConfiguration 0x318a2:$a5: SmtpAccountConfiguration 0x31869:$a8: set_BindingAccountConfiguration 0x30965:$a11: get_securityProfile 0x30809:$a12: get_useSeparateFolderTree 0x31f27:$a13: get_DnsResolver 0x30c11:$a14: get_archivingScope 0x30a3d:$a15: get_providerName 0x32df3:$a17: get_priority 0x324b6:$a18: get_advancedParameters 0x319a3:$a19: get_disabledByRestriction 0x305fb:$a20: get_LastAccessed 0x30cab:$a21: get_avatarType 0x325cd:$a22: get_signaturePresets 0x31274:$a23: get_enableLog 0x30aba:$a26: set_accountName 0x329f7:$a27: set_InternalServerPort 0x303e8:$a28: set_bindingConfigurationUID 0x32593:$a29: set_IdnAddress 0x32cb1:$a30: set_GuidMasterKey 0x30b15:$a31: set_username
Process Memory Space: kmk.exe PID: 4588	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kmk.exe PID: 4588	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: kmk.exe PID: 4588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kmk.exe PID: 4588	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3bf8a:$s1: get_kbok 0x3c80a:$s2: get_CHoo 0x3be36:$s4: get_enableLog 0x3c6e4:$g4: get_CtrlKeyDown 0x3c6f4:$g5: get_ShiftKeyDown 0x3c705:$g6: get_AltKeyDown 0x196e1:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1b86c:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x19bec:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1bd76:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1a138:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1c2c2:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x19802:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x1b98d:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: kmk.exe PID: 4588	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3c44b:$a3: MailAccountConfiguration 0x3c464:$a5: SmtpAccountConfiguration 0x3c42b:$a8: set_BindingAccountConfiguration 0x3cae9:$a13: get_DnsResolver 0x3c565:$a19: get_disabledByRestriction 0x3be36:$a23: get_enableLog 0x3c371:$a32: set_version 0x3c6f4:$a35: get_ShiftKeyDown 0x3c705:$a36: get_AltKeyDown 0x3be60:$a38: get_PasswordHash
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
6.2.kmk.exe.3cbb920.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.kmk.exe.3cbb920.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x34927:$s8: torbrowser 0x3330a:$s10: logins 0x32bd8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown 0x30bf2:$g5: get_ShiftKeyDown 0x30c03:$g6: get_AltKeyDown
6.2.kmk.exe.3cbb920.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x32073:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction 0x2f4fd:$a20: get_LastAccessed 0x2fbe0:$a21: get_avatarType 0x3175e:$a22: get_signaturePresets 0x30204:$a23: get_enableLog 0x2f9eb:$a26: set_accountName 0x31ba9:$a27: set_InternalServerPort 0x2ee94:$a28: set_bindingConfigurationUID 0x31724:$a29: set_IdnAddress 0x31f27:$a30: set_GuidMasterKey 0x2fa46:$a31: set_username
7.2.kmk.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x31088:$a13: get_DnsResolver 0x30a5f:$a19: get_disabledByRestriction 0x30204:$a23: get_enableLog 0x3086b:$a32: set_version 0x30bf2:$a35: get_ShiftKeyDown 0x30c03:$a36: get_AltKeyDown 0x30255:$a38: get_PasswordHash
6.2.kmk.exe.3cbb920.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
6.2.kmk.exe.3cbb920.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
6.2.kmk.exe.3c86100.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
6.2.kmk.exe.3c86100.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x69e20:$s1: get_kbok 0x9f640:$s1: get_kbok 0x6a754:$s2: get_CHoo 0x9ff74:$s2: get_CHoo 0x6b3af:$s3: set_passwordIsSet 0xa0bcf:$s3: set_passwordIsSet 0x69c24:$s4: get_enableLog 0x9f444:$s4: get_enableLog 0x6e347:$s8: torbrowser 0xa3b67:$s8: torbrowser 0x6cd2a:$s10: logins 0xa254a:$s10: logins 0x6c5f8:$s11: credential 0xa1e18:$s11: credential 0x69008:$g1: get_Clipboard 0x9e828:$g1: get_Clipboard 0x69016:$g2: get_Keyboard 0x9e836:$g2: get_Keyboard 0x69023:$g3: get_Password 0x9e843:$g3: get_Password 0x6a602:$g4: get_CtrlKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xe252b:$s1: file:/// 0xe2487:$s2: {11111-22222-10009-11112} 0xe24bb:$s3: {11111-22222-50001-00000} 0xe04b3:$s4: get_Module 0x696ee:$s5: Reverse 0x9ef0e:$s5: Reverse 0x6b9f6:$s6: BlockCopy 0xa1216:$s6: BlockCopy 0xe19ad:$s6: BlockCopy 0x6998f:$s7: ReadByte 0x9f1af:$s7: ReadByte 0xe198d:$s7: ReadByte 0xe253d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6a365:$a3: MailAccountConfiguration 0x9fb85:$a3: MailAccountConfiguration 0x6a37e:$a5: SmtpAccountConfiguration 0x9fb9e:$a5: SmtpAccountConfiguration 0x6a345:$a8: set_BindingAccountConfiguration 0x9fb65:$a8: set_BindingAccountConfiguration 0x692b6:$a11: get_securityProfile 0x9ead6:$a11: get_securityProfile 0x69157:$a12: get_useSeparateFolderTree 0x9e977:$a12: get_useSeparateFolderTree 0x6aaa8:$a13: get_DnsResolver 0xa02c8:$a13: get_DnsResolver 0x69566:$a14: get_archivingScope 0x9ed86:$a14: get_archivingScope 0x6938e:$a15: get_providerName 0x9ebae:$a15: get_providerName 0x6ba93:$a17: get_priority 0xa12b3:$a17: get_priority 0x6b067:$a18: get_advancedParameters 0xa0887:$a18: get_advancedParameters 0x6a47f:$a19: get_disabledByRestriction
6.2.kmk.exe.3c86100.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.kmk.exe.3c86100.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x65c20:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x66554:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x671af:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x65a24:$s4: get_enableLog 0x34927:$s8: torbrowser 0x6a147:$s8: torbrowser 0x3330a:$s10: logins 0x68b2a:$s10: logins 0x32bd8:$s11: credential 0x683f8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x64e08:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x64e16:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x64e23:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown
6.2.kmk.exe.3c86100.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x66165:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x6617e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x66145:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x650b6:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x64f57:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x668a8:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x65366:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x6518e:$a15: get_providerName 0x32073:$a17: get_priority 0x67893:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x66e67:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x65c20:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x66554:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x671af:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x65a24:$s4: get_enableLog 0x34927:$s8: torbrowser 0x6a147:$s8: torbrowser 0x3330a:$s10: logins 0x68b2a:$s10: logins 0x32bd8:$s11: credential 0x683f8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x64e08:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x64e16:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x64e23:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xa8b0b:$s1: file:/// 0xa8a67:$s2: {11111-22222-10009-11112} 0xa8a9b:$s3: {11111-22222-50001-00000} 0xa6a93:$s4: get_Module 0x2fcce:$s5: Reverse 0x654ee:$s5: Reverse 0x31fd6:$s6: BlockCopy 0x677f6:$s6: BlockCopy 0xa7f8d:$s6: BlockCopy 0x2ff6f:$s7: ReadByte 0x6578f:$s7: ReadByte 0xa7f6d:$s7: ReadByte 0xa8b1d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x66165:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x6617e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x66145:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x650b6:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x64f57:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x668a8:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x65366:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x6518e:$a15: get_providerName 0x32073:$a17: get_priority 0x67893:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x66e67:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x34927:$s8: torbrowser 0x3330a:$s10: logins 0x32bd8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown 0x30bf2:$g5: get_ShiftKeyDown 0x30c03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x732eb:$s1: file:/// 0x73247:$s2: {11111-22222-10009-11112} 0x7327b:$s3: {11111-22222-50001-00000} 0x71273:$s4: get_Module 0x2fcce:$s5: Reverse 0x31fd6:$s6: BlockCopy 0x7276d:$s6: BlockCopy 0x2ff6f:$s7: ReadByte 0x7274d:$s7: ReadByte 0x732fd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x32073:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction 0x2f4fd:$a20: get_LastAccessed 0x2fbe0:$a21: get_avatarType 0x3175e:$a22: get_signaturePresets 0x30204:$a23: get_enableLog 0x2f9eb:$a26: set_accountName 0x31ba9:$a27: set_InternalServerPort 0x2ee94:$a28: set_bindingConfigurationUID 0x31724:$a29: set_IdnAddress 0x31f27:$a30: set_GuidMasterKey 0x2fa46:$a31: set_username
6.2.kmk.exe.3c4c6e0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c4c6e0.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c4c6e0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.kmk.exe.3c4c6e0.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x69e20:$s1: get_kbok 0x9f640:$s1: get_kbok 0x6a754:$s2: get_CHoo 0x9ff74:$s2: get_CHoo 0x6b3af:$s3: set_passwordIsSet 0xa0bcf:$s3: set_passwordIsSet 0x69c24:$s4: get_enableLog 0x9f444:$s4: get_enableLog 0x6e347:$s8: torbrowser 0xa3b67:$s8: torbrowser 0x6cd2a:$s10: logins 0xa254a:$s10: logins 0x6c5f8:$s11: credential 0xa1e18:$s11: credential 0x69008:$g1: get_Clipboard 0x9e828:$g1: get_Clipboard 0x69016:$g2: get_Keyboard 0x9e836:$g2: get_Keyboard 0x69023:$g3: get_Password 0x9e843:$g3: get_Password 0x6a602:$g4: get_CtrlKeyDown
6.2.kmk.exe.3c4c6e0.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6a365:$a3: MailAccountConfiguration 0x9fb85:$a3: MailAccountConfiguration 0x6a37e:$a5: SmtpAccountConfiguration 0x9fb9e:$a5: SmtpAccountConfiguration 0x6a345:$a8: set_BindingAccountConfiguration 0x9fb65:$a8: set_BindingAccountConfiguration 0x692b6:$a11: get_securityProfile 0x9ead6:$a11: get_securityProfile 0x69157:$a12: get_useSeparateFolderTree 0x9e977:$a12: get_useSeparateFolderTree 0x6aaa8:$a13: get_DnsResolver 0xa02c8:$a13: get_DnsResolver 0x69566:$a14: get_archivingScope 0x9ed86:$a14: get_archivingScope 0x6938e:$a15: get_providerName 0x9ebae:$a15: get_providerName 0x6ba93:$a17: get_priority 0xa12b3:$a17: get_priority 0x6b067:$a18: get_advancedParameters 0xa0887:$a18: get_advancedParameters 0x6a47f:$a19: get_disabledByRestriction
Click to see the 48 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}
Source: kmk.exe.4588.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}

Multi AV Scanner detection for submitted file

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	ReversingLabs: Detection: 16%
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Virustotal: Detection: 27%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

Avira: detection malicious, Label: HEUR/AGEN.1309734

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

ReversingLabs: Detection: 16%

Machine Learning detection for sample

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

Joe Sandbox ML: detected

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mOdw.pdb source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr
Source:	Binary string: mOdw.pdbSHA256 source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Code function: 4x nop then jmp 07FD925Bh

0_2_07FD86A0

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://UZQtUP.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.538649666.00000000064EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikiphD
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comams/R
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comdol
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comg
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdia
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.553540335.00000000064E4000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.553420022.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commTTF
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commpKF
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn(
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539230782.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/uG
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnN
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr-t
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsk
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.Kp
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//r$
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/CK
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fK(
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%Ki
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oK?
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/yKM
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentdocument-----
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Jump to behavior

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.565506875.00000000015DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000007.00000002.799586439.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: kmk.exe PID: 2400, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: initial sample	Static PE information: Filename: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.2.kmk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000007.00000002.799586439.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: kmk.exe PID: 2400, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_0317B440	0_2_0317B440
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E77F0	0_2_065E77F0
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E4796	0_2_065E4796
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E4518	0_2_065E4518
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065EA528	0_2_065EA528
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E8360	0_2_065E8360
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E77E0	0_2_065E77E0
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065EA518	0_2_065EA518
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065ED517	0_2_065ED517
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E4509	0_2_065E4509
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E8351	0_2_065E8351
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065ECE71	0_2_065ECE71
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E7F79	0_2_065E7F79
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065E7F88	0_2_065E7F88
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065EEA00	0_2_065EEA00
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_065EF828	0_2_065EF828
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_07FD86A0	0_2_07FD86A0
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_07FDA468	0_2_07FDA468
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_07FD8690	0_2_07FD8690
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_07FD19B8	0_2_07FD19B8
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_07FD0040	0_2_07FD0040
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D7B058	5_2_00D7B058
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D76220	5_2_00D76220
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D97030	5_2_00D97030
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D91170	5_2_00D91170
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D9C2E8	5_2_00D9C2E8
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D91250	5_2_00D91250
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D9A518	5_2_00D9A518
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D9DAA8	5_2_00D9DAA8
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D98380	5_2_00D98380
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D965FF	5_2_00D965FF
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D96589	5_2_00D96589
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D965B9	5_2_00D965B9
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D965B0	5_2_00D965B0
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D9655F	5_2_00D9655F
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D96568	5_2_00D96568
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_013556F8	5_2_013556F8
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_01352BF8	5_2_01352BF8
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_01354AC1	5_2_01354AC1
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_01355E30	5_2_01355E30
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_0135E1E8	5_2_0135E1E8
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_013595F6	5_2_013595F6
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_0135CE18	5_2_0135CE18
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_014946E0	5_2_014946E0
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_014945F0	5_2_014945F0
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_0149DA41	5_2_0149DA41
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_02A3B440	6_2_02A3B440
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05B4C2D0	6_2_05B4C2D0
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05B48CAC	6_2_05B48CAC
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05B4C697	6_2_05B4C697
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05C7318C	6_2_05C7318C
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05C7A320	6_2_05C7A320
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05B50006	6_2_05B50006
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Code function: 6_2_05B50040	6_2_05B50040

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000000.533329782.0000000000E52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemOdw.exe< vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.579322003.0000000009E10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.565506875.00000000015DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.567910784.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.534648107.000000000162D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.799586620.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.801240956.000000000125A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.800819168.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Binary or memory string: OriginalFilenamemOdw.exe< vs shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kmk.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	ReversingLabs: Detection: 16%
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

File read: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Jump to behavior

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "C:\Users\user\AppData\Roaming\kmk\kmk.exe"
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe C:\Users\user\AppData\Roaming\kmk\kmk.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "C:\Users\user\AppData\Roaming\kmk\kmk.exe"
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe C:\Users\user\AppData\Roaming\kmk\kmk.exe	Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipmentReceipt(22kb).pdf__customInvoice12074408.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/4@0/0

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.000000000303E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

Mutant created: \Sessions\1\BaseNamedObjects\XQpCtCOJSxKgTAA

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mOdw.pdb source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr
Source:	Binary string: mOdw.pdbSHA256 source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, frmPizzaProj.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.e50000.0.unpack, frmPizzaProj.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: kmk.exe.5.dr, frmPizzaProj.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 0_2_07FD5799 push eax; ret	0_2_07FD579C
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_00D9598B push 8BFFFFFFh; retf	5_2_00D95998
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_013589A8 push ds; retf	5_2_013589AF
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Code function: 5_2_0135AB17 push edi; retn 0000h	5_2_0135AB19

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: 0xB67E188C [Sat Jan 8 12:58:52 2067 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.743534616199072
Source: initial sample	Static PE information: section name: .text entropy: 7.743534616199072

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

File created: C:\Users\user\AppData\Roaming\kmk\kmk.exe

Jump to dropped file

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kmk			Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kmk			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

File opened: C:\Users\user\AppData\Roaming\kmk\kmk.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe TID: 6488	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe TID: 5472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe TID: 7068	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe TID: 6840	Thread sleep count: 9847 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 4092	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 5708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 4544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 6972	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 6960	Thread sleep count: 9850 > 30	Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Window / User API: threadDelayed 9847			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Window / User API: threadDelayed 9850			Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Code function: 5_2_00D9D818 LdrInitializeThunk,

5_2_00D9D818

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Memory written: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Memory written: C:\Users\user\AppData\Roaming\kmk\kmk.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Process created: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe C:\Users\user\AppData\Roaming\kmk\kmk.exe	Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected zgRAT

Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 2400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR

Remote Access Functionality

Yara detected zgRAT

Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 2400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kmk.exe PID: 4588, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	111 Input Capture	1 Process Discovery	Remote Desktop Protocol	111 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	24 System Information Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipmentReceipt(22kb).pdf__customInvoice12074408.exe	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
shipmentReceipt(22kb).pdf__customInvoice12074408.exe	27%	Virustotal		Browse
shipmentReceipt(22kb).pdf__customInvoice12074408.exe	100%	Avira	HEUR/AGEN.1309734
shipmentReceipt(22kb).pdf__customInvoice12074408.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\kmk\kmk.exe	100%	Avira	HEUR/AGEN.1309734
C:\Users\user\AppData\Roaming\kmk\kmk.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\kmk\kmk.exe	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cnN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.comes	0%	URL Reputation	safe
http://www.carterandcone.comdol	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.fontbureau.comdia	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnr-t	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/on	0%	URL Reputation	safe
http://www.carterandcone.comg	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Sue	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cn(	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fontbureau.commpKF	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/uG	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//r$	0%	Avira URL Cloud	safe
http://en.wikiphD	0%	Avira URL Cloud	safe
http://UZQtUP.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/CK	0%	Avira URL Cloud	safe
http://www.carterandcone.comams/R	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//r$	0%	Virustotal		Browse
http://www.fontbureau.commTTF	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/.Kp	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/yKM	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/oK?	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/fK(	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnsk	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/%Ki	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.founder.com.cn/cnN	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.commpKF	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/uG	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539230782.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comes	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://UZQtUP.com	kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comdol	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//r$	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.wikiphD	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.538649666.00000000064EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdia	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/CK	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comams/R	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnr-t	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.commTTF	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.553540335.00000000064E4000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.553420022.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentdocument-----	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000436000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNS	kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/.Kp	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/yKM	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/on	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comg	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Sue	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/fK(	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/s	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/%Ki	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnsk	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn(	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/oK?	shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876162
Start date and time:	2023-05-26 11:39:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 143 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:40:15	API Interceptor	698x Sleep call for process: shipmentReceipt(22kb).pdf__customInvoice12074408.exe modified
11:40:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kmk C:\Users\user\AppData\Roaming\kmk\kmk.exe
11:40:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kmk C:\Users\user\AppData\Roaming\kmk\kmk.exe
11:40:56	API Interceptor	400x Sleep call for process: kmk.exe modified

Process:	C:\Users\user\AppData\Roaming\kmk\kmk.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	5.3499841584777394
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x84j:MIHK5HKXE1qHbHK5AHKzvRYHKhQnoPtW
MD5:	E2C3A19FF3EBB1649BF9F41DFE3B7E8F
SHA1:	5DA8AB9561D3C096BB9103413F64EE6E50D5AD88
SHA-256:	18E921771341555EF6167DEBBD7C83727518897E9B4B3545B7CCDB48E2043B74
SHA-512:	6B62A68EC358699D55E4CCD0BBDD4ADDC0F38641D82A019697893CEB503E853A5F087FAF9F4408425AD6631C9CBA31C3354FD98B45F051F2F59A0ECC3CA2FA06
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assem

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipmentReceipt(22kb).pdf__customInvoice12074408.exe.log

Download File

Process:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	5.3499841584777394
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x84j:MIHK5HKXE1qHbHK5AHKzvRYHKhQnoPtW
MD5:	E2C3A19FF3EBB1649BF9F41DFE3B7E8F
SHA1:	5DA8AB9561D3C096BB9103413F64EE6E50D5AD88
SHA-256:	18E921771341555EF6167DEBBD7C83727518897E9B4B3545B7CCDB48E2043B74
SHA-512:	6B62A68EC358699D55E4CCD0BBDD4ADDC0F38641D82A019697893CEB503E853A5F087FAF9F4408425AD6631C9CBA31C3354FD98B45F051F2F59A0ECC3CA2FA06
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assem

C:\Users\user\AppData\Roaming\kmk\kmk.exe

Download File

Process:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	740864
Entropy (8bit):	7.721307853882747
Encrypted:	false
SSDEEP:	12288:1KK7z5GoJiGaq5aub+2QsKn/KOOfyXuKMu+h3pLGU+arbVifvHehJes:z5GoR5aa+jHOA4h/+cVifvH8
MD5:	278D48D9EA2FE8350796279E5D08A72A
SHA1:	30A693E39B775DE6AFBD146722D07BBA0E4F16BF
SHA-256:	53823B0378B9A17181FEF455B3625E7909E703D600B480FFCCC9A1C6D4232C4A
SHA-512:	2522BBD936BCE6A0849892FE5C49850C74C0BECEA7567D21E27C0B8A314C29E44BBCB20B5D6E6AD8B44D0009A4304A4C64A8C935BD2284BD98931FABA93B324D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~...............0..2...........Q... ...`....@.. ....................................@.................................BQ..O....`...............................0..p............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............L..............@..B................vQ......H.......T...l^......m........8..........................................^..}.....(.......(.....&..(.....&..(......0..+.........,..{.......+....,...{....o........(.......0............s....}......{....s....}.....(......{.....o......{.... ....o......{...........s....o......"...@"..PAs....( ......(!......o"..... .... ....s#...($......o%.....r...p(&.....r...po'............s....((......()....".(....".(.....0............{.....+..&...}.......0............{.....+..&...}...

C:\Users\user\AppData\Roaming\kmk\kmk.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.721307853882747
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	shipmentReceipt(22kb).pdf__customInvoice12074408.exe
File size:	740864
MD5:	278d48d9ea2fe8350796279e5d08a72a
SHA1:	30a693e39b775de6afbd146722d07bba0e4f16bf
SHA256:	53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
SHA512:	2522bbd936bce6a0849892fe5c49850c74c0becea7567d21e27c0b8a314c29e44bbcb20b5d6e6ad8b44d0009a4304a4c64a8c935bd2284bd98931faba93b324d
SSDEEP:	12288:1KK7z5GoJiGaq5aub+2QsKn/KOOfyXuKMu+h3pLGU+arbVifvHehJes:z5GoR5aa+jHOA4h/+cVifvH8
TLSH:	28F4028472A98B07F1BA3BF552429AB017F6BD67B070E20A0DD233DF5AB1F049651B47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~...............0..2...........Q... ...`....@.. ....................................@................................

File Icon


Icon Hash:	05292b2323232b00

Static PE Info

General

Entrypoint:	0x4b5196
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB67E188C [Sat Jan 8 12:58:52 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5142	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x1710	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb30b8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb319c	0xb3200	False	0.9080273028611305	data	7.743534616199072	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x1710	0x1800	False	0.2373046875	data	3.7239302603938516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb6130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_GROUP_ICON	0xb71d8	0x14	data
RT_VERSION	0xb71ec	0x338	data
RT_MANIFEST	0xb7524	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	11:40:05
Start date:	26/05/2023
Path:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Imagebase:	0xe50000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	11:40:17
Start date:	26/05/2023
Path:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Imagebase:	0x80000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	11:40:17
Start date:	26/05/2023
Path:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Imagebase:	0x130000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	11:40:17
Start date:	26/05/2023
Path:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Imagebase:	0xbc0000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	11:40:50
Start date:	26/05/2023
Path:	C:\Users\user\AppData\Roaming\kmk\kmk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\kmk\kmk.exe"
Imagebase:	0x560000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 17%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	11:40:58
Start date:	26/05/2023
Path:	C:\Users\user\AppData\Roaming\kmk\kmk.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\kmk\kmk.exe
Imagebase:	0x8d0000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000007.00000002.799586439.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	11:40:59
Start date:	26/05/2023
Path:	C:\Users\user\AppData\Roaming\kmk\kmk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\kmk\kmk.exe"
Imagebase:	0xa60000
File size:	740864 bytes
MD5 hash:	278D48D9EA2FE8350796279E5D08A72A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20.4%
Total number of Nodes:	235
Total number of Limit Nodes:	9

Executed Functions

Function 065E8360 Relevance: 3.5, Strings: 2, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 065E8832
(D8O, xrefs: 065E87D5

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID: (D8O$UUUU
API String ID: 0-1767718379
Opcode ID: 2d90adc242c135b56de02faf8c6097ea3cf8a3a773d607acb748a96fd1c925e1
Instruction ID: a6bc504ccbd5bff026ef5a7063fb026de75d5416071bf16a6fb5dc239c856621
Opcode Fuzzy Hash: 2d90adc242c135b56de02faf8c6097ea3cf8a3a773d607acb748a96fd1c925e1
Instruction Fuzzy Hash: DAA2B475E00628CFDB64CF69C984A99BBB2FF89304F1581E9D509AB325DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07FD86A0 Relevance: 1.9, Strings: 1, Instructions: 663
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 07FD8EAE

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 39e5290f0e457fc22fc23e4cba3d3bc7c461276aa9e6bce219a01393111dafed
Instruction ID: 91e9b8634f93fb5c0d7d6713dc2e69df9bdb8dca2476e8a65ff7f48863df0d8b
Opcode Fuzzy Hash: 39e5290f0e457fc22fc23e4cba3d3bc7c461276aa9e6bce219a01393111dafed
Instruction Fuzzy Hash: BF62D374E012298FDB64DF69C898BDDBBB2FB89305F1480EAD509A7250DB346E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 065EA528 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4077e1ce3c326487ad6c5f2c107fc139e0a4ae404a6623d338f7c8ec9875a740
Instruction ID: acbe6bd9b26c579a767a35a28494c716c0e0cfe115fcfb004148fd91ed26387f
Opcode Fuzzy Hash: 4077e1ce3c326487ad6c5f2c107fc139e0a4ae404a6623d338f7c8ec9875a740
Instruction Fuzzy Hash: A3428F74E11229CFDB54CFA9C985B9DBBF2BF48300F1581A9E809A7355D731AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 065E77F0 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03aa61a188256d3871cbf84227de5c0c29d27f31b3478d6fd50d5e27e46324ef
Instruction ID: 50465f6682d343d61b3969f4d5de102702350cde1f7733f0cdf4d44759dec544
Opcode Fuzzy Hash: 03aa61a188256d3871cbf84227de5c0c29d27f31b3478d6fd50d5e27e46324ef
Instruction Fuzzy Hash: 4C32A174E0021ACFEB54DFA9C984A9EFBB2BF48751F59C195C508AB211DB30D985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0317B440 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8967dc2a3e7a12421f8eda4f66574b7e5d41b48eb4de6f687434807b1b03243f
Instruction ID: 717108fb2fdd46076f94a7096f93dc69fd041199b01a5825202e747b6c13a2fb
Opcode Fuzzy Hash: 8967dc2a3e7a12421f8eda4f66574b7e5d41b48eb4de6f687434807b1b03243f
Instruction Fuzzy Hash: B2D18075A046058FC714CF69C884AAAFBF6FF88310F19C669D5599B792D730E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07FDA468 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873e0649267e236cce87632a9bc4a27133b7c4610af5ac7b47d491b5ff2254f3
Instruction ID: 8355d791b7ddec98b58cd7457985c0d92ac7a6581c2bbe411a19c50af2932c58
Opcode Fuzzy Hash: 873e0649267e236cce87632a9bc4a27133b7c4610af5ac7b47d491b5ff2254f3
Instruction Fuzzy Hash: 65C169B1B016058FDB29DB75D460B6EB7F6AF89600F18846DD146DB2A0DB34ED02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 065E4796 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c7b51ac20496f2b0b53854b183a8eedb497b22cc70869245e978a73a2d803a
Instruction ID: cee9c1c6c60cd43ca81be33900cd519c8e2fd2c9cd21dedd2ea65c216a078fb3
Opcode Fuzzy Hash: e8c7b51ac20496f2b0b53854b183a8eedb497b22cc70869245e978a73a2d803a
Instruction Fuzzy Hash: 53A1C274E052198FCF58CFA9D5849AEBBF2BF89310F24856AD818EB355D7309942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 065EA518 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d90eda7caf386c8cb387fcf41a778203a4f21c351755394f916eacb829b8979
Instruction ID: 022b4ceb31069e209da3f066443c5aaef295ae4e2efcc38b3c854ada7b8ee342
Opcode Fuzzy Hash: 8d90eda7caf386c8cb387fcf41a778203a4f21c351755394f916eacb829b8979
Instruction Fuzzy Hash: CC61A574E01218CFDB18CF6AD985B9DBBF2BF88300F1481A9E809AB354DB359942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 065E4518 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4df79fdf9121a2299d85346a9cdcb7ac6af9ebb8c4b9378d0133ea54e5c9b9
Instruction ID: a49d85d0d54c8434dc116482a80aa0132373be5e207116eee0aa992c47b4b77c
Opcode Fuzzy Hash: 4f4df79fdf9121a2299d85346a9cdcb7ac6af9ebb8c4b9378d0133ea54e5c9b9
Instruction Fuzzy Hash: 75516D75E002199FDF08DFEAD844AEEBBB2FF89300F14902AE519AB254DB745946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 065E77E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90822aa934ef5c2cf218375c07ca05a05444dc4e6b5bf094a4893f41688de48
Instruction ID: 8dcea120eabbb2b8cdac15fedf3ac4c54ac9f9ac514a49ba92c22e860e334976
Opcode Fuzzy Hash: b90822aa934ef5c2cf218375c07ca05a05444dc4e6b5bf094a4893f41688de48
Instruction Fuzzy Hash: CD41D974E006198FEB58DFAAD85479EBBB2BFC8200F14C4AAC558A7264DA300A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 065E4509 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04e8ac999e5479f1580b22c6e8489456c9150dcbf09a23ae38f597009b78500
Instruction ID: ec4a25d2f2d994f6d4fab39a980601c107e48a44c74517e3cb3c2977e3360a5b
Opcode Fuzzy Hash: e04e8ac999e5479f1580b22c6e8489456c9150dcbf09a23ae38f597009b78500
Instruction Fuzzy Hash: 62418EB5E042198FDB48CFAAD9856AEFBF2BF88300F14C12AD519AB254DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07FD9CC8 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL ref: 07FD9D2F
RtlDecodePointer.NTDLL ref: 07FD9D74
RtlEncodePointer.NTDLL(00000000), ref: 07FD9DDF
RtlDecodePointer.NTDLL(-000000FC), ref: 07FD9E29
RtlEncodePointer.NTDLL(00000000), ref: 07FD9E69
RtlDecodePointer.NTDLL ref: 07FD9EAF
RtlDecodePointer.NTDLL ref: 07FD9EF3

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 5d8c3b14846371b41fc47b0b8eddad836f27fc17d170e72f1430d16f18db8f02
Instruction ID: 252c96df5cbaaeac8f806365f883ce59916b15722f9f0986d147ca2af784c430
Opcode Fuzzy Hash: 5d8c3b14846371b41fc47b0b8eddad836f27fc17d170e72f1430d16f18db8f02
Instruction Fuzzy Hash: 918108B4C05258DFDB21DFA9D1887CDBBF6EB18318F28844AE855A7290C7B56884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07FD9CB3 Relevance: 10.7, APIs: 7, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL ref: 07FD9D2F
RtlDecodePointer.NTDLL ref: 07FD9D74
RtlEncodePointer.NTDLL(00000000), ref: 07FD9DDF
RtlDecodePointer.NTDLL(-000000FC), ref: 07FD9E29
RtlEncodePointer.NTDLL(00000000), ref: 07FD9E69
RtlDecodePointer.NTDLL ref: 07FD9EAF
RtlDecodePointer.NTDLL ref: 07FD9EF3

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: f88ff1da9164e9424389419d2f5258fbacef5541d9a0746284bdf99b88dab0a1
Instruction ID: 95c5e32687d782f67c68af6ca418b3c10adf439fd09ceb9891bdcc2cc6c763af
Opcode Fuzzy Hash: f88ff1da9164e9424389419d2f5258fbacef5541d9a0746284bdf99b88dab0a1
Instruction Fuzzy Hash: 627128B0C052589FDB21DFA9D1887CDBFF1EB18314F28844AE854A7290C7B56884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07FD095D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FD0B9E

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b5f17fbe3cea299b4964f5d29155deaa91e04b92ab88b666345dc1bb515a65e1
Instruction ID: 222cca530cdf3b3d177afd559b5a68701529f17dd60f21bce7352501611926f0
Opcode Fuzzy Hash: b5f17fbe3cea299b4964f5d29155deaa91e04b92ab88b666345dc1bb515a65e1
Instruction Fuzzy Hash: 07A12CB1D00219DFDB14DFA8C881BEEBBB2BF44314F1885A9D819A7290DB749D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0968 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FD0B9E

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 10ebd4cc4e972d23923f036cc8b7934200ef6057d7007b8c7cdd5dd17020ff4c
Instruction ID: edc79804d530c5660fd5425ed6bf4e0d9f3fa2c792803de62d700721f9afab0f
Opcode Fuzzy Hash: 10ebd4cc4e972d23923f036cc8b7934200ef6057d7007b8c7cdd5dd17020ff4c
Instruction Fuzzy Hash: 37912CB1D00219DFDF14DFA9C880BDEBBB2BB48314F1885A9E819A7250DB749D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03174004 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03175551

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b82b3a55ee11a6f4aff6663ca8a8e8c2fb17117def70160eeb2e65a1165705a4
Instruction ID: 939c15b916962309781da116c3008e58446a4c4b08c64ac9a57ce6235703f491
Opcode Fuzzy Hash: b82b3a55ee11a6f4aff6663ca8a8e8c2fb17117def70160eeb2e65a1165705a4
Instruction Fuzzy Hash: D641DFB1C0061CCBDB24DFA9C884B8EBBF6BF59304F24806AD408AB251DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03175495 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03175551

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 37232d0d6fd3010c8f9105520e13765b487c8b3717551ffb07dac7a198dc0556
Instruction ID: ae4ecc0d1c396e9722351b559b013068e383252419e5c2afa1252ae8f38124e5
Opcode Fuzzy Hash: 37232d0d6fd3010c8f9105520e13765b487c8b3717551ffb07dac7a198dc0556
Instruction Fuzzy Hash: EF41FEB1C00659CFDB24DFA9C984BCEBBF2BF59304F24816AD408AB250DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0648 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FD06E0

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b4e3a378630774abff63a7fc8ea142bbe1bab5c1b198e9b73a03c21b1633e664
Instruction ID: 6f5a64a9d3e13aa4a842c06a1ba9c31510cd54919d91b7f01a4a8e43a219ab07
Opcode Fuzzy Hash: b4e3a378630774abff63a7fc8ea142bbe1bab5c1b198e9b73a03c21b1633e664
Instruction Fuzzy Hash: B42117B1D003599FCB14DFA9C8847EEBBF5FF88314F14852AE959A7250CB789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0650 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FD06E0

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 83b6065d463068d575f6057bbaee768e11f27893318df9b360436951295abeee
Instruction ID: da0e33f0948bbea839ffb3643de976acaa8fd1b0f0a2d088e74d4924fd950d48
Opcode Fuzzy Hash: 83b6065d463068d575f6057bbaee768e11f27893318df9b360436951295abeee
Instruction Fuzzy Hash: B321F8B19003599FCB10DFA9C8847DEBBF5FF48314F54842AE959A7240DB789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 065EFCC0 Relevance: 1.6, APIs: 1, Instructions: 67
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 065EFD46

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1444bb53c4a5bfb590698cce27a555ea91e2f7f3c499d3e0adcff3a38ce46df8
Instruction ID: 4bfd7e2c9c99dac1afc0463c21f33c70892fdb69a99481219aa33a369e72c860
Opcode Fuzzy Hash: 1444bb53c4a5bfb590698cce27a555ea91e2f7f3c499d3e0adcff3a38ce46df8
Instruction Fuzzy Hash: 58213871D002098FCB54DFAAC5847EEBBF4FF98324F54852AD469A7280DB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0769 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FD07F0

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d068b34424e82808fbf6389d469a200285d34e7614fd118c2c47c98dc43f6fd1
Instruction ID: c85f84040361270aa5bbbef6dc1cb82cc66b3a5e5e5b9ce0234123ad31718d08
Opcode Fuzzy Hash: d068b34424e82808fbf6389d469a200285d34e7614fd118c2c47c98dc43f6fd1
Instruction Fuzzy Hash: 052136B1C002599FCB10DFAAC880AEEBBF5FF48310F14852AE519A7250C7389951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 065EFCC8 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 065EFD46

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6e419b13abf4c237fc6868016d39c997972516fd3c45f20093f69d759f4307af
Instruction ID: e1d1cb958ff0bf42a7547734aee71e1cd1d17a847e7f58e7d962178f5fa0a22f
Opcode Fuzzy Hash: 6e419b13abf4c237fc6868016d39c997972516fd3c45f20093f69d759f4307af
Instruction Fuzzy Hash: CA213571D002098FCB50DFAAC5847EEBBF4EF48324F54842AD459A7240DB78A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0770 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FD07F0

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d003c236cb5ebaf2cad10a141f8733b1d949a6f03a5113d32f85859a51151198
Instruction ID: 5fbe5a24f878390875cc66a313899107e3566d192e029e327f8dbf244cd0a856
Opcode Fuzzy Hash: d003c236cb5ebaf2cad10a141f8733b1d949a6f03a5113d32f85859a51151198
Instruction Fuzzy Hash: 582137B1C003599FCF10DFAAC880AEEBBF5FF48320F54842AE519A7240D7789940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03177EB8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 03177F3D

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 726469c120f0132dcc100df01007bac5b7ded0c69d77f0efc575cc80fa0ac85b
Instruction ID: 6b398642e0cb46fd2e5ca0e82710cfb72547a94e992fff996a174f5dd29063d6
Opcode Fuzzy Hash: 726469c120f0132dcc100df01007bac5b7ded0c69d77f0efc575cc80fa0ac85b
Instruction Fuzzy Hash: 9E218EB18003498FDB60DF99D5087EABFF8EB18314F188469E465E7280CB79A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03177C08 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 03177C92

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e9c69f74c6d5cf5c814e6f5bb7e765b9b4614273b66829c0b659f0a60477555e
Instruction ID: ebe260e0ceff612fc13940e79500fcf9386e3a598235333f2892e3d165244b6a
Opcode Fuzzy Hash: e9c69f74c6d5cf5c814e6f5bb7e765b9b4614273b66829c0b659f0a60477555e
Instruction Fuzzy Hash: BE216AB49003498FDB60DFAAC5487DABFF8EB49318F28846AD805A3641C779A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0317D8A8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0317E7E9,00000800,00000000,00000000), ref: 0317E9DA

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50dbf2a151e425ce1c4b2a5d0221176d0a1b8841043f2ead5039d932e86ca184
Instruction ID: 2001d4e652afbbc00cb4ace5be6210eaaebe2f946c424eb58dfb1083f89e28df
Opcode Fuzzy Hash: 50dbf2a151e425ce1c4b2a5d0221176d0a1b8841043f2ead5039d932e86ca184
Instruction Fuzzy Hash: 9D1112B69002098FCB50CF9AC484BDEFBF8EB58324F14856AE459B7600C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0558 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FD05CE

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a583d336c42ee66bce45b61d9314c324f779d550f7fe161d50311eb4da2d88f
Instruction ID: acf443a51e1c6a8ac033115335559e95fde888552f7e939d2071c3aeb4da48b7
Opcode Fuzzy Hash: 1a583d336c42ee66bce45b61d9314c324f779d550f7fe161d50311eb4da2d88f
Instruction Fuzzy Hash: E61117B19002499FCB10DFAAC844BDFBFF5EF58324F24882AE519A7250D7759944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03177C18 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 03177C92

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bfe538d874005dae3ab5721134ed755071a160b9f4eda84d638b17fbcadb4db9
Instruction ID: 229c6a9b8c6e88b10cd6ca69f077245980855767d62dad33bb547fb773aef516
Opcode Fuzzy Hash: bfe538d874005dae3ab5721134ed755071a160b9f4eda84d638b17fbcadb4db9
Instruction Fuzzy Hash: EE1167B49003098FDB60DFAAC6487EBBBF8EB48328F248429D405A3740D7796544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0560 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FD05CE

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f148e753dd179de4c1b6042cf8d974745d534c348f9d6342a897410ff059fe99
Instruction ID: b62b690346da4feefd6c4c7cc0de51dadf53cdf0520337252fbb62279132a0b3
Opcode Fuzzy Hash: f148e753dd179de4c1b6042cf8d974745d534c348f9d6342a897410ff059fe99
Instruction Fuzzy Hash: 8B11F6B19002499BCB10DFAAC844BEEBBF5EF58324F14841AE555A7250DB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 065EF750 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 065EF7BA

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ed3a3557d44c77a733579665d737f1057e832b71ff9c804693ed119912189dd8
Instruction ID: cbd56c027e0bcd00900d7c4be2f40869ccec158b37b25646861d6c70ab635458
Opcode Fuzzy Hash: ed3a3557d44c77a733579665d737f1057e832b71ff9c804693ed119912189dd8
Instruction Fuzzy Hash: 251149B1D002088FCB14DFAAC4447EEFBF5EF88324F20856AD029A7650DB78A545CF94

Uniqueness

Uniqueness Score: -1.00%

Function 065EF758 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 065EF7BA

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 01ba11faf4d84ebb78ad6801c426354c790f4bc5da8c6be48bc371af7159fbdd
Instruction ID: 4f8e6d0d8646c7f24c971c96a249f48539faac04a09b72619034a7350d68e3c2
Opcode Fuzzy Hash: 01ba11faf4d84ebb78ad6801c426354c790f4bc5da8c6be48bc371af7159fbdd
Instruction Fuzzy Hash: 41113AB1D002498BCB14DFAAC4447EEFBF9EF88324F24841AD419A7640CB79A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0317E708 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0317E76E

Memory Dump Source

Source File: 00000000.00000002.566271363.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_shipmentReceipt(22kb).jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3c917b5ccddcd247de9ad3a1b3bf870afa6eaa8824f3d218ee7014bebf090afa
Instruction ID: 752caafe89b073703ac15eb23288811e482aff19e9a30b032a4df2108affc241
Opcode Fuzzy Hash: 3c917b5ccddcd247de9ad3a1b3bf870afa6eaa8824f3d218ee7014bebf090afa
Instruction Fuzzy Hash: 3211DFB6C006498FCB10CF9AC544ADEFBF9EB88224F14855AD429A7610D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FD99C8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07FD9A2D

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aabea731eaecc0847217b09059ba9ecde61820ac682dfb70612649ad83cf419a
Instruction ID: ca5ccbaadb58e01f6986f2f65bb2e49809d706419dfc2173fdf4e206eaf7fae9
Opcode Fuzzy Hash: aabea731eaecc0847217b09059ba9ecde61820ac682dfb70612649ad83cf419a
Instruction Fuzzy Hash: 551106B68003499FDB10DF9AD584BDEFFF8EB58324F14845AE458A7600D375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FD99D0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07FD9A2D

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: af878206d73559090eb8df1a3d1a7c30214bc6e6cc9960e9a64d3daf3ea86e41
Instruction ID: 3ca8a9fb75f0067253da6323582d03e04e6b569a45c36babbeeeb2400ed4d0b7
Opcode Fuzzy Hash: af878206d73559090eb8df1a3d1a7c30214bc6e6cc9960e9a64d3daf3ea86e41
Instruction Fuzzy Hash: C01115B58003499FCB10DF9AD584BDEFFF8EB58324F14841AE458A3600D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD528 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564942032.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4801201027f01ca5388ff710af1bf7281ecd9a723bca4c971356775e79462f7
Instruction ID: 948b6ca788dcef7ec94900ba449b6802722c9b2ae6558abe8505a4975d083f61
Opcode Fuzzy Hash: d4801201027f01ca5388ff710af1bf7281ecd9a723bca4c971356775e79462f7
Instruction Fuzzy Hash: 9F21D671904244DFDB06DF58D9C0B67BF65FB9432CF2485AAE9050A226C33AD456CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD43C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564942032.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02a28bb880ed886ec2b4605b9d4781c4aa37892d559e002963ef8d0fe5bfa1e
Instruction ID: dfd61398e145cbb071efcaa7aae218f14e509d6079eb341f132546b37a54e256
Opcode Fuzzy Hash: f02a28bb880ed886ec2b4605b9d4781c4aa37892d559e002963ef8d0fe5bfa1e
Instruction Fuzzy Hash: BC210871900240DFDB05DF54D9C0B97BF65FB84318F24C5BAE9090B656C33AE456C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD32C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564994284.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ad8ba11c4e82ee45d72c2e1e7eff9ebe703b4f349b86efe9dcbd3be1d3e15e
Instruction ID: 08c26662855367b820b592ca0dd26c4ab7326bb186b267495bcac14080f92d44
Opcode Fuzzy Hash: e2ad8ba11c4e82ee45d72c2e1e7eff9ebe703b4f349b86efe9dcbd3be1d3e15e
Instruction Fuzzy Hash: E4213779A00240DFDB41CF98D5C0B16BFA5FB84714F24C67EE94A4B362C33AD806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD174 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564994284.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65d03f1845dd02e5a1f9c49bfda1b12e82888dfb6feeb0bb3f1e05516641cf8
Instruction ID: e707c40481998d5baab5202055b2703ff55476a8d7de2f251042f2c9b1111775
Opcode Fuzzy Hash: a65d03f1845dd02e5a1f9c49bfda1b12e82888dfb6feeb0bb3f1e05516641cf8
Instruction Fuzzy Hash: 48214F79904240DFDB41DF94D4C0B26BB66FB84724F20C57EE8094B356C73AD806C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD523 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564942032.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 3a79b23383482ceffffa206405edb5d81ebaa63f350b3341a4e84f3d6d976b2b
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 4B11B176904280DFDB16CF54D5C4B56BF72FB84328F2886AAD8490B626C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD437 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564942032.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 134c516e33c99e2b5bac2b59d9cec04b91ba732510b78547b22461eaf94ff43d
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: B211B476904280DFDB16CF54D5C4B56BF72FB84328F24C6AAD8444B626C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD16F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564994284.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction ID: a4c877289cd5af996a13bfb5966ed551f2d8f897d5efe4f49ceb7718a08cba44
Opcode Fuzzy Hash: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction Fuzzy Hash: F9118E79904280DFDB12CF54D5C4B16BB72FB88724F24C6AED8494B766C33AD44ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CD327 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564994284.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction ID: 08c9c29e49ae8172ea5b1c3702b8173728ec083027c9c02089f8b55e8f4c9907
Opcode Fuzzy Hash: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction Fuzzy Hash: 6B11BE79904280DFDB02CF18D5C0B16BB61FB84724F24C6AED8494B766C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD651 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564942032.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269813358e642754c63948280b913e96b60d572c7f4d6491125dbf6fba9a1892
Instruction ID: c1e370bc9d0032a692ff84991c22c4d74254dac9e6373026b9ccec514407a76d
Opcode Fuzzy Hash: 269813358e642754c63948280b913e96b60d572c7f4d6491125dbf6fba9a1892
Instruction Fuzzy Hash: 3201F2719083849AE7109A69CCC4BE7BF98EF54338F18849BEE4C1B352D37D9841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD650 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.564942032.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52da358081f7e5a82ca356eaf7bc9c620005ba22a246a3eb17517bfe7fa67336
Instruction ID: fc0356a359dda33741ad57707a95b8ca0bf98ff275517e7c9738debe50931d60
Opcode Fuzzy Hash: 52da358081f7e5a82ca356eaf7bc9c620005ba22a246a3eb17517bfe7fa67336
Instruction Fuzzy Hash: BBF0C2728042849BE7118A0ACDC4BA3FF98EB40338F18C59BED4C5F392C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 065ECE71 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

`., xrefs: 065ED09C

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID: `.
API String ID: 0-2943270798
Opcode ID: df3a8c099b947456823f1fb8dda66cfee9a7843cd9b3a0c8fc8ccc6120c2d9f3
Instruction ID: 3589477db9a686b5ae51341cc71246b49b90b61ab8408067e11430d61f2b7d83
Opcode Fuzzy Hash: df3a8c099b947456823f1fb8dda66cfee9a7843cd9b3a0c8fc8ccc6120c2d9f3
Instruction Fuzzy Hash: 8DF15B74E002598FDB14DFA9D584AAEFBB2FF89300F248169D915AB355CB34AD42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 065ED517 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c403d9b6d1b3d2b0d63257fc5785789262875ef5ee3bdbbf3404b46722889aad
Instruction ID: c0a8c4b711ead201e9a987160c41e4e436bf08928d59aab7444798db32e263c6
Opcode Fuzzy Hash: c403d9b6d1b3d2b0d63257fc5785789262875ef5ee3bdbbf3404b46722889aad
Instruction Fuzzy Hash: A2E15C74E002598FDB14DFA9C994AAEFBB2FF88300F248269D515AB355DB34AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 065EEA00 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0f426b9d6061f4f30aba42c2df4a7e63b9f27a6719589fbfc4e1a8666a13bf
Instruction ID: 0567fd8b34a24fff476fee4350868a731d6494cda2caefa7c8578c42dbd66ba8
Opcode Fuzzy Hash: 3e0f426b9d6061f4f30aba42c2df4a7e63b9f27a6719589fbfc4e1a8666a13bf
Instruction Fuzzy Hash: DDE14A74E1025A8FDB14DFA9C9859AEFBB2FF88300F248169D919AB355C730AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 065EF828 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9a703e0e2aa50e524f1a3865795bba3623d06ad926972dafa25d9bb93cf8f1
Instruction ID: a5e55c17ee57068eaf41a164a00cbf95d4b3bae467a403f9e0ae3640f9dacd97
Opcode Fuzzy Hash: 3e9a703e0e2aa50e524f1a3865795bba3623d06ad926972dafa25d9bb93cf8f1
Instruction Fuzzy Hash: 71E13874E0025A8FDB14DFA9D9949AEFBB2FF88300F248169D915AB355DB30AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07FD0040 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4004c76fd2f9ac501c1016dfd55f11bc6f353556cc8d6aef052f016ba3ed30
Instruction ID: 52ff73f8c7587d8ef078494a9b8514c684430ca41f9538a5a4c1d882b6f87d46
Opcode Fuzzy Hash: 4d4004c76fd2f9ac501c1016dfd55f11bc6f353556cc8d6aef052f016ba3ed30
Instruction Fuzzy Hash: 72E139B4E0025A8FDB14DFA9C9849AEFBB2FF89301F288169D514A7355DB34AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 065E8351 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2ea74abb6428c5316c2ed2302472b9e0e781060b6fa0c2d998592d4a41b465
Instruction ID: ffb851652bf7837e9466a010a9f12222b34518ef065e0f3e3dd1473a33c2c697
Opcode Fuzzy Hash: 0e2ea74abb6428c5316c2ed2302472b9e0e781060b6fa0c2d998592d4a41b465
Instruction Fuzzy Hash: 37C15275E016598FDB58DF6AC944AD9BBF2BF89300F14C0EAD809AB364DA305E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 065E7F79 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc79aa48053e10ab9f189e9f2e116ea60eed24a64e77d1e295a0b5616c7dc99
Instruction ID: 29612fbc5e9dacd7031ca96148385be9234a65acd5888264381fcd9a2d1633db
Opcode Fuzzy Hash: cfc79aa48053e10ab9f189e9f2e116ea60eed24a64e77d1e295a0b5616c7dc99
Instruction Fuzzy Hash: 9A611C70A016898FDB48EFBBE89969EBFF2FF94300F14C529D1099B264DE745806CB50

Uniqueness

Uniqueness Score: -1.00%

Function 065E7F88 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.577706573.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aca1a528c289daf949de98323c8314639d95c4cb11940c5b8cbf5e608200a7c
Instruction ID: 4b97c90e95ae1be6407700cebec4edf11b4b814e5a1e959ec3954febcf91c992
Opcode Fuzzy Hash: 7aca1a528c289daf949de98323c8314639d95c4cb11940c5b8cbf5e608200a7c
Instruction Fuzzy Hash: EB610B70A016498FDB48EFBBE85969EBFF2FF94300F14C529D5089B264EE745806CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07FD19B8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640a14cb6fde1f8b9ba0d1f1b0641b8f0b09e6435e8ea1a8c0d71d2957b1f6e0
Instruction ID: bf5979dbf4f28702eaa812e110dadd16368d95a1465ed0930c1581b4fc451995
Opcode Fuzzy Hash: 640a14cb6fde1f8b9ba0d1f1b0641b8f0b09e6435e8ea1a8c0d71d2957b1f6e0
Instruction Fuzzy Hash: 5B4145B1D156588BEB5CCF6BDD4169AFAF3AFC9300F18C1FA850CAA224DB3149558F11

Uniqueness

Uniqueness Score: -1.00%

Function 07FD8690 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b6936c577e32f9b4a14e6d08c51f6eaf7bc5ae68db39b9026dc8c069bec103
Instruction ID: df93f7a232fac01f228e82636a4b9722241431d5e6e8ae029fd9e2ea2cfdd292
Opcode Fuzzy Hash: 01b6936c577e32f9b4a14e6d08c51f6eaf7bc5ae68db39b9026dc8c069bec103
Instruction Fuzzy Hash: B73198B1D056288FEB28CF6B89153DABAF2AFC9304F04C5AAC50CA6254DB7509858F41

Uniqueness

Uniqueness Score: -1.00%

Function 07FDA040 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 07FDA09C
RtlDecodePointer.NTDLL ref: 07FDA0DB
RtlEncodePointer.NTDLL(00000000), ref: 07FDA142
RtlDecodePointer.NTDLL(00000000), ref: 07FDA17E
RtlEncodePointer.NTDLL(00000000), ref: 07FDA1B8
RtlDecodePointer.NTDLL ref: 07FDA1F8
RtlDecodePointer.NTDLL ref: 07FDA236

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: ea3b27d2e758de85d2fe18e33093e75fed85647d1bb59739eec25c259f6e4fa2
Instruction ID: cdeedd90e5d43337c51aceeefa9b6cffd7438ea46f074c460f73a673cb12b898
Opcode Fuzzy Hash: ea3b27d2e758de85d2fe18e33093e75fed85647d1bb59739eec25c259f6e4fa2
Instruction Fuzzy Hash: DC6148B1C0035A8FDF219FAAC54C3DEBBF1EB18319F188919D46563690C3B91984DF96

Uniqueness

Uniqueness Score: -1.00%

Function 07FDA02F Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 07FDA09C
RtlDecodePointer.NTDLL ref: 07FDA0DB
RtlEncodePointer.NTDLL(00000000), ref: 07FDA142
RtlDecodePointer.NTDLL(00000000), ref: 07FDA17E
RtlEncodePointer.NTDLL(00000000), ref: 07FDA1B8
RtlDecodePointer.NTDLL ref: 07FDA1F8
RtlDecodePointer.NTDLL ref: 07FDA236

Memory Dump Source

Source File: 00000000.00000002.579230654.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd0000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 13af8f2cd6e3ed86dc94a159c2b201f091e7c89bd59048c5477228a2a4a1f261
Instruction ID: 3d78c77955ed7ca50d0c5415cb9e67f292899902dc1e1b1c441b4dde155374f7
Opcode Fuzzy Hash: 13af8f2cd6e3ed86dc94a159c2b201f091e7c89bd59048c5477228a2a4a1f261
Instruction Fuzzy Hash: 48616AB0C0035A8FDF218FAAC54C3DEBFF1AB19319F188919D455A3690D3B90984DF96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: shipmentReceipt(22kb).pdf__customInvoice12074408.exePID: 6764, Parent PID: 6492COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.5%
Total number of Nodes:	114
Total number of Limit Nodes:	7

Executed Functions

Function 00D9D818 Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00D9D877

Memory Dump Source

Source File: 00000005.00000002.800498280.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d90000_shipmentReceipt(22kb).jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1be9049ff7bde06855260b376f851b608b670fe1f1febb07fcc81295e94696c9
Instruction ID: 03a7c252d365588148fe99d1861f76e851e63bdf6e2a7e956d024f6677768dc0
Opcode Fuzzy Hash: 1be9049ff7bde06855260b376f851b608b670fe1f1febb07fcc81295e94696c9
Instruction Fuzzy Hash: AE51AA71B0020A9FCF14FBB5D888AAEB7B6BF94304F148969E5029B255DF34D805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01496950 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014969E0
GetCurrentThread.KERNEL32 ref: 01496A1D
GetCurrentProcess.KERNEL32 ref: 01496A5A
GetCurrentThreadId.KERNEL32 ref: 01496AB3

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 949a289cf63f8b864957328598f4adc6ff89730284e71765c87c00d6f2a70ed0
Instruction ID: 79a16cade64ebf48ae02b086d2c74643edd68585e4a9a5a098fb22f0bcbe9c82
Opcode Fuzzy Hash: 949a289cf63f8b864957328598f4adc6ff89730284e71765c87c00d6f2a70ed0
Instruction Fuzzy Hash: C95188B0D002888FDB15CFAAC688BDEBFF1EF59314F24859AE449A7361D7385844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01496980 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014969E0
GetCurrentThread.KERNEL32 ref: 01496A1D
GetCurrentProcess.KERNEL32 ref: 01496A5A
GetCurrentThreadId.KERNEL32 ref: 01496AB3

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 23852d0e646c43f024dc356ccd2f9ae25490b4ac5c5a9d8d21a7da2d8bd237a2
Instruction ID: 676fa3f3b502a090304683c8c0b6b4ff37e4312bc0a06d058d709528438bcea8
Opcode Fuzzy Hash: 23852d0e646c43f024dc356ccd2f9ae25490b4ac5c5a9d8d21a7da2d8bd237a2
Instruction Fuzzy Hash: 2D5133B0D006498FDB14CFAAC648B9EBFF5EF48314F20855AE119A7360D7785884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01350A84 Relevance: 2.1, APIs: 1, Instructions: 575
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f6feff081034094bf620f2a33421e2b45f74247d1c7d814173fc6c4c8450e091
Instruction ID: 7036a955ab6b5891a83b91bd9dbfa9eced49d06b730b8fc41f8cc926972ec746
Opcode Fuzzy Hash: f6feff081034094bf620f2a33421e2b45f74247d1c7d814173fc6c4c8450e091
Instruction Fuzzy Hash: DB420874A01269CFCB68EF24D958A9DBBB6BF88305F1041EAD40AA7350DF359E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01350AA5 Relevance: 1.8, APIs: 1, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eec95e4c5ad7404970ada50e8eafd1dbe0215c3f0394e1e1d7ab8ad4fe709998
Instruction ID: 3f8ee43f6aeef6381e7effc5a420a56af9e691735aaa09d6d01b8e74d9e2c920
Opcode Fuzzy Hash: eec95e4c5ad7404970ada50e8eafd1dbe0215c3f0394e1e1d7ab8ad4fe709998
Instruction Fuzzy Hash: 04E10974A0526DCFCBA8DF24C94865DB7B6BF45205F1042EAD80AA3310DF3A9E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350AE1 Relevance: 1.8, APIs: 1, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 01f569c82a9f313e9e07dbb045eb3e635502d0d1307779ebba3f5df80b6cc5eb
Instruction ID: bbb8703872cad0148e06a33d8b83cb4276f7a621109dd4d29cd5bfbe097e728d
Opcode Fuzzy Hash: 01f569c82a9f313e9e07dbb045eb3e635502d0d1307779ebba3f5df80b6cc5eb
Instruction Fuzzy Hash: 60E1F974A0526DCFCBA8DB24C94865DB7B6BF49205F1042EAD80AA3350DF3A9E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350B26 Relevance: 1.8, APIs: 1, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 222b78588c310cff0937ff67557119f9fdad7ce6a89ebb6b33b6aaf03feac827
Instruction ID: bb4f9df8163df56a01fcf571a3a9a66bf94014f357509ae4302e31b9226af640
Opcode Fuzzy Hash: 222b78588c310cff0937ff67557119f9fdad7ce6a89ebb6b33b6aaf03feac827
Instruction Fuzzy Hash: B6D10874A0526DCFCBA8DB24C94865DBBB6BF45205F1042EAD80AA3350DF3A9E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350B6B Relevance: 1.8, APIs: 1, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 38900134f565d9669423d8127b89976e2c4449be978609ffab223f6935948ba2
Instruction ID: 3e34903765218471c550863ec36e0541051a7b4b5f020e71032bdf7c3e2ced0f
Opcode Fuzzy Hash: 38900134f565d9669423d8127b89976e2c4449be978609ffab223f6935948ba2
Instruction Fuzzy Hash: 76D11874A0526DCFCBA8EB24C94865DBBB6BF45305F1041EAD80AA3350DF3A9E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350BB0 Relevance: 1.8, APIs: 1, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8f50bb74e8744d88daa9a9c8fd61d409cfa8f5c88f985136c416eae3a5fa0925
Instruction ID: 91694b33da3d324169f77ad89d9c1a752658dd488ca14d83d81b6faa209f34e1
Opcode Fuzzy Hash: 8f50bb74e8744d88daa9a9c8fd61d409cfa8f5c88f985136c416eae3a5fa0925
Instruction Fuzzy Hash: FDD11874A0526DCFCBA8EB24C94865DBBB6BF45205F1041EAD80AA3350DF3A9E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350BF5 Relevance: 1.8, APIs: 1, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5f2f9a134c6249ac2ee665060a9d19ac0cab824f6811ac8bd80b2839fb8243d9
Instruction ID: ae67d79b6fe6dc2dd458d28d6ebc1541b059b687db9a0326809c42617b6e23de
Opcode Fuzzy Hash: 5f2f9a134c6249ac2ee665060a9d19ac0cab824f6811ac8bd80b2839fb8243d9
Instruction Fuzzy Hash: A6C11974A0526DCFCBA8DB24C85865DBBB6BF49205F1081EAD80AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350C3A Relevance: 1.8, APIs: 1, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 74e53a6ea525004690302a51a88182cf3091e2b1f4041562c1ee9321fe592327
Instruction ID: a7ba3e5f695506324026ecb03d61230d0dd8bdaa071a2e3c74ab6d4fc1ac8f75
Opcode Fuzzy Hash: 74e53a6ea525004690302a51a88182cf3091e2b1f4041562c1ee9321fe592327
Instruction Fuzzy Hash: A6C12A74A0526DCFCBA8EB24C85865DBBB6BF45305F1081EAD80AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350C7F Relevance: 1.8, APIs: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 574e117c63c70d7621a8d988212438384b984fc9c2b1b6ee9c810c72f42e544b
Instruction ID: d8124aa916bfd92b4de479f96e2c2c43110b7ba3b976ce8001a9b2fde73e0127
Opcode Fuzzy Hash: 574e117c63c70d7621a8d988212438384b984fc9c2b1b6ee9c810c72f42e544b
Instruction Fuzzy Hash: 8CC12974A0526DCFCBA8EB24C948A5DBBB6BF45205F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350CC4 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 90ccfe7bb1bd7a0a9d41ad5b7aec11db86dc59d2ffb7897b0d568a1063081e2e
Instruction ID: 5dc1c6395642f861154aa7615f368941c34a56e4a0baf0e760e9541000a8600a
Opcode Fuzzy Hash: 90ccfe7bb1bd7a0a9d41ad5b7aec11db86dc59d2ffb7897b0d568a1063081e2e
Instruction Fuzzy Hash: DFB12A74A0526DCFCBA8EB24C958B5DBBB6BF44205F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350D09 Relevance: 1.7, APIs: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5db6608b75617998ef3b69ec42973bb4b1ccff555efe54d76e84a9b951074cc2
Instruction ID: e71a0fa575434a23536e7d7cf74ff2743319d5e2b58fb58003582251c3aef4a1
Opcode Fuzzy Hash: 5db6608b75617998ef3b69ec42973bb4b1ccff555efe54d76e84a9b951074cc2
Instruction Fuzzy Hash: 44B12B74A01269CFCBA8DF24C95875DBBB6BF44205F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350D4E Relevance: 1.7, APIs: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 07214bdcf745d112c9da4fde3150d081a1f69be4db94bff8264f7eb779b0b9ec
Instruction ID: 3d71746fa2350e46e137432e1215e59de8466b1cca242ef17f92801335744f8b
Opcode Fuzzy Hash: 07214bdcf745d112c9da4fde3150d081a1f69be4db94bff8264f7eb779b0b9ec
Instruction Fuzzy Hash: 9FB11A74A01269CFCBA8EB24C95875DBBB6BF85205F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350D93 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 09fd8621797868cd42c1102d2a84a7a1fa23a1410c6904879bd647afd9e00dea
Instruction ID: d5b9cea0c6d7576efc0aa9719d72279aaf07e079ca417e7d593a1bbd6a20b462
Opcode Fuzzy Hash: 09fd8621797868cd42c1102d2a84a7a1fa23a1410c6904879bd647afd9e00dea
Instruction Fuzzy Hash: 14A11974A01269CFCBA8EB24C95875DBBB6BF84605F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350DD8 Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 02375b7cf4b615e8d8b5611b684c0ba8a7672bcb063391f58a705482d0973f09
Instruction ID: 0134339ee3c789803d68dd512a707064472567248baf7112ef7ef625f9186761
Opcode Fuzzy Hash: 02375b7cf4b615e8d8b5611b684c0ba8a7672bcb063391f58a705482d0973f09
Instruction Fuzzy Hash: 9CA12A74A01269CFCBA8EF24C95875DBBB6BF84605F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350E1D Relevance: 1.7, APIs: 1, Instructions: 217COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e9dc47be0ece2e1306b2cc16ffd604120a173c2913f04b6914ebcbd206f9498a
Instruction ID: 88a0c82b98937cadbb51d893b6eddbab167805100dcf0cda8199751a85808e33
Opcode Fuzzy Hash: e9dc47be0ece2e1306b2cc16ffd604120a173c2913f04b6914ebcbd206f9498a
Instruction Fuzzy Hash: 05A12B74A00269CFCB68EF24C85875DBBB6BF88605F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350E62 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 78f5612276a114b0dbd0a5e03ca1f1e0d4ae224cc00637f1e93d2a097f110583
Instruction ID: c9e75dfd0dfc7a9389e6ad5213d150dd825e9f94e4756a231ffb90d004f70cea
Opcode Fuzzy Hash: 78f5612276a114b0dbd0a5e03ca1f1e0d4ae224cc00637f1e93d2a097f110583
Instruction Fuzzy Hash: CF913B74A01269CFCB68EF24C85875DBBB6BF85605F1081EAD40AA3350DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01350EA7 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 17ac25668c53974cffb01427f7c13f1f819a2018e1dd19ffafc80fb95f864294
Instruction ID: 11239c009c050dfb1e7ef21632c949f4cb9b7e6c0277828eed76c2edb8512c2e
Opcode Fuzzy Hash: 17ac25668c53974cffb01427f7c13f1f819a2018e1dd19ffafc80fb95f864294
Instruction Fuzzy Hash: 83911A74A00269CFCB68EF24C95876DBBB6BF85605F1081EAD40AA3350DF399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01350EEC Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bb57768b42d450d6298f520d41eb426b6c7bbabfa4ab8f9b37c26d82396ea2fb
Instruction ID: d7baca3dc60e14d49a2df90017238eff69c84b1537983dada46cb7173c6c0903
Opcode Fuzzy Hash: bb57768b42d450d6298f520d41eb426b6c7bbabfa4ab8f9b37c26d82396ea2fb
Instruction Fuzzy Hash: 9E813B74A00269CFCB68EF24C95876DBBB6BF84605F1081EAD40AA3350DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01350F28 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 331709ccb88a708332afbcde94096673a941002e7763a5c9d035cab699db08ea
Instruction ID: 3b529f3f114e3dfedd28b0b8f9cc4efd7bb2f84b6cc75cf62a563d711a58e8bd
Opcode Fuzzy Hash: 331709ccb88a708332afbcde94096673a941002e7763a5c9d035cab699db08ea
Instruction Fuzzy Hash: BA811C74A00269CFCB69EF24C85876DBBB6BF85605F1081EAD40AA3350DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01350F6D Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 546313f428e23b565520c251b72ab6ff755f7fbc0d80e7ae490dfa3206915929
Instruction ID: cd0fbb98ee9fe49343ab8cbd262e55704c183a820e6fd110d9474c5137deeb2b
Opcode Fuzzy Hash: 546313f428e23b565520c251b72ab6ff755f7fbc0d80e7ae490dfa3206915929
Instruction Fuzzy Hash: 22712C74A00269CFCB65EB24C85876DBBBABF84605F1081E9D40AA3350DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01350FB2 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8b3fdbd083fd8d695e84711dce1b5da150fb367a7d635ee1970d13317be4cfbd
Instruction ID: a3affdb4ece1a1acbc10e8f1eba2f3ab53193dce1555d9675f26b5ef1ff6c7e7
Opcode Fuzzy Hash: 8b3fdbd083fd8d695e84711dce1b5da150fb367a7d635ee1970d13317be4cfbd
Instruction Fuzzy Hash: B3712B74A002698FCF69EB34C85876DBBBABF84605F1081E9D40AA3350DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01350FF7 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: df65e674879a5f3d6094902fba747103d75c8c5cc0662edf6d70fb557e618a25
Instruction ID: f0b3bf9633c02be99eff5d753ede4bdb93bc7fddacc60e3ef7f23307480f1506
Opcode Fuzzy Hash: df65e674879a5f3d6094902fba747103d75c8c5cc0662edf6d70fb557e618a25
Instruction Fuzzy Hash: 05613D74A002698FCF65EF34C958B6DBBBAAF84605F1081E9D40AA3350DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0135103C Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01351060

Memory Dump Source

Source File: 00000005.00000002.802660634.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1350000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 96a541e36e351a86c4861290736213d03440ac2a0a479848be79843f25b57824
Instruction ID: 81e9274e926bf9863e9d1972d417edc14b80fb36f9e858516c428690cc61015e
Opcode Fuzzy Hash: 96a541e36e351a86c4861290736213d03440ac2a0a479848be79843f25b57824
Instruction Fuzzy Hash: A6612D74A002699FCF65EB34C85876DBBBABF84605F1081E9D40AA3354DF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D80C Relevance: 1.6, APIs: 1, Instructions: 139libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00D9D877

Memory Dump Source

Source File: 00000005.00000002.800498280.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d90000_shipmentReceipt(22kb).jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f005e75ea6ffce1200bc337858a0a20ea02fa410d050a77ad48c253f1c64a56c
Instruction ID: 83e09e224182844f904a6e5885e85da81e1bb875ac72706e5fab6104d344dad8
Opcode Fuzzy Hash: f005e75ea6ffce1200bc337858a0a20ea02fa410d050a77ad48c253f1c64a56c
Instruction Fuzzy Hash: 2B418971B102099FCF14EFB4D888AAEB7B6BF98304F148969E4129B255DF34D905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014950C5 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014951E2

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d4b545fb3505ca0fc7b5096822478ec5bd7bc50441ce2eee3405c572712ade02
Instruction ID: c24f73a296de1239c89a60f57af0763c089d578e007e4cfbc339a678848ccc93
Opcode Fuzzy Hash: d4b545fb3505ca0fc7b5096822478ec5bd7bc50441ce2eee3405c572712ade02
Instruction Fuzzy Hash: 6851B2B1D102499FDF15CFA9D884ADEBFB5BF48310F24862AE419AB210D7749945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014950D0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014951E2

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bb2e7d263455786874f4eed0551ac326a29856e1e14687b0749c9767309429ee
Instruction ID: 0dc91b26b1009bcd38b494e6db7d1617ee66b5f781e7c26718e80138beb373bc
Opcode Fuzzy Hash: bb2e7d263455786874f4eed0551ac326a29856e1e14687b0749c9767309429ee
Instruction Fuzzy Hash: AD41AEB1D103499FDF15CF9AD884ADEBFB5BF48310F24862AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014977CC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01497F41

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 961f64fd908bf24a24750159d6006ec6c190130e923d02704aa8390c104515e2
Instruction ID: 32886bde57fbdd2b13a3e04fcf34e930522b9c6c5a1e180e45d3984626f51094
Opcode Fuzzy Hash: 961f64fd908bf24a24750159d6006ec6c190130e923d02704aa8390c104515e2
Instruction Fuzzy Hash: 404129B5A102098FDB14CF99C488AABBBF5FF88324F248559E519A7321D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0149C1D9 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0149C262

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e208296b7e9327fa1adfd6c64b9409607f9a9bc07f1cf1eb6eab717d33d2ad38
Instruction ID: 31ec85639ce64b80e96d1404e68a7e47fb97388e610f3143b732a2c84c682ba2
Opcode Fuzzy Hash: e208296b7e9327fa1adfd6c64b9409607f9a9bc07f1cf1eb6eab717d33d2ad38
Instruction Fuzzy Hash: 5931CBB18053898FCB11DFA9D54839EBFF0EB45318F14849AE449A7252C7799405CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01496BA1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01496C2F

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 447d67d538d8e35cab134164a23ed628302fa2d90608350a8a196859e7a1b582
Instruction ID: 229399be38a5218b32e61268bcca020c03be8fef4d3b4d1b979efe6b4562c0fb
Opcode Fuzzy Hash: 447d67d538d8e35cab134164a23ed628302fa2d90608350a8a196859e7a1b582
Instruction Fuzzy Hash: CF2103B5D002489FDB10CFAAD584AEEBFF4EB48324F14801AE854A3310D378A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01496BA8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01496C2F

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ab977e0ce5a9c69612c6e97bf1a41ec055ab89ec813b40e169fa468b6613626e
Instruction ID: c1ba62187bb7f137979326a36c0e1e2bba3cded8b23f37520aea713c8875739d
Opcode Fuzzy Hash: ab977e0ce5a9c69612c6e97bf1a41ec055ab89ec813b40e169fa468b6613626e
Instruction Fuzzy Hash: 2A21E4B5D002489FDB10CF9AD984ADEBFF8EB48320F14841AE914A3310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9E675 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D9E6F3

Memory Dump Source

Source File: 00000005.00000002.800498280.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d90000_shipmentReceipt(22kb).jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ba98669bd92ef76969a5bb67c303edd430f4a84a181e3a90968f12342352f29c
Instruction ID: 5b9938cb235b097f4644108b83f623ae175b40417754322917c50eb9e5768590
Opcode Fuzzy Hash: ba98669bd92ef76969a5bb67c303edd430f4a84a181e3a90968f12342352f29c
Instruction Fuzzy Hash: 932135B5D002098FCB14CF9AD884BEEFBF5EB88320F14841AE459A3250CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9E678 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D9E6F3

Memory Dump Source

Source File: 00000005.00000002.800498280.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d90000_shipmentReceipt(22kb).jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 3ba664c9ff30e41a7fcd4b76c14575ad1c970c9fca3224939e760e4828d10413
Instruction ID: 825966c66a3fb27f385be332ba9d88bbe29baf87f46346be239075c3dd08978d
Opcode Fuzzy Hash: 3ba664c9ff30e41a7fcd4b76c14575ad1c970c9fca3224939e760e4828d10413
Instruction Fuzzy Hash: 2F2127B5D002199FCB14DF9AD844BEEFBF5FB88320F14841AE419A7250CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D775E9 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,00D775C9,00000800), ref: 00D7765A

Memory Dump Source

Source File: 00000005.00000002.800303330.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d70000_shipmentReceipt(22kb).jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e9ed5a27bfd489ffb162beb89b5c7b9e0d12cd0d8aaf34b951d6847914004b66
Instruction ID: 97719702cfc38a819de3344deb79947183f9c2f637e62ccf72d2a55027186c9e
Opcode Fuzzy Hash: e9ed5a27bfd489ffb162beb89b5c7b9e0d12cd0d8aaf34b951d6847914004b66
Instruction Fuzzy Hash: 6E1117B6D042098FDB10CFAAD884ADEFBF4EB98324F14852ED459B7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D76378 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,00D775C9,00000800), ref: 00D7765A

Memory Dump Source

Source File: 00000005.00000002.800303330.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d70000_shipmentReceipt(22kb).jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 592ca696d76e607da3830c7ddba199dc1f7847f14c719bec3057a4e959da79eb
Instruction ID: 861906d0ffdd5b2a55eae766c0e45ef50beedfa9071c5ee6ed1956c9556bdc9a
Opcode Fuzzy Hash: 592ca696d76e607da3830c7ddba199dc1f7847f14c719bec3057a4e959da79eb
Instruction Fuzzy Hash: DA1112B69047098FCB10CF9AC844ADEFBF8EB58320F14852AE419B7700D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0149C1E8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0149C262

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8fa22bc060769b5d8af56c30a6e40f83c99e385fb19aeb8e56afb92e37427a1b
Instruction ID: e8077488f9ddf2b2ea63a1ac4886054fc05f7d50e1f205e2d65a7fdc112dd5eb
Opcode Fuzzy Hash: 8fa22bc060769b5d8af56c30a6e40f83c99e385fb19aeb8e56afb92e37427a1b
Instruction Fuzzy Hash: FE1147B1D002098FDB50DFAAC54879EBFF4EB48724F2084AAE409B3640D738A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01492E7C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01494156

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 37373d1f8d4ffd85e3955004679a555341f28ca1e1a4a4d830b198ec56e47f34
Instruction ID: 8e28a57aef4d26e64fef981c0af94706605d42acbfc150017661f841b011a16a
Opcode Fuzzy Hash: 37373d1f8d4ffd85e3955004679a555341f28ca1e1a4a4d830b198ec56e47f34
Instruction Fuzzy Hash: 161123B1D002498BDB10CF9AC548BDEFBF4EB48224F14852AD429B7710D374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014940EA Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01494156

Memory Dump Source

Source File: 00000005.00000002.803039119.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1490000_shipmentReceipt(22kb).jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 65f4eabf5e3fad3c546ada28a97c6b253b2a005161ab861747a14d538c275dc7
Instruction ID: 1993d9385097a4496f0f4b905ac958f7b2ce54034c383db3774433796f96e554
Opcode Fuzzy Hash: 65f4eabf5e3fad3c546ada28a97c6b253b2a005161ab861747a14d538c275dc7
Instruction Fuzzy Hash: 4F1120B1D002098BDB10DF9AC948ACEFBF4EF88324F14855AD429B7610D378A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kmk.exePID: 2400, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	238
Total number of Limit Nodes:	2

Executed Functions

Function 05B50040 Relevance: 12.1, Instructions: 12088COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ac7162fe49f05d02defac8bfd246da2f8dd02cc4ef0d184bbff66e584fe2bf
Instruction ID: 052f353854e072224865317e9bccd7633226b31a3342497f1c66f42d376bc77b
Opcode Fuzzy Hash: 06ac7162fe49f05d02defac8bfd246da2f8dd02cc4ef0d184bbff66e584fe2bf
Instruction Fuzzy Hash: 4754C334A01219DFDB24EB64C894AE9B7B2FF89304F1545E9E509AB361DB31AEC1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05B50006 Relevance: 12.0, Instructions: 12039COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f955ca6383a543d6f15d07f463ebbe64bcd16c777ed69a2a201894dfa38d1c99
Instruction ID: 1785ee6683ee4431430517c644ede16a8a6dec46bad2cef262d95a962bece091
Opcode Fuzzy Hash: f955ca6383a543d6f15d07f463ebbe64bcd16c777ed69a2a201894dfa38d1c99
Instruction Fuzzy Hash: EA54C334A01219DFDB24EB64C894AE9B7B2FF89304F1545E9E509AB361DB31AEC1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A35495 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A35551

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c62d312d5bff14efe89241765cd827750e0df537e73ac62da1ab2150ba9d08a8
Instruction ID: 04e2932758e2500b3bd74c881d8b290bad7966b592e347560adf30e804ac4297
Opcode Fuzzy Hash: c62d312d5bff14efe89241765cd827750e0df537e73ac62da1ab2150ba9d08a8
Instruction Fuzzy Hash: FC41E2B1C00618CFDB25DFA9C984BDEBBB6BF58304F60815AE409AB250DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A34004 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A35551

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 71c93fc393228559d3a2c09e09e89c56111dcd27d70cfbb1c5dfc6072d335208
Instruction ID: fdd842945f47ed4509f73ec6e430811ff583e5766baa262e8a7254797f7fc241
Opcode Fuzzy Hash: 71c93fc393228559d3a2c09e09e89c56111dcd27d70cfbb1c5dfc6072d335208
Instruction Fuzzy Hash: 0D41E2B1C00728CBDB24DFA9C984B8EBBF6BF58314F608159E409BB250DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A37EB9 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A37F3D

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0bd900a8faec3603b4e5d4ea61e1935d7aacf205949ab45f65965a6d20b51af7
Instruction ID: 95b8c87ec33363d38ed14f2fec27419072df9c91258c55ec2aa5248ff0940c84
Opcode Fuzzy Hash: 0bd900a8faec3603b4e5d4ea61e1935d7aacf205949ab45f65965a6d20b51af7
Instruction Fuzzy Hash: 4C218CB19043848FDB61DFA9DA447DAFBF4FB18324F14845AE405E3641D739A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A37C08 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A37C92

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8b513413c6cef29c319c3788ea7044274cd46af01d11927a779746bba8beae5c
Instruction ID: 119ce516d431c995a7c558bf3e63b497eae64b1df3d94b65744dcedec79c9b56
Opcode Fuzzy Hash: 8b513413c6cef29c319c3788ea7044274cd46af01d11927a779746bba8beae5c
Instruction Fuzzy Hash: 97219AB1D013458FEBA0CFA9D98879ABBF4EB19324F14842AE405A3641C7786945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A3D8A8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A3E7E9,00000800,00000000,00000000), ref: 02A3E9DA

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6bf025c5a1f3c5df888a6e5dc0d1723b0c0f3476213dd5a5cb4d0040b551257a
Instruction ID: 2c2256049dc3c0b1bb8420b0aff3c778247c140d7b13698cab738e0d08333111
Opcode Fuzzy Hash: 6bf025c5a1f3c5df888a6e5dc0d1723b0c0f3476213dd5a5cb4d0040b551257a
Instruction Fuzzy Hash: B011F2B6D002199FDB10CF9AC584ADEFBF8EB58324F10846AE459A7600C774A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05B4DA00 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05B4E471,?,?), ref: 05B4E618

Memory Dump Source

Source File: 00000006.00000002.662920881.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b40000_kmk.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8681249348355c273b64caf307f64d977264d22ee78d04483376bc24d73bc7a6
Instruction ID: 2ebeabcdf1fc7c353552dc8e19d892a816a13ef4565435c14cc6725018e99902
Opcode Fuzzy Hash: 8681249348355c273b64caf307f64d977264d22ee78d04483376bc24d73bc7a6
Instruction Fuzzy Hash: 761179B28002488FCB10DF99C4847EEBBF8EF68324F10845AD499A7240D738A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A37C18 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A37C92

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: a547740bea5db3ca193f179427bb3cd52e05284b5e735f24fcb547816834035a
Instruction ID: 18697d1bdcf38591daaf960b80387f098fc4daa757119e49acd9d7941a945d1f
Opcode Fuzzy Hash: a547740bea5db3ca193f179427bb3cd52e05284b5e735f24fcb547816834035a
Instruction Fuzzy Hash: 7A114FB09013098FDB60DFAAD98879EBBF4FB49325F108429E405A3740DB796944CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02A37EC8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A37F3D

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f7c39898debc74b05af6e64e8794cc905622a94bfab17411164e882cab2826f6
Instruction ID: 571312d8409894b01db12b024229395f03984c115b0ae5cfde5ceb53eade125d
Opcode Fuzzy Hash: f7c39898debc74b05af6e64e8794cc905622a94bfab17411164e882cab2826f6
Instruction Fuzzy Hash: 4E1151B19003498FDB21DF99DA4479AFBF8FB08325F10841AE405E3740CB7AA944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A3C394 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02A3E53B), ref: 02A3E76E

Memory Dump Source

Source File: 00000006.00000002.653676213.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a30000_kmk.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 24dd42e60137c02e2cc16280361d2bc847975cac93e4db046cbe1bfe6942ab75
Instruction ID: eaa124ee3959b53d8f533b736c838edd06b813cfe1361306f1923124697b20ae
Opcode Fuzzy Hash: 24dd42e60137c02e2cc16280361d2bc847975cac93e4db046cbe1bfe6942ab75
Instruction Fuzzy Hash: 861120B5D00648CBDB10CF9AC584BDEFBF4EF48228F10851AE929B7600D7B8A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B4D814 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05B4E471,?,?), ref: 05B4E618

Memory Dump Source

Source File: 00000006.00000002.662920881.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b40000_kmk.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a3d106c91c55353ecd51e0d21018dbf66498cfe92d7b4c816207303beef02827
Instruction ID: 24ac7133a9ee406c481c15b90fcb20b81a4dd659f6b87ab7ad9ffcdfe07f050a
Opcode Fuzzy Hash: a3d106c91c55353ecd51e0d21018dbf66498cfe92d7b4c816207303beef02827
Instruction Fuzzy Hash: B1113AB58006098FCB20DF99C5847DEBBF8FB58320F108459E555A7740D778A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B4E5BB Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05B4E471,?,?), ref: 05B4E618

Memory Dump Source

Source File: 00000006.00000002.662920881.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b40000_kmk.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 53a048c7346b49ef7f7ce556893f263fef1ef6ae229367c4eedea3dbde1d8263
Instruction ID: 4ead6f933b91a73ec35a40272734371df8a390e0b567e617e5498c7fc8311e06
Opcode Fuzzy Hash: 53a048c7346b49ef7f7ce556893f263fef1ef6ae229367c4eedea3dbde1d8263
Instruction Fuzzy Hash: 001136B68006098FCB10DF9AC584BDEBBF8FF58320F14846AE559A7740D778A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C72EDC Relevance: 1.5, APIs: 1, Instructions: 47
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,04DF6190,?,?,?,?,?,?,?,05C73D28,00000000,?,00000000), ref: 05C73EBD

Memory Dump Source

Source File: 00000006.00000002.663217646.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_kmk.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 002d43678d009a0295202b8e408bb96a5a108332c49c9b83b1dd613c232eb9df
Instruction ID: cc21579734235833cfe54ad2908b77c2416a07cd1e41161a198633bbea7100ff
Opcode Fuzzy Hash: 002d43678d009a0295202b8e408bb96a5a108332c49c9b83b1dd613c232eb9df
Instruction Fuzzy Hash: 581110B59002589FDB10DF8AC884BDEBBF8EB48324F10881AE959A3600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C73E58 Relevance: 1.5, APIs: 1, Instructions: 45
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,04DF6190,?,?,?,?,?,?,?,05C73D28,00000000,?,00000000), ref: 05C73EBD

Memory Dump Source

Source File: 00000006.00000002.663217646.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_kmk.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 243ab60e2dafa4bcd2f36f923d50784e8e5dd2c1658d3080cb672fee6891379c
Instruction ID: 961f84d86231c8b488b4b9706b3d74f2801b004623e40996af8369083cd3dd0b
Opcode Fuzzy Hash: 243ab60e2dafa4bcd2f36f923d50784e8e5dd2c1658d3080cb672fee6891379c
Instruction Fuzzy Hash: D011F2B58006489FDB10DF9AD884BDEBFF8FB58324F10885AE559A7640C379A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5D1E2 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348048967466cf4d066cb248976c35ae664affdb3cc11aeeb0b4cd2a6d99dd95
Instruction ID: a8f83df775e863545d484f4d4ff04f1c0a99928ae9e561cc072448937535bf6a
Opcode Fuzzy Hash: 348048967466cf4d066cb248976c35ae664affdb3cc11aeeb0b4cd2a6d99dd95
Instruction Fuzzy Hash: A851C412A9E3C00FF30B637549226A57F7ADB53669B0A41EFD0D2CE9A3C55D580B8372

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DE68 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24a7206510fecfa36188a656ff99cde993eb6cb24a1dcd15acf78d1bb9b57a2
Instruction ID: 7a363d2874b5b81796f482f23c25bbb3cdf981b10b8ef6fbade86eb4d6ef9ad9
Opcode Fuzzy Hash: c24a7206510fecfa36188a656ff99cde993eb6cb24a1dcd15acf78d1bb9b57a2
Instruction Fuzzy Hash: FD516B30900A1A9FDB19CF58C980ABAF7F5FF44310B51CA99E966A7280D730FA15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DE57 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6454234563f0c33190e183c7c65c1bb54e011b495660497a86557800bbed93
Instruction ID: 1c3acb8caa11d1305f994b1f10649110534d9cc0ab8aed53ab793e5393713b4d
Opcode Fuzzy Hash: 1e6454234563f0c33190e183c7c65c1bb54e011b495660497a86557800bbed93
Instruction Fuzzy Hash: 3C514B31900A1A9FDB19CF58C980ABEF7F5FF44320B558A59E966A7284D730FE15CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E750 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fecb025477a4cfb18869d23b05616ee5fb94c95a7ad59f24c42a3211ef2e7ef
Instruction ID: 9884ad202929b7f4a47a7a67ed5bae85f4aee05f65038424510f21a9c516138d
Opcode Fuzzy Hash: 0fecb025477a4cfb18869d23b05616ee5fb94c95a7ad59f24c42a3211ef2e7ef
Instruction Fuzzy Hash: 54417270940215CFEF18FBB4C4547AD7AB6EF88324F1445ADD811BB240DB35A982CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B5FE58 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281ff135541cce31ca0c2c24440449a8d430e771daff3b44d5ecf28998d6ff49
Instruction ID: 20e011d3e74ad58198e814e20579fba1c8073c693977e9b3d81371354f2ae0a8
Opcode Fuzzy Hash: 281ff135541cce31ca0c2c24440449a8d430e771daff3b44d5ecf28998d6ff49
Instruction Fuzzy Hash: 8F415870B016198FCB19DBA8D884AAEBBF2FF49310F1045A9E506A7341DB75AD41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B5FD08 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4573ad914277022c278694aa4706740ea8eaf4ccae85495c3cabe780ba71709
Instruction ID: 6413a0223270f13590e2c80ec1a8bd32d8f6d4c6e3dd2b29bff1510143cee3ee
Opcode Fuzzy Hash: c4573ad914277022c278694aa4706740ea8eaf4ccae85495c3cabe780ba71709
Instruction Fuzzy Hash: 7141B230A006068FCB15DF38D4548AEFBB2FF883147108AADD459AB351DB35F942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E3F8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795bd4497799d6416ac1427e03adcba5446d251bac380f62d1d1a571e14a71dd
Instruction ID: 67750ec529ceb9ec6c0bc1f7c692d58edf7724ded4746cd51cf90e8b13ae53d4
Opcode Fuzzy Hash: 795bd4497799d6416ac1427e03adcba5446d251bac380f62d1d1a571e14a71dd
Instruction Fuzzy Hash: 2F3170317001048FDB19EB7DD844AAD73EAEF89625B1401FED91ACB3A1DB31E902CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DAB8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2fbc4c924ff723434ed7fd6d2b96456b3936bb45c6bdc83110532aee141936
Instruction ID: 46797ff6bf6f9555b45dfd8227ff418c6a5c37877d6eb650a992fefc43c8d24d
Opcode Fuzzy Hash: 4d2fbc4c924ff723434ed7fd6d2b96456b3936bb45c6bdc83110532aee141936
Instruction Fuzzy Hash: 5F31F8343047018FE778DF28D585B2AB7E3FB49220B144BAAE897CB660D770FA458B51

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E740 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ff77d28b252499500f8701030bcb25a439087e292afc5f0d15b6a5bb0eb60e
Instruction ID: 8a96bb428e09ce013449148bdfa931ebf94cdf3734f918a24a9f491d58e3632a
Opcode Fuzzy Hash: b1ff77d28b252499500f8701030bcb25a439087e292afc5f0d15b6a5bb0eb60e
Instruction Fuzzy Hash: 7231C1709002558FEF2CFBB4C4547BD7AA6EF89324F1448ACC812AB240DA35A942CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5FE47 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6729124fa951b2afe6d3cd1df7d5deabec9ef7de17bea40036f391dcc7505736
Instruction ID: ea0172a87e90dc2e3331ad3a1f9f36bde260f80f8ef042720c7d20dcf2c4e539
Opcode Fuzzy Hash: 6729124fa951b2afe6d3cd1df7d5deabec9ef7de17bea40036f391dcc7505736
Instruction Fuzzy Hash: B531BC70B016499FCB19DBA9D8947ADFBB2EF4A310F1045A9E902A7340EB71A901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B5F000 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ff08987b1b03d3f413e9c0ec65b1b834c39a0379ae34134f73d88407223a75
Instruction ID: a4ac21c3cef74ec2b2511a0b310e8006450655948dc1b416e2cc9a2d4ed6a6de
Opcode Fuzzy Hash: 79ff08987b1b03d3f413e9c0ec65b1b834c39a0379ae34134f73d88407223a75
Instruction Fuzzy Hash: 3B31E875A00209EFDB09AFE0E8589AEBBB7EF89314F048559F5016B260DB747815DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B5D458 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a368d9196d1fdf40d7b72998281f357849b5bfff07a30fad5f5cce8fa11a28e
Instruction ID: ccce3f454a63602eeb349fc9ad4dcbd9474a6250d22c4da9a994842c0c1aa8b5
Opcode Fuzzy Hash: 5a368d9196d1fdf40d7b72998281f357849b5bfff07a30fad5f5cce8fa11a28e
Instruction Fuzzy Hash: 09311432C00B0ADECB01EF68C854499F7B1FF95314B118B9AE95967121FB30E6D5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DAA8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f158cdaff8028dd8987a68350ca6c9001f52db95dcf1cd5d5215e00490bbca5
Instruction ID: 5d30800c9eea4c0e5b94eae85fd748cbc049395b455c0a66c551a0888d0df593
Opcode Fuzzy Hash: 6f158cdaff8028dd8987a68350ca6c9001f52db95dcf1cd5d5215e00490bbca5
Instruction Fuzzy Hash: 6D212A343046418FD764DF39D485B2AB7F6FF4A220B184EA9E496CB621D770F9058B51

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD43C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653140828.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef0468fabb9aa47aff61b2f2470eae553c238f9e037f0767adc892c4e5f7644
Instruction ID: 9f709b50c0d32e42ccc2f2be626046592c10d896ef9c3eea7f693b3e1225f5cc
Opcode Fuzzy Hash: 4ef0468fabb9aa47aff61b2f2470eae553c238f9e037f0767adc892c4e5f7644
Instruction Fuzzy Hash: 90210271504241EFCB059F04C9C0F16BF66FB94324F24C57DE9090B646C33AE806D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD528 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653140828.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778ef03297baba8b5cd3b907b8ff22d2607b62e21e8201a07247c14e20b16915
Instruction ID: da21930d207bf67a1ee82f9f94ad397e0a08e29a46da5d23fbd9c51a96ce32fe
Opcode Fuzzy Hash: 778ef03297baba8b5cd3b907b8ff22d2607b62e21e8201a07247c14e20b16915
Instruction Fuzzy Hash: A72103B5504241EFDB01CF14D9C0F26BF66FB99328F24857DE9450B206C33AD846DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5F010 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2680d3fa6db1b8cef0fbfd82847a551955d132103c2d55c682e13a6b13f7afda
Instruction ID: 160bdc32996057ad4f761c1bfb7245c0d9a2150b6303a88d00aac14c67a0014e
Opcode Fuzzy Hash: 2680d3fa6db1b8cef0fbfd82847a551955d132103c2d55c682e13a6b13f7afda
Instruction Fuzzy Hash: 2C21E775A00219EFDB09AFA0E85899EBBB7FF88304F058519F5027B360DB74A815DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B5D468 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1808e87c71c17f29f56e6b06a159fe05a466837d566bd58150ebef2ae14f7f0d
Instruction ID: ab1c55d87b958c3902a11879a2cdf82c15726acf4bacebb4a67a7147f8155a46
Opcode Fuzzy Hash: 1808e87c71c17f29f56e6b06a159fe05a466837d566bd58150ebef2ae14f7f0d
Instruction Fuzzy Hash: 27310332D10B0ADECB01EFA9C854499FBB1FF95310B118B5AE95967121FB30E695CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD32C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653206418.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cd13ae4bb5909b5fd7de86116f576e6856464d1a94fb96b5d4444af5637ac1
Instruction ID: d2c77da7a21909ae9971679e7fd9e73601d6d73b58fb38092b344c04a2b542e3
Opcode Fuzzy Hash: 61cd13ae4bb5909b5fd7de86116f576e6856464d1a94fb96b5d4444af5637ac1
Instruction Fuzzy Hash: 50210775504244EFDF05DF14D9C0B26BB66FB84314F24C66EE9494B346C33AD846CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD174 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653206418.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2424c1551f4f09428f3a17ae1747da8b6b549244b383bf7fab11262b3809e4
Instruction ID: feb08cb6a79c80dddb514c2d6e63235068537e6a1e1354495894e03debf35eed
Opcode Fuzzy Hash: 2f2424c1551f4f09428f3a17ae1747da8b6b549244b383bf7fab11262b3809e4
Instruction Fuzzy Hash: 4D21D075504240EFDF05DF54D9C0B26BFA6FB88314F24CAAAE8494B346C73AD846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05B5FCF4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b76ecce87fb05a9e0b995c559e03f17e9203ce9445450ad3ea2505963516dba
Instruction ID: 23a81f57f00d02559906a3be73591191418cc784cf30d13554c8aea7d2669015
Opcode Fuzzy Hash: 4b76ecce87fb05a9e0b995c559e03f17e9203ce9445450ad3ea2505963516dba
Instruction Fuzzy Hash: A1214C70A0060ACFCB24DF64C5849AEFBB6FF88314B104AADD54A97351EB35B906CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B5D2C8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168a72968a19594876c53a29d38c8b657c74974023abf40ebc553590958f3de9
Instruction ID: db72b5a9106cd210792441339947c7f233838310a7d08fc7a18174d72ded51bf
Opcode Fuzzy Hash: 168a72968a19594876c53a29d38c8b657c74974023abf40ebc553590958f3de9
Instruction Fuzzy Hash: B411C1343402144FEB05B769D451B2F72EBEBC8B08F00482AE102DB7E5CEB9EC0297A1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E2B0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1704702ca1cf2bce724cc89b6ec6fece1f05416fda4c8d984e7523ad7160e444
Instruction ID: 70cc7e36ae40bf6a6b5bbf25e878de80cdfb1c81336257dea9261eb84f20ee7d
Opcode Fuzzy Hash: 1704702ca1cf2bce724cc89b6ec6fece1f05416fda4c8d984e7523ad7160e444
Instruction Fuzzy Hash: 5C11E3317043005BD3259B68E4A175B77EBFBC8314F144869E286C7381DFB4B8008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD437 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653140828.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 8b741e5d4449904b5c1395f59a4357fc83ec5e16e2b54cc8e8b781cdba441087
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 0B11B176504281DFCB16CF10D9C4B16BF72FB94324F28C6ADD9444B616C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD523 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653140828.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: a621d1ca9df7ac5024562cc00628eb0a72a092cf0f992e80736416afb797e81c
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: E011D376504280DFCB12CF14DAC4B16BF72FB95324F28C6ADD8490B616C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E2C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4070a6966b101626ace69cc59e83593929c7c06415c43cb503f9e77a19e920
Instruction ID: e94af219a5ff74886b2dd88871f44923aba6c134ada033c371ca8c83160451ec
Opcode Fuzzy Hash: 0a4070a6966b101626ace69cc59e83593929c7c06415c43cb503f9e77a19e920
Instruction Fuzzy Hash: 3E11C4317147005BE325AB68E4A5B5B73EBFBC8314F148869E287C7781DF78B8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD16F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653206418.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction ID: 6d84dc202be7af68a6cf866fea060f7778eb7ffcc9aa7a504568267988ec0789
Opcode Fuzzy Hash: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction Fuzzy Hash: B9118B75504280DFDB12CF54D5C4B15BFB2FB89324F28C6AAD8494B756C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD327 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653206418.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction ID: e9a9f8ae2cbd8c1954960e763ddce33d5869f9f90f431e014a1ffc8bf0093886
Opcode Fuzzy Hash: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
Instruction Fuzzy Hash: 2D119D79504284DFDB16CF14D5C4B15BBB2FB84324F28C6AAD8494B756C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E7DA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dc2ed2670a6953ad945a2091f55124219ef1f48294041ad2150976551c3d15
Instruction ID: d71a9b52224b6dfb61a8f852801287d98df67145f81355ba019ebaf315920c0d
Opcode Fuzzy Hash: 27dc2ed2670a6953ad945a2091f55124219ef1f48294041ad2150976551c3d15
Instruction Fuzzy Hash: B7118270940105CFEB18FFB5D4547BD7AB2EB48329F1444ADD402A7290CB38AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD651 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653140828.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fdfb4fee6a9fb40610e7dce0b09678fcc17ddf8b7f69962376bde0ee232eae
Instruction ID: 066bd02fa4ce2eaaa9666f8a7f021d42c7b3f49ccf9a5eecd68fe62092781ba7
Opcode Fuzzy Hash: 50fdfb4fee6a9fb40610e7dce0b09678fcc17ddf8b7f69962376bde0ee232eae
Instruction Fuzzy Hash: 1B01F271448389AAE7109A29DC84B66FFD8EF50334F28852EFD8D1B242C778D840CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DDB9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc53529c4684a8cdb7bb0e7f1a4c30f2d8d7f977d02f07e4b44993beee8da02
Instruction ID: 8cf2852ac35003b92a63ed6c57508d1569d4eaca297de4cbf6457cc42d0ded8b
Opcode Fuzzy Hash: 2bc53529c4684a8cdb7bb0e7f1a4c30f2d8d7f977d02f07e4b44993beee8da02
Instruction Fuzzy Hash: F4F0FC32A041555FDF14DB95D8406BFFBBAFFC5631F044576E40583200DA745801C3C4

Uniqueness

Uniqueness Score: -1.00%

Function 05B5D7C8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b46aabac35a13c7e5b04e96117b3c4b22a995800df253684f9372ed8b312bb5
Instruction ID: 00e210e4389df59ecbe53057e65bd253cf55599384a6389b885141140885e2db
Opcode Fuzzy Hash: 6b46aabac35a13c7e5b04e96117b3c4b22a995800df253684f9372ed8b312bb5
Instruction Fuzzy Hash: 9BF0F631700B04DBC7167B29D84886EBBA6FFC9321701415EF80AC7320DF748982C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DDC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb94c0c867d416692616c0b2ee183865bf251e959bd9985c9032543da81b261
Instruction ID: 9c59970f4eb48a2c76ab00ad8b4268fdb8f8b8a0ec7f42a2a22e4de9c23fe32d
Opcode Fuzzy Hash: 7cb94c0c867d416692616c0b2ee183865bf251e959bd9985c9032543da81b261
Instruction Fuzzy Hash: E0F09632A041159BDB18DB56D841A7FF7ABFBC5621B15857AD40987204DA74AC02C3D4

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E240 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98708b1be2b8b068c241cf18165ffd5011b28a7ca83b8b0683d65b2ee7943ef
Instruction ID: 349c3efa05300f5ed60d1893539840be2ccdcb3ae0d2a1d852769e29b2c08abb
Opcode Fuzzy Hash: e98708b1be2b8b068c241cf18165ffd5011b28a7ca83b8b0683d65b2ee7943ef
Instruction Fuzzy Hash: 26F0BE313402146BEA287679A891B6F329ADBC2B54F50042DE2069B3C4CE65AC0282B6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD650 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.653140828.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfea602c093d5da47215ea95941f065fc3fea050de4b89867ee7329a7c72ec09
Instruction ID: 07ee490787eb1d61395f77dc8c8c9673499907cc743e7b92d5dc92e95cdfc3f1
Opcode Fuzzy Hash: bfea602c093d5da47215ea95941f065fc3fea050de4b89867ee7329a7c72ec09
Instruction Fuzzy Hash: BAF0C271404288AAE7109A06CC84B62FFD8EB90334F18C55AED485F282C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E399 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902df2db1fa26f3fad9bc10b76475ff3af182cc25431e368e5a749caa85fa52a
Instruction ID: 0537ca5ab8e63d09ce0c61a9d630b0c39d88d0680fad556d42dfd6d5b93df9be
Opcode Fuzzy Hash: 902df2db1fa26f3fad9bc10b76475ff3af182cc25431e368e5a749caa85fa52a
Instruction Fuzzy Hash: 24F0E231A002599FDB10EB6CD8043DEBBF4FB84319F0485A9D559E3341D374AA0ACBC0

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E835 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b4b102d9526c23684ce26d3425b76b0e897f6d6f8d30c0420ec48ffcfa0fc3
Instruction ID: 7da277e52f85f827f7cf5c0ac99de3739ad4ef25c2c314ed36d644965bf95422
Opcode Fuzzy Hash: 34b4b102d9526c23684ce26d3425b76b0e897f6d6f8d30c0420ec48ffcfa0fc3
Instruction Fuzzy Hash: 13F0B470A002098BDB1CFFB5D4147BD7AB2EF48319F0088ACD402AB290CF38A941DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E1E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466b966c4bffc2fbee71538c1250cae77cb862ca2ee2d7030ab03d3672e40991
Instruction ID: c0f4a47194e243afcaabe2e63ee6e3d7a6ad4fc60fc1a0f3358d0ea4e78f9264
Opcode Fuzzy Hash: 466b966c4bffc2fbee71538c1250cae77cb862ca2ee2d7030ab03d3672e40991
Instruction Fuzzy Hash: A2F01C716007049B8B1DDF2DD5419957BE5FF4632832489ADE029CF256E773E9038BC4

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E1D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e497668a2e3f5f731e000d230e289f69bf5820b99f4c7fa01f441b24b9906e
Instruction ID: 00ec638c8165b9048ae2bdeeb67763758434c2cbae127ec15c27fa8f0364ab9d
Opcode Fuzzy Hash: f4e497668a2e3f5f731e000d230e289f69bf5820b99f4c7fa01f441b24b9906e
Instruction Fuzzy Hash: B6F065716442456BCB09DF78E4516B67BE5FB06358B1408ADF095CF216D762F90387C0

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E3A8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e4ad9f433c37d984c516b6deed22389b788b9f9f59df0cdc6f46403e671eec
Instruction ID: 75676fc30ee18171ae46f9eb9347354dcd8c429b8ab26d8b43c87b75c518caa4
Opcode Fuzzy Hash: 31e4ad9f433c37d984c516b6deed22389b788b9f9f59df0cdc6f46403e671eec
Instruction Fuzzy Hash: EFE03931A002199FCB10AB6DD8086DEB7F8EB84215F004569D919E3244D774AA1ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DE28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6f494a13fef0ffd4518536d68192acef5c9bbde7ff0b73be85617996499d7f
Instruction ID: 476d599aaf8f317001f2075ed6200c866a639829a55f977851f83b3071be0d79
Opcode Fuzzy Hash: ae6f494a13fef0ffd4518536d68192acef5c9bbde7ff0b73be85617996499d7f
Instruction Fuzzy Hash: C6D0A7352013905BC71423B97A043973FACDF4B223F0804B1E244C1701C5BA480283D0

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E370 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a5c3305d5a76f87e4fbfcb5e80f7f2f7674ea653252fd32bad70cefe3b3c33
Instruction ID: c0f527eb0f64129f0aa1efca1f8defe44edb7ab7ca600af1ac22533472ba800a
Opcode Fuzzy Hash: f0a5c3305d5a76f87e4fbfcb5e80f7f2f7674ea653252fd32bad70cefe3b3c33
Instruction Fuzzy Hash: 7BC0122240A390AAEB59AB7864003A6BFE2DB86310F04C4ADC2C986A16C63848039790

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E710 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc3c144eb6a0c584b34fe576b8d79985957be6f7a5dc285aa720da22e48acf4
Instruction ID: a0c927cef1e33a7e879eb32e6a601b26f1866f8c5784b7f66d83cda76589b940
Opcode Fuzzy Hash: 7dc3c144eb6a0c584b34fe576b8d79985957be6f7a5dc285aa720da22e48acf4
Instruction Fuzzy Hash: E7D0C9795010898ECF41AB60F666774BF22EBA230EF446484E491475AAC7686843DFC2

Uniqueness

Uniqueness Score: -1.00%

Function 05B5E8A8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a218cfe41a6cb7ab304e42fff14fde6f2b97d82409eca73fb501d3ce0487613f
Instruction ID: 19b3e1c0b612bb4d6f6eecf81facbe67453a3b432dc70a20184e8fff3c821a04
Opcode Fuzzy Hash: a218cfe41a6cb7ab304e42fff14fde6f2b97d82409eca73fb501d3ce0487613f
Instruction Fuzzy Hash: 48E0E275D40209CFD704DFA4E198AADBBB0EB08720F208499D816AB260CB34A904CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05B5DE38 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.662984451.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b50000_kmk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ae841b51e12d1c240cd795f338196d101884ebd15a57fcfd099d21c04968e6
Instruction ID: fc9e15a02fec1394a84f7b314ae6b0f4a83becae62284e04b4fda04c5a7082eb
Opcode Fuzzy Hash: a2ae841b51e12d1c240cd795f338196d101884ebd15a57fcfd099d21c04968e6
Instruction Fuzzy Hash: 44C08C322023249BC72427B9B9086963BEDDF8A222B000076E209C2700CABB8C0087E0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kmk.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipmentReceipt(22kb).pdf__customInvoice12074408.exe.log

C:\Users\user\AppData\Roaming\kmk\kmk.exe

C:\Users\user\AppData\Roaming\kmk\kmk.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Function 065E8360 Relevance: 3.5, Strings: 2, Instructions: 983
COMMON

Function 07FD86A0 Relevance: 1.9, Strings: 1, Instructions: 663
COMMON

Function 07FD9CC8 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 07FD9CB3 Relevance: 10.7, APIs: 7, Instructions: 165
COMMON

Function 07FD095D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 07FD0968 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 03174004 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 03175495 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07FD0648 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Function 07FD0650 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 065EFCC0 Relevance: 1.6, APIs: 1, Instructions: 67
threadinjectionCOMMON

Function 07FD0769 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 065EFCC8 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Function 07FD0770 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON