Edit tour

Windows Analysis Report
Bill of Lading.exe

Overview

General Information

Sample name:	Bill of Lading.exe
Analysis ID:	1501090
MD5:	4a66f7adeee42701433453d52eef4fe3
SHA1:	dccf14f7ba680630193ba6afaee8010db77c5fc3
SHA256:	d5b1bfd640980218ef11f409fa2b966c84c402e93eb47c3bce412096bec5284f
Tags:	AsyncRATexe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Bill of Lading.exe (PID: 2080 cmdline: "C:\Users\user\Desktop\Bill of Lading.exe" MD5: 4A66F7ADEEE42701433453D52EEF4FE3)

InstallUtil.exe (PID: 1036 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xwram1.duckdns.org"], "Port": "58345", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7900:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x799d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7ab2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x75ae:$cnc4: POST / HTTP/1.1
00000000.00000002.1448146740.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1113c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1b314:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6fdd4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x111d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1b3b1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6fe71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x112ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1b4c6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ff86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10dea:$cnc4: POST / HTTP/1.1 0x1afc2:$cnc4: POST / HTTP/1.1 0x6fa82:$cnc4: POST / HTTP/1.1
00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Bill of Lading.exe PID: 2080	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Bill of Lading.exe PID: 2080	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Bill of Lading.exe PID: 2080	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 1036	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Bill of Lading.exe.2dbc814.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Bill of Lading.exe.2dbc814.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5d00:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5d9d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5eb2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x59ae:$cnc4: POST / HTTP/1.1
2.2.InstallUtil.exe.150000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.InstallUtil.exe.150000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7b00:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7b9d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7cb2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x77ae:$cnc4: POST / HTTP/1.1
0.2.Bill of Lading.exe.50f0000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Bill of Lading.exe.2dbc814.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Bill of Lading.exe.2dbc814.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7b00:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c5c0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7b9d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5c65d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7cb2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5c772:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x77ae:$cnc4: POST / HTTP/1.1 0x5c26e:$cnc4: POST / HTTP/1.1
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mmgfreeway.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Bill of Lading.exe, ProcessId: 2080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmgfreeway

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: xwram1.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["xwram1.duckdns.org"], "Port": "58345", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mmgfreeway.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\mmgfreeway.exe	Virustotal: Detection: 72%			Perma Link

Multi AV Scanner detection for submitted file

Source: Bill of Lading.exe	ReversingLabs: Detection: 65%
Source: Bill of Lading.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mmgfreeway.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bill of Lading.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.InstallUtil.exe.150000.0.unpack	String decryptor: xwram1.duckdns.org
Source: 2.2.InstallUtil.exe.150000.0.unpack	String decryptor: 58345
Source: 2.2.InstallUtil.exe.150000.0.unpack	String decryptor: <123456789>
Source: 2.2.InstallUtil.exe.150000.0.unpack	String decryptor: <Xwormmm>
Source: 2.2.InstallUtil.exe.150000.0.unpack	String decryptor: PC
Source: 2.2.InstallUtil.exe.150000.0.unpack	String decryptor: USB.exe

Source: Bill of Lading.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bill of Lading.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: O.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @zo.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ?zoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbP% source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPno8C:\Windows\InstallUtil.pdbWH source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051B252Dh	0_2_051B2440
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_051B1468
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_051B1460
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051B252Dh	0_2_051B24F3
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051B252Dh	0_2_051B26AB
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051F5D61h	0_2_051F5D00
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051F5D61h	0_2_051F5CF0
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051FD400h	0_2_051FD348
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051FD400h	0_2_051FD340
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then jmp 051F5D61h	0_2_051F5ECF
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_052DDA10

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xwram1.duckdns.org

Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Bill of Lading.exe

Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FFD50 NtResumeThread,	0_2_051FFD50
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FE820 NtProtectVirtualMemory,	0_2_051FE820
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FFD49 NtResumeThread,	0_2_051FFD49
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FE81A NtProtectVirtualMemory,	0_2_051FE81A

Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_00BD9D68	0_2_00BD9D68
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_00BD62F8	0_2_00BD62F8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_00BD6308	0_2_00BD6308
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_00BD58B8	0_2_00BD58B8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_00BD58A9	0_2_00BD58A9
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050D18E2	0_2_050D18E2
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050D1C17	0_2_050D1C17
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050D2AF8	0_2_050D2AF8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E7AF8	0_2_050E7AF8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E0006	0_2_050E0006
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E0040	0_2_050E0040
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E806F	0_2_050E806F
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E6678	0_2_050E6678
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E6688	0_2_050E6688
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E129F	0_2_050E129F
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E12B0	0_2_050E12B0
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_050E7AEA	0_2_050E7AEA
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051B2440	0_2_051B2440
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051BA558	0_2_051BA558
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051BA549	0_2_051BA549
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051B24F3	0_2_051B24F3
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051B26AB	0_2_051B26AB
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051F79B0	0_2_051F79B0
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FBA28	0_2_051FBA28
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051F7D97	0_2_051F7D97
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051F79A0	0_2_051F79A0
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FB9D0	0_2_051FB9D0
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FCF88	0_2_051FCF88
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051F8FD9	0_2_051F8FD9
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051F23F8	0_2_051F23F8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051F8FE8	0_2_051F8FE8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051FBA18	0_2_051FBA18
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_052B0006	0_2_052B0006
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_052B0040	0_2_052B0040
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_052D0006	0_2_052D0006
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_052D0040	0_2_052D0040
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_052DF648	0_2_052DF648
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_05550040	0_2_05550040
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_05550006	0_2_05550006
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_0556D220	0_2_0556D220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_009D0EE0	2_2_009D0EE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 912

Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1449018047.00000000055D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefiletocrypt.exe4 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1437324458.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1447539886.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQijjyabe.dll" vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000000.1427214065.0000000000208000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe
Source: Bill of Lading.exe	Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe

Source: Bill of Lading.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Bill of Lading.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mmgfreeway.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@0/0

Source: C:\Users\user\Desktop\Bill of Lading.exe

File created: C:\Users\user\AppData\Roaming\mmgfreeway.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\iEuKzrF7KOcf8iUC

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3c6fa989-34e0-4741-9c63-3147f026ea2a

Jump to behavior

Source: Bill of Lading.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bill of Lading.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Bill of Lading.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bill of Lading.exe	ReversingLabs: Detection: 65%
Source: Bill of Lading.exe	Virustotal: Detection: 72%

Source: C:\Users\user\Desktop\Bill of Lading.exe

File read: C:\Users\user\Desktop\Bill of Lading.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bill of Lading.exe "C:\Users\user\Desktop\Bill of Lading.exe"
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 912
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bill of Lading.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bill of Lading.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: O.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @zo.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ?zoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbP% source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPno8C:\Windows\InstallUtil.pdbWH source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Bill of Lading.exe, Pobwultsfy.cs	.Net Code: Atghiyyrxmt System.AppDomain.Load(byte[])
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Bill of Lading.exe.50f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1448146740.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR

Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_00BD56A8 push ss; ret	0_2_00BD5702
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_05082EA7 push esp; retf	0_2_05082EA8
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051BDC66 push edx; retf	0_2_051BDCAD
Source: C:\Users\user\Desktop\Bill of Lading.exe	Code function: 0_2_051BDCFD push edi; iretd	0_2_051BDD05

Source: Bill of Lading.exe	Static PE information: section name: .text entropy: 7.916001790909424
Source: mmgfreeway.exe.0.dr	Static PE information: section name: .text entropy: 7.916001790909424

Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, JUTfQANoJH8bQj3LXjk.cs	High entropy of concatenated method names: 'Ls5NPVJpxq', 'tAx4HJDc91PxEjiFKyw', 'J7NqPAD0gUZWL2dejci', 'ofollVDj9AYnZIOTl6y', 'fhAaFCDXuQfTche8IAx', 'A3D0nEDuIBIdvNTZWu4', 'AyoaSADhyZm8WdtqTuV'
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, P5YM9AGvh3to0BuV5X9.cs	High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'OP2G1GjBoN', 'NtProtectVirtualMemory', 'NNjdnuSPQWnbU8taRc7', 'E8r9e6SZhLbYv6WW1qA', 'VsQjBsSoVleDmwpI4is', 'hXlawlSBdu4LXtYKVoD'

Source: C:\Users\user\Desktop\Bill of Lading.exe

File created: C:\Users\user\AppData\Roaming\mmgfreeway.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Bill of Lading.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mmgfreeway			Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mmgfreeway			Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 23C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 43C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\Bill of Lading.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bill of Lading.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 152000	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 15C000	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 15E000	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 255008	Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe	Queries volume information: C:\Users\user\Desktop\Bill of Lading.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Bill of Lading.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	211 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bill of Lading.exe	66%	ReversingLabs	Win32.Trojan.Leonem
Bill of Lading.exe	73%	Virustotal		Browse
Bill of Lading.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mmgfreeway.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mmgfreeway.exe	66%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\mmgfreeway.exe	73%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
xwram1.duckdns.org	100%	Avira URL Cloud	malware
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse
xwram1.duckdns.org	3%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
xwram1.duckdns.org	true	3%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501090
Start date and time:	2024-08-29 12:14:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bill of Lading.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 87% Number of executed functions: 136 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 1036 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:15:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mmgfreeway C:\Users\user\AppData\Roaming\mmgfreeway.exe
12:16:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mmgfreeway C:\Users\user\AppData\Roaming\mmgfreeway.exe

Process:	C:\Users\user\Desktop\Bill of Lading.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005568
Entropy (8bit):	7.9110415312687135
Encrypted:	false
SSDEEP:	24576:mXiaSQJiANN86lhiQPcI1vAU73siET8sBm:mSaSQNbc8cIGUHETVBm
MD5:	4A66F7ADEEE42701433453D52EEF4FE3
SHA1:	DCCF14F7BA680630193BA6AFAEE8010DB77C5FC3
SHA-256:	D5B1BFD640980218EF11F409FA2B966C84C402E93EB47C3BCE412096BEC5284F
SHA-512:	5E13D6879EB1CE9773213CC25E37849FC0212FDF490BEF1CE72EBAAB1CDDA4D8F5E7CE197DC89373D2994B6E173C6D77D46627A0E6622E9731BAEDE8253CFD9C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 73%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................N...........l... ........@.. ....................................`.................................Hl..S.................................................................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......\3...8..........t....................................................@.......A.......A......@.......A......@......@.......A.......A......@......@.......A......@.......A.......A......@....0.1A..3...@2.6....@7...5.4A..<....@=...?.>A....:.;A..9....@8.(...@)...+.*A....../A..-...@,...$.%A..'...@&."...@#...!. A....`.aA..c....@b.f....@g...e.dA..l....@m...o.nA....j.kA..i....@h.x....@y...{.zA....~..A..}....@\|...t.uA..w....@v.r....@s...q.pA..P....@Q...S.RA....V.WA.

C:\Users\user\AppData\Roaming\mmgfreeway.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Bill of Lading.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9110415312687135
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Bill of Lading.exe
File size:	1'005'568 bytes
MD5:	4a66f7adeee42701433453d52eef4fe3
SHA1:	dccf14f7ba680630193ba6afaee8010db77c5fc3
SHA256:	d5b1bfd640980218ef11f409fa2b966c84c402e93eb47c3bce412096bec5284f
SHA512:	5e13d6879eb1ce9773213cc25e37849fc0212fdf490bef1ce72ebaab1cdda4d8f5e7ce197dc89373d2994b6e173c6d77d46627a0e6622e9731baede8253cfd9c
SSDEEP:	24576:mXiaSQJiANN86lhiQPcI1vAU73siET8sBm:mSaSQNbc8cIGUHETVBm
TLSH:	FD25125893F84A1BEBFF3F78F8F400104B71FA62A876E75D410450EE9953B90A8607B6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................N...........l... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4f6c9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CD1498 [Mon Aug 26 23:49:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf6c48	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf8000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf4ca4	0xf4e00	76f151089946dff2ebe6f9bd2430a128	False	0.9324192827973455	data	7.916001790909424	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf8000	0x5b6	0x600	101a06026b0d671d0b1f091b1b9d2d2c	False	0.4166666666666667	data	4.111643608414945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfa000	0xc	0x200	7595f860861717f5b0998c76bfb079ae	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xf80a0	0x32c	data			0.41748768472906406
RT_MANIFEST	0xf83cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	06:15:54
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Bill of Lading.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bill of Lading.exe"
Imagebase:	0x110000
File size:	1'005'568 bytes
MD5 hash:	4A66F7ADEEE42701433453D52EEF4FE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1448146740.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:15:55
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x80000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:15:59
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 912
Imagebase:	0x7d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	97.2%
Signature Coverage:	4.3%
Total number of Nodes:	211
Total number of Limit Nodes:	8

Executed Functions

Function 051FBA28 Relevance: 3.0, Strings: 2, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ny]Z, xrefs: 051FBE72
8, xrefs: 051FBB34

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: 8$ny]Z
API String ID: 0-1775822267
Opcode ID: 4f0861430a2c28c90184bfef855e57d8ba63a2390e27da436044223573b3a107
Instruction ID: abc289a0aa4c09ff1f0e8918c525a48f8a721a73bc5f7cd89ba43447a5c4f48a
Opcode Fuzzy Hash: 4f0861430a2c28c90184bfef855e57d8ba63a2390e27da436044223573b3a107
Instruction Fuzzy Hash: 4F42C375D01629CBDB64DF69C850BD9B7B2BF89300F1486EAD50DA7251EB30AE85CF80

Function 050D18E2 Relevance: 2.4, Strings: 1, Instructions: 1136COMMON

Download Yara Rule

Strings

4, xrefs: 050D22C5

Memory Dump Source

Source File: 00000000.00000002.1448067637.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 2a8bae37a00b0a059edcf3c12a55b3d6badbbefc173102e1cc3d0e6c8e698904
Instruction ID: 910b12129d9ae3399302355745af0602efd16c38249bccfede52810a28bea908
Opcode Fuzzy Hash: 2a8bae37a00b0a059edcf3c12a55b3d6badbbefc173102e1cc3d0e6c8e698904
Instruction Fuzzy Hash: 06B20734A00219DFDB54DFA4D894BADB7B6FF88301F158199E906AB3A5CB709D81CF60

Function 050D1C17 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 050D22C5

Memory Dump Source

Source File: 00000000.00000002.1448067637.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 76cd4b25fe1fd78138dc1a8f4a209712dc6598e792946771b71765199435ce87
Instruction ID: eb803e29f3412af15bcf65565d7399cb643edfa493795aff2337e6e78142425a
Opcode Fuzzy Hash: 76cd4b25fe1fd78138dc1a8f4a209712dc6598e792946771b71765199435ce87
Instruction Fuzzy Hash: 2D22F734A00219DFDB64DFA4D994BADB7B2FF48301F148199E909AB3A5DB709D81CF60

Function 051FE820 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 051FE8D5

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 2a0fc1f04f8eccc5662963e8eba6c72cb64bf9984fb1f5f06a8e5b42c5bba6b9
Instruction ID: 20830b685780943bdd1558e5d52a0dc610b3c46b2f0164ab5bba133a3a0ff748
Opcode Fuzzy Hash: 2a0fc1f04f8eccc5662963e8eba6c72cb64bf9984fb1f5f06a8e5b42c5bba6b9
Instruction Fuzzy Hash: 974197B8D002589FCF10CFAAD980ADEFBB5BB49310F10942AE915B7210D775A905CF64

Function 051FE81A Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 051FE8D5

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 11c6a8cf2101b1f8e63e849bb7d481af1b70612e2ff5218c281b98c14c0bc0bf
Instruction ID: 9219a0b8b6be7b9817a6c5ff6b9f15031524fcdf820278c92812179414c68bbc
Opcode Fuzzy Hash: 11c6a8cf2101b1f8e63e849bb7d481af1b70612e2ff5218c281b98c14c0bc0bf
Instruction Fuzzy Hash: BE4196B9D002589FCF10CFAAD980ADEFBB5BF49310F10A42AE919B7250D735A905CF64

Function 051FFD50 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 051FFDDE

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 258d2d705ceeccf8b416c4b6a38759b3380431888d578f6173e9405249193393
Instruction ID: 85a08b9a7396113e00af7624397d29ab660d262abc1b335b4357d5dd2cc26d86
Opcode Fuzzy Hash: 258d2d705ceeccf8b416c4b6a38759b3380431888d578f6173e9405249193393
Instruction Fuzzy Hash: 8331A9B8D012199FCB10CFAAD984A9EFBF5BB49310F20942AE915B7340C775A946CF94

Function 051FFD49 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 051FFDDE

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 19c759d014420c441e677f881c8990135f144f07013fb3d16c0accdeb1e9138e
Instruction ID: e41919c16e0508d1068c3d8bf948e73386dad87f5a74afe12bdcdbe1b6d656b4
Opcode Fuzzy Hash: 19c759d014420c441e677f881c8990135f144f07013fb3d16c0accdeb1e9138e
Instruction Fuzzy Hash: 4C31AAB9D012199FCB10CFA9D984A9EFBF1BF48310F20942AE915B7340D775A946CF94

Function 050E7AF8 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

?DG*, xrefs: 050E7B80

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: ?DG*
API String ID: 0-2585527011
Opcode ID: 22d14976c0e354ce3b4944aa0784483ec465a3cabf83a1915fe694cad850ff96
Instruction ID: 1600e2457f11b9080ea32f01d8e914fd25adfb949974332dc05d11e042c89c91
Opcode Fuzzy Hash: 22d14976c0e354ce3b4944aa0784483ec465a3cabf83a1915fe694cad850ff96
Instruction Fuzzy Hash: 95A1E670E05258CFEB64DFA9E484BADBBF6FB89305F20806AD409AB355DB745981CF00

Function 050E7AEA Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

?DG*, xrefs: 050E7B80

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: ?DG*
API String ID: 0-2585527011
Opcode ID: 2ddd9c6401d208ca606e56c3f355554579f02fec5b5905a0b276fcd2564b360a
Instruction ID: 42a24562124be23735dac2fc8f34080efe0a19590c8d194ad674a892566df395
Opcode Fuzzy Hash: 2ddd9c6401d208ca606e56c3f355554579f02fec5b5905a0b276fcd2564b360a
Instruction Fuzzy Hash: C3A1D474E05248CFEB64DFA9E884BADBBF6FB89305F20806AD409A7355DB745985CF00

Function 051FB9D0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

h, xrefs: 051FBB28

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 6269afa6faae25dca80a72dc14014bb3f01afe28725569061425a864f47ad8a0
Instruction ID: 339c6e17a4d82fb6449291c53426f95fd920c6bf8fba810f2d6ea2d23f35fe02
Opcode Fuzzy Hash: 6269afa6faae25dca80a72dc14014bb3f01afe28725569061425a864f47ad8a0
Instruction Fuzzy Hash: 0781F571D04628DBDB64DFAAC850BD9BBB2FF89310F14C2AAD50DA7251EB305A85CF50

Function 051FBA18 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

h, xrefs: 051FBB28

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 714a03f440b2e4ed60ce4860ef50691a70e5f851e3363e20caa7d6efd222ebc6
Instruction ID: b69fbbcbee15799b654ee1bd75604676a1d023e841ba1aa9b452c03bf4dfff2d
Opcode Fuzzy Hash: 714a03f440b2e4ed60ce4860ef50691a70e5f851e3363e20caa7d6efd222ebc6
Instruction Fuzzy Hash: F161D471D04629DBEB68DF6ACC40BD9B7B2BF89300F54C2AAD50DA7254EB305A85CF50

Function 00BD9D68 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a396d978e049d99a4dd9fbba7ec952b5c93d22a804418e2517d0d675f235ce
Instruction ID: 792ccc0d6884a2b0c28a2853bd4ee3b91b40ce2c85f40bca88e91f7697bbf1b5
Opcode Fuzzy Hash: 44a396d978e049d99a4dd9fbba7ec952b5c93d22a804418e2517d0d675f235ce
Instruction Fuzzy Hash: 86A2C575A00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB361DB319E81CF41

Function 051F79B0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5312d8a2e19f83840ac04d749da66852fc9ef47c73dc361717af2e81c9ff0a0
Instruction ID: 4e20f760ea2786b967e4516c9098f5f4151625bde60890a79cb301f25b9150c5
Opcode Fuzzy Hash: c5312d8a2e19f83840ac04d749da66852fc9ef47c73dc361717af2e81c9ff0a0
Instruction Fuzzy Hash: 05C15B74D05208CFEB28CF69D888BADBBF2FF89305F1584AAD509A7295DB745985CF00

Function 051F79A0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e59c152717ebd7e0e46f5c7c41a5dc7e7667ef343b265222b30da5ebe81c7b0
Instruction ID: 6593438ef9c818bee9316a3c5ae9439513770e82f7c59d51966608355bd734a0
Opcode Fuzzy Hash: 6e59c152717ebd7e0e46f5c7c41a5dc7e7667ef343b265222b30da5ebe81c7b0
Instruction Fuzzy Hash: 11C15CB4D05208CFEB28CF69D888BADBBF2FF85305F1584AAD109A7294D7744985CF00

Function 051F7D97 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375ec1a6d76e83260d0c2203a33dd8a244f5207ae9c83f06ad2c4491093ec7be
Instruction ID: 228159a9d29bd2a14cb63fd7a7bff03683033f7bb2f17ddbc8fc651e725f65b6
Opcode Fuzzy Hash: 375ec1a6d76e83260d0c2203a33dd8a244f5207ae9c83f06ad2c4491093ec7be
Instruction Fuzzy Hash: 4FA15B74D05208CFEB28CFA9D888BADBBF2FF49305F1584AAD109A7295D7745A84CF00

Function 051B2440 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fed8f262348f90393a4f1eb70358c6b4799a674ed15d627c4c154eeccb940b
Instruction ID: 65527b1bb73e2726564638ac3c4865af6c2d70898980d89d887915166fb86a46
Opcode Fuzzy Hash: 61fed8f262348f90393a4f1eb70358c6b4799a674ed15d627c4c154eeccb940b
Instruction Fuzzy Hash: 7C810378E05208CFEB28DFA9D444BEDB7F2BB4A305F1090A9D029A7655DB749D89CF00

Function 051B24F3 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac743192af444f501f8774571dc59f0bbb008942d10ad7821c12d4a598639f8d
Instruction ID: 5d01a6eca820bbf510c699d4942417c5d84c81d742fea13bed3a895659109c16
Opcode Fuzzy Hash: ac743192af444f501f8774571dc59f0bbb008942d10ad7821c12d4a598639f8d
Instruction Fuzzy Hash: ED81F478E05208CFEB28DFA9D454BEDB7F2BB4A305F1090A9D019A7655DB749989CF00

Function 051B26AB Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb987016d040a7bd92c6f06484462f91790447d918c325fbfbe76e93f689197
Instruction ID: 805a5a923c7245ee0f412de48a8afcd1502db5d305300426539bd9f95ecba740
Opcode Fuzzy Hash: 1eb987016d040a7bd92c6f06484462f91790447d918c325fbfbe76e93f689197
Instruction Fuzzy Hash: C971E578E05208CFEB24DFA9D458BEDB7F2FB4A305F1180A9D019A7655DB749989CF00

Function 051FCF88 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1cec51085a840524d76728f682f96e4c936b4928ceb96b19cbb49d810db4cc
Instruction ID: f120bc97eb0ce80f81c20d875493d53cb4b6e2b52195c5b4264218e4e337acef
Opcode Fuzzy Hash: 6a1cec51085a840524d76728f682f96e4c936b4928ceb96b19cbb49d810db4cc
Instruction Fuzzy Hash: D8512874E04208EFDB04DFA9D855AAEBBF2FF89301F10806AE519A7350DB349942CF91

Function 051FF0B5 Relevance: 1.8, APIs: 1, Instructions: 264
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 051FF327

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9269d096d426bf081d701d29a86537ee1f96fb177162540d5859c3ae20cbb593
Instruction ID: 5e7fcec440e53ad1e11f16fc25c269f85c989f8f3322edf745eae2b1838a60cb
Opcode Fuzzy Hash: 9269d096d426bf081d701d29a86537ee1f96fb177162540d5859c3ae20cbb593
Instruction Fuzzy Hash: 56A11375D0421DDFDB20CFA9C885BEEBBF1BB49300F149169E859A7280DBB48986CF45

Function 051FF0C0 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 051FF327

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 854eb214d22bf74e0d067b4918ae87295607a4a198218da19812d28c25b0a3ee
Instruction ID: 456848ef8f95f12686616105f9911da3ae941150d726c56648c6556928bbbbf2
Opcode Fuzzy Hash: 854eb214d22bf74e0d067b4918ae87295607a4a198218da19812d28c25b0a3ee
Instruction Fuzzy Hash: C9A10374D0421DDFDB20CFA9C845BEEBBF1BB49310F149169E859A7280DBB48986CF45

Function 051B0ED7 Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 051B105E

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: cd3260bb7e2842a2703f057cc784712ee308e9d334bb1c1d1f8aaf7320920a4f
Instruction ID: bd2f1b4f498c0ee9c0054bae9370d7e06a1fc9f7b25b93250cc9ef31680852c6
Opcode Fuzzy Hash: cd3260bb7e2842a2703f057cc784712ee308e9d334bb1c1d1f8aaf7320920a4f
Instruction Fuzzy Hash: CD5113B0D043989FDB11CFA9C894BDEBFB1BF0A300F14906AE855AB241D7749989CF55

Function 051B08BD Relevance: 1.7, APIs: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 051B0A0C

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d1f7c061a8572fb704481572e8799dda6eafe97b31aa3b0ac95c50361ff4b492
Instruction ID: 3850b75c19e5ff94ee0644e5d8458e5d02e35cab68ee2290fbb3d4bbd23b71b3
Opcode Fuzzy Hash: d1f7c061a8572fb704481572e8799dda6eafe97b31aa3b0ac95c50361ff4b492
Instruction Fuzzy Hash: 4051DFB4D04219DFEF10DFA9D988BDEBBB1BB49300F20952AE819B7240DB749945CF54

Function 051B08C8 Relevance: 1.7, APIs: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 051B0A0C

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a0f22617f61871b0c6714a6b69aa062c5358bb5ee65e7beef9f504965ec21ff
Instruction ID: ebc078d8bc3d3527d1623196b2a0a80242885fc6de806a07e96be4eb255035e4
Opcode Fuzzy Hash: 4a0f22617f61871b0c6714a6b69aa062c5358bb5ee65e7beef9f504965ec21ff
Instruction Fuzzy Hash: EE51BEB4D042199FEF20DFA9D888BDEBBB1BB49300F209529E819B7250DBB49945CF54

Function 051B0F28 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 051B105E

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 4f249c9c4571c818e5f15c2061d1568fd060088daf17fa6989505ac7e5485a98
Instruction ID: 6008710f682e2de763ef1c9c57a49544a703796f67520684048f7f3973235ee8
Opcode Fuzzy Hash: 4f249c9c4571c818e5f15c2061d1568fd060088daf17fa6989505ac7e5485a98
Instruction Fuzzy Hash: DC51CFB4D0434C9FEF10DFA9D895BEEBBB1BB49314F20902AE815A7240DB759985CF44

Function 051FFB38 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051FFC0B

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4704c5460810c1e8a001215545c135da0753396ee5bc3818453f3b02bb8df483
Instruction ID: 0b3c9abaed20db0bc365b5ec192188fc6907e2a36c24853e1fb3cfa20257f7c0
Opcode Fuzzy Hash: 4704c5460810c1e8a001215545c135da0753396ee5bc3818453f3b02bb8df483
Instruction Fuzzy Hash: 6841BAB4D012589FCF00CFA9D984ADEFBF1BB49310F24942AE819B7240D778AA45CF64

Function 051FFB30 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051FFC0B

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ade5b47088f2a5aa77d3948f5a4819fae8465693c1556fecf08e00b0c739da69
Instruction ID: f447fdc6db38f5e5b53fc492f50e0cdcee0ce301997d8fa9fea12bec5bda4d23
Opcode Fuzzy Hash: ade5b47088f2a5aa77d3948f5a4819fae8465693c1556fecf08e00b0c739da69
Instruction Fuzzy Hash: 9A41CAB5D012188FCF00CFA9D980ADEFBF1BB09310F24942AE818B7240D778AA06CF54

Function 051B1168 Relevance: 1.6, APIs: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 051B121A

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 43342764e4890d0ec58057d207aa33c350b3ef836376ddb2fca86516a67f05a2
Instruction ID: ad4b232f6c9196ebdf4da3134059feee7c441c679642dbdf723f8394189d9f5a
Opcode Fuzzy Hash: 43342764e4890d0ec58057d207aa33c350b3ef836376ddb2fca86516a67f05a2
Instruction Fuzzy Hash: 1431B7B8D002489FDF10CFA9D980AEEBBB1BF49310F20942AE815B7340D735A906CF58

Function 051FF9D8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051FFA82

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a1e2348d41a31e66ccef5ac0e44c6945d364ba3cfafe3209cda69f353cb2a09
Instruction ID: 05fd2f62fbfa5ea0f92ab4060d7d7418c0e4c0b45f2fecabf5e5e349513077c1
Opcode Fuzzy Hash: 1a1e2348d41a31e66ccef5ac0e44c6945d364ba3cfafe3209cda69f353cb2a09
Instruction Fuzzy Hash: 7C31A6B8D002589FCF10CFA9D880A9EFBB5BB49310F10942AE815B7250D775A906CF64

Function 051FF9D0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051FFA82

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b6a9b959c7159e3b9765ef5c04e97afa1190eb8584a487bfe84319740e545590
Instruction ID: f617701fa1d8391dca328f1a11de75498a0a1ac1053549510373d7437f4148eb
Opcode Fuzzy Hash: b6a9b959c7159e3b9765ef5c04e97afa1190eb8584a487bfe84319740e545590
Instruction Fuzzy Hash: C13196B8D002599FCF10CFA9D980AAEBBB1BB49310F10942AE915B7250D775A906CF64

Function 051B1170 Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 051B121A

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: cd6934a6a005cc5145b8a7b16346e8bf65021153e4bd649d6d143c1e3976d424
Instruction ID: 72740daa0a864c9836e9c1c9c09733d3fd49b91d6c30fdb3d91f6e7a2d60e072
Opcode Fuzzy Hash: cd6934a6a005cc5145b8a7b16346e8bf65021153e4bd649d6d143c1e3976d424
Instruction Fuzzy Hash: A53188B8D042589FDF10CFAAD980ADEFBB5BB49310F20942AE815B7350D775A905CF54

Function 050DF828 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 050DF8D4

Memory Dump Source

Source File: 00000000.00000002.1448067637.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_Bill of Lading.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5e4f6cabb54b306ed2d384175d7a32b49524373c9b9e09051a95755aead90918
Instruction ID: 90b0e949b42a68a671ab3d098278757586517635bb24e28e9d0b613a6c2daec7
Opcode Fuzzy Hash: 5e4f6cabb54b306ed2d384175d7a32b49524373c9b9e09051a95755aead90918
Instruction Fuzzy Hash: 7931C8B9D002599FCF10CFA9E980AEEFBB1BF48310F14942AE815B7250D739A945CF64

Function 050DF830 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 050DF8D4

Memory Dump Source

Source File: 00000000.00000002.1448067637.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_Bill of Lading.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a392b22b0985b99815178d007a29e2a281dd65e2fcb7514fefac6d616edbde3a
Instruction ID: a01f6428904aa4afeeed64f741890d3a4426ffb6d6e47c8170c288389c3fb2ec
Opcode Fuzzy Hash: a392b22b0985b99815178d007a29e2a281dd65e2fcb7514fefac6d616edbde3a
Instruction Fuzzy Hash: 5031B9B4D002599FCF10CFAAE880AEEFBB1BB49310F14942AE815B7250D775A945CF64

Function 052DDBC8 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 052DDC6C

Memory Dump Source

Source File: 00000000.00000002.1448902920.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Bill of Lading.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: db621d054437e4a2d0e4dbc1d9f94a7eab4f4870590e699409e374df13ec4fe3
Instruction ID: dcfa1dad655778d298d57e249ccb9df9270e434138717c58dfda6904c2d2c937
Opcode Fuzzy Hash: db621d054437e4a2d0e4dbc1d9f94a7eab4f4870590e699409e374df13ec4fe3
Instruction Fuzzy Hash: 7F31A7B9D012489FCF10CFA9D880A9EFBF5BF49310F20942AE815B7210D775A945CF64

Function 051FF470 Relevance: 1.6, APIs: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 051FF527

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f62b7bf3d932010078c437c38bb515a17360e34c01ed8754a6e77ee27f310637
Instruction ID: 43bb3839a618a421bbb12ce3466e2cefc5467042d88f4cc2808d196675d948c8
Opcode Fuzzy Hash: f62b7bf3d932010078c437c38bb515a17360e34c01ed8754a6e77ee27f310637
Instruction Fuzzy Hash: 5641DDB4D002589FDB14CFAAD884AEEFBF1BF49310F24802AE415B7250D778A945CF54

Function 051FF478 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 051FF527

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e3b561dbd8048c2dbd80665fe31940c51fd2288aaa19da72c3135e3e6ac44634
Instruction ID: 1c71ffaa62c1ce90e86b3e1c82702e3619b5cd35f87fd269009d2bed15be41ac
Opcode Fuzzy Hash: e3b561dbd8048c2dbd80665fe31940c51fd2288aaa19da72c3135e3e6ac44634
Instruction Fuzzy Hash: 5231CAB4D012589FDB14DFAAD884AEEFBF1BF49310F24802AE419B7250D778A949CF54

Function 051FEC99 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051FED1E

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1813dec1e43aaf95d55bed3c096342407aebddc185e9c46ca4609449c4c53226
Instruction ID: 4bcec0a7fab2d80b202b0e094a7f4b0c3c8f8188c84d7e4cf24064076cbe9463
Opcode Fuzzy Hash: 1813dec1e43aaf95d55bed3c096342407aebddc185e9c46ca4609449c4c53226
Instruction Fuzzy Hash: C031EBB8D012189FDB14CFA9D984AEEFBB5BF48310F14942AE415B7350C738A905CF54

Function 051FECA0 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051FED1E

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67820b828acfebf67a937f38f6b4d80f141f7c74ded6ace9d26e3d32d6e7a08b
Instruction ID: ea17590ba39acc0f64332ab5235110092964b23f899f394c8ea0fefc6da1f805
Opcode Fuzzy Hash: 67820b828acfebf67a937f38f6b4d80f141f7c74ded6ace9d26e3d32d6e7a08b
Instruction Fuzzy Hash: CF31EBB4C012189FCB14CFAAD884AEEFBB5AB48310F14842AE815B3350C738A901CF64

Function 052DED90 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 052DEE2F

Memory Dump Source

Source File: 00000000.00000002.1448902920.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Bill of Lading.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 71833a2f1b3950137fb5a66544415c6d810adf391d33bb9b8f93daacc821e074
Instruction ID: 13121d70c7c5205e3cdc1e8ee49c074d72f702cadd51eeae19f7fed862f7509e
Opcode Fuzzy Hash: 71833a2f1b3950137fb5a66544415c6d810adf391d33bb9b8f93daacc821e074
Instruction Fuzzy Hash: 6E31A8B8D012489FDF14CFA9D880A9EFBB5BF49320F14942AE815BB210D775A945CF64

Function 050E19D8 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

<, xrefs: 050E1F01

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 5493b8e58dc1a274f5f5b25dd3c0395bdcf649912297a43c35d6306a166006c7
Instruction ID: 03449f6e78cc9d0854c9a6217255f4fbe661e0d2320bf02692263cc67fa63861
Opcode Fuzzy Hash: 5493b8e58dc1a274f5f5b25dd3c0395bdcf649912297a43c35d6306a166006c7
Instruction Fuzzy Hash: 54116678D04228CFEB60DF68D899BEDBBB2BB08314F2011E9E409A7250C7759E81CF54

Function 050E272A Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

b, xrefs: 050E2782

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: c80aaab13c346e00fdd1de6dd58afe1f5188b09ae85d89ca315ef47194dd22d0
Instruction ID: 29f4b49de29592ca01914f27ee55e6fa0899e394854a7960fda70657aa0f24d7
Opcode Fuzzy Hash: c80aaab13c346e00fdd1de6dd58afe1f5188b09ae85d89ca315ef47194dd22d0
Instruction Fuzzy Hash: 8FF0627494122A8FCB64DF64C898BEDBBB6FF49340F1041EAE419A7261DB305E80CF00

Function 05080D98 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447918114.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5080000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3596c876766b1e2bcf447b1e3750f501acc2f839925ed1258716db10f89b1d86
Instruction ID: 5f6960a27365c8c8f07ac8b7f12b512a2e78043ef706317d385f5590cfeb87e8
Opcode Fuzzy Hash: 3596c876766b1e2bcf447b1e3750f501acc2f839925ed1258716db10f89b1d86
Instruction Fuzzy Hash: AC429174E04219CBDB54EFE4E458ABEBBB2FF88311F108029DA96A7250CB745D46CF61

Function 050818C0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447918114.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5080000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a5660a053b8882e70cf6daa068f1f421727d8b0f7b9d8488f732da7a71b078
Instruction ID: b783251c58f9eed0639291f8ad8b95b0c75780492e363d93032d45bbe8d3e04d
Opcode Fuzzy Hash: d3a5660a053b8882e70cf6daa068f1f421727d8b0f7b9d8488f732da7a71b078
Instruction Fuzzy Hash: 22F19034E05208EFCB58EFA5E498ABCBBB2FF49311F20456AE456A7350DB355986CF00

Function 00BD0870 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b69cf6c81a437747794efd71e5ee99746e6722532bd0fc6d8fb9d9cdf73f190
Instruction ID: d68a04104e2d42b7dce5ce99ab5779b45d74a0e5a7061126d22d969df1f598f8
Opcode Fuzzy Hash: 8b69cf6c81a437747794efd71e5ee99746e6722532bd0fc6d8fb9d9cdf73f190
Instruction Fuzzy Hash: 78519130B105159FCB44EB6DD854B6DBBF2FF88700F158499E406EB3A1DB359C418B95

Function 050E7428 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987496a47fc22dc0a6365a5504e4720dc32c37fdb4092c79f1dc350552d2587a
Instruction ID: ab63259b9d70b3a964164a7712780c4e78ae0991c9f11e7563b8195577ba132f
Opcode Fuzzy Hash: 987496a47fc22dc0a6365a5504e4720dc32c37fdb4092c79f1dc350552d2587a
Instruction Fuzzy Hash: 4061B2B4D05249DFDB48DFA9E488AEEBBF2FF88301F20802AD815A7250D7745945CF50

Function 050E7418 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8703a52058aeaa09054d02b8f3b3017d9004c0d1f359ebfcb88216bfcd30a7f
Instruction ID: b57b2144d8147d1ffc62ae421f0f3f322acb9e39a3c077610fc3658bee100224
Opcode Fuzzy Hash: d8703a52058aeaa09054d02b8f3b3017d9004c0d1f359ebfcb88216bfcd30a7f
Instruction Fuzzy Hash: F361E3B4D05249DFDB48DFA9E4986EEBBF2FF88301F20806AE815A72A0D7745945CF50

Function 00BD56A8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe48fb26289fd647fd37c2158660e9513dc81a3ad278c7ee1fa57d7364fa35c
Instruction ID: 6438aa021cbfde4df2eb6fc5a7971db8cb6d50d2215ce5b327359d071a605598
Opcode Fuzzy Hash: 1fe48fb26289fd647fd37c2158660e9513dc81a3ad278c7ee1fa57d7364fa35c
Instruction Fuzzy Hash: AD41B0A1D0A784DFEB169B68C4A439DBFB1EF56305F6480EBC1418B392EA344D4A8716

Function 050E782A Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913736fd1b13ab9d07a4888adf1539e9ed3f466709c82c8728dd55383a8cb947
Instruction ID: 6f315569dc03887663689d70ffc7958fb0f013257db7c387fe81acb3a786872d
Opcode Fuzzy Hash: 913736fd1b13ab9d07a4888adf1539e9ed3f466709c82c8728dd55383a8cb947
Instruction Fuzzy Hash: 6551D574E01248DFDB58DFB6D494A9DBBB2FF89300F20816AD805AB360DB319942CF50

Function 00BDD6F0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e4f82bb4206445d8a0f0cdd437b051abdccc90e71062f5bf0cae3b3a49cf67
Instruction ID: 8122610023416f213d13b763b32d651c313cc1ac4689eef4a1ffeb3a33279c06
Opcode Fuzzy Hash: 57e4f82bb4206445d8a0f0cdd437b051abdccc90e71062f5bf0cae3b3a49cf67
Instruction Fuzzy Hash: B3519F74E01208DFDB48DFA5E588AADBBF5FF89301F2090AAE416A7361EB345945CF50

Function 050E7838 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59251b7d67fa31fe2ccd7bd54d31ae9e5cbb6756c6767312d704b83f9010106
Instruction ID: 671a9af595485333d280c5d409b270471f1ca36022e9f8925dfaebe7233e91e5
Opcode Fuzzy Hash: c59251b7d67fa31fe2ccd7bd54d31ae9e5cbb6756c6767312d704b83f9010106
Instruction Fuzzy Hash: CD51B2B4E01209DFDB58DFA9D594A9DBBB2FF89301F20912AD405AB360DB359941CF50

Function 050EEA98 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd410182192e17daf50567b4550d4e1889ad0f78963db5a1ebf1067ecc04587f
Instruction ID: b8b8414027cd539f7da88b64a4ffc540610417dabbe756e5fd7d2a212e4c0ec9
Opcode Fuzzy Hash: cd410182192e17daf50567b4550d4e1889ad0f78963db5a1ebf1067ecc04587f
Instruction Fuzzy Hash: 3A41F370D0921CDFDB14CFA9E845BEEBBFABB89301F24806AE409A7250D7745944CF51

Function 0556FBA8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b31e85f261735c7bd739e7c4f8170e510f8c6f94e8c7d67040073a1de197551
Instruction ID: 4a4dca9c892f23a533ee3564f6ceb82ff49fc1ecc05111af54d7bad0edeaf82b
Opcode Fuzzy Hash: 0b31e85f261735c7bd739e7c4f8170e510f8c6f94e8c7d67040073a1de197551
Instruction Fuzzy Hash: 3A21B4367042516FEB08AB69E854AAE7BA7FFC9320F148039F909D7364DE759C1187A0

Function 050EFC18 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753dacb963949f706f7f78e6cccef0c9fb723e1a5b2830c763fc97021c5ec792
Instruction ID: fb0c7edfe8b6f052e88927714afdd08d2c64f52dc3dc6d2046bdb456f0e1038a
Opcode Fuzzy Hash: 753dacb963949f706f7f78e6cccef0c9fb723e1a5b2830c763fc97021c5ec792
Instruction Fuzzy Hash: 9F31EF74E14209DFEB04DFAAE484AAEBBF2FB88305F20C066D919B7254D73859458F54

Function 008ED32C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437592809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bcf953e736f07b5f8071515fcfcf9652befc8c0db1b4a068ed17794618e808
Instruction ID: edf24f5af19584057282fb3cb9ff36c80b97ff5bc15cc1ee4ce271b48319e17c
Opcode Fuzzy Hash: 92bcf953e736f07b5f8071515fcfcf9652befc8c0db1b4a068ed17794618e808
Instruction Fuzzy Hash: 6F2106B2504384DFDB05DF11D9C4B16BB65FB89314F24C569ED054B386C336D81ACB62

Function 05080D7C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447918114.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5080000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4564a0860bdd098ff259d84bbe817343fb971e270b5d5f0ec4c330c295c77831
Instruction ID: 474f7560515aac402038565dcb8e7530726df7b4f808518fe0f854f3c7ed8004
Opcode Fuzzy Hash: 4564a0860bdd098ff259d84bbe817343fb971e270b5d5f0ec4c330c295c77831
Instruction Fuzzy Hash: FB312875E04349CFDB18EFA9E418ABEBBB2FF45311F00806AD152A7251CB345A4ACF91

Function 008ED508 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437592809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5412da9568fe0818d1b4d187bd42a6382f9a314a46adbe784a9e7618acc4f27
Instruction ID: 27ba0792cdb89bf96591515a5af524b74c23c2ada5016f29b6aacecfff6e0a18
Opcode Fuzzy Hash: e5412da9568fe0818d1b4d187bd42a6382f9a314a46adbe784a9e7618acc4f27
Instruction Fuzzy Hash: C0213A71504384DFDB05DF14D9C4B26BF65FB99318F24C56DD8098B246C336D85AC7A1

Function 00BD9BB8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9e05d6de0b05c848d048bac5c468281fced738f3cb7981dc729d9b99c0f63e
Instruction ID: e457fcc5aad17020c901c312d3ff873fa2df9bd1fb79d69ef38f6fdfbc7531e6
Opcode Fuzzy Hash: 0e9e05d6de0b05c848d048bac5c468281fced738f3cb7981dc729d9b99c0f63e
Instruction Fuzzy Hash: E8212874E04209CBDB04DFAAD8447EEFBF5FB89300F1484AAD519B3384EB755A458B61

Function 00BD0861 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a82ab08bccab88586bca4812fa24e91920cd39dfc1bf1af3e99d74b9c14568
Instruction ID: 64bff6469459dd5e3d727d9e459ccad5209b8d7c57c59adf477bfcb81f79ed8c
Opcode Fuzzy Hash: c6a82ab08bccab88586bca4812fa24e91920cd39dfc1bf1af3e99d74b9c14568
Instruction Fuzzy Hash: AB212835A00519CFDB54EBA8C854B6DBBF2FF88300F1584A9E905EB366EB349C41CB91

Function 008FD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437624867.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8fd000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46527fd3bc35eeb835cd7dac3807d6e8debecfa18fbd59a8065037890402b6e5
Instruction ID: c55fbf82e130d27443381f554580d3e4ba6167643149057109d0a6c79d26ad11
Opcode Fuzzy Hash: 46527fd3bc35eeb835cd7dac3807d6e8debecfa18fbd59a8065037890402b6e5
Instruction Fuzzy Hash: 52210376104748DFDB10DF24D984B26BB66FBC4724F20C569EB098B242C736D806CBA2

Function 00BDF3E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31ca9c91888d0fb14ce9dc95982ce82f9d6cf74435cf19f864fbfa167f1a007
Instruction ID: 761e613d747fca18e706ff33056668a2f9197e75e5f7ab0173253793e0437882
Opcode Fuzzy Hash: f31ca9c91888d0fb14ce9dc95982ce82f9d6cf74435cf19f864fbfa167f1a007
Instruction Fuzzy Hash: 6F2120B0D0821A8BDB04DFA9C9482FEFBF5EB88310F10957AC406A3340EB740A458FA1

Function 00BD5799 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340161ac4b04f3b00309c405bbee3ce4778f5e7826959dbaa6b9d0a83962e6af
Instruction ID: bcb31151e0cc624eea8d58cf71acc22514ab148d58c90f8316dbc69ac17b7fda
Opcode Fuzzy Hash: 340161ac4b04f3b00309c405bbee3ce4778f5e7826959dbaa6b9d0a83962e6af
Instruction Fuzzy Hash: 4A21D4B0D05609EFEB14EFA9D4887ADBBF1FB49305F2084ABD519E3254E7384E858B41

Function 050E7FA0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94221bbea8c544a4d804a2fa196d1a2f8e46dd3f30a0e89aa9d7498b3381d280
Instruction ID: 930a31d790ddcac552610fd2bb061c969d1580483457172ccfaa4a70eb6cd0a8
Opcode Fuzzy Hash: 94221bbea8c544a4d804a2fa196d1a2f8e46dd3f30a0e89aa9d7498b3381d280
Instruction Fuzzy Hash: 042127B4E04209DFDB54DFA9D4446AEBBF2FF48301F20C1A9D819A3240D7359982CFA0

Function 00BD57A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d512537a4b51fb90a30579d2405b535b2d0f285f79a994c56162717380f205d6
Instruction ID: 8eb6ba0be0694858976ebf179f9e67953005a6c56e269a619c66643ebd9f645d
Opcode Fuzzy Hash: d512537a4b51fb90a30579d2405b535b2d0f285f79a994c56162717380f205d6
Instruction Fuzzy Hash: 112107B0D05609DFDB14EFA9D4887ADBBF1FB49305F2084ABD419A3350E7384E848B12

Function 0556F038 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba2b878e777490760649975488538d1e61d9e24c1cfa376b41c97b12ac917e7
Instruction ID: 80c2a68fc35cc494fed4fd7126f1bd480d4ab8c7b44a5c42d91a2abfd69d5e34
Opcode Fuzzy Hash: fba2b878e777490760649975488538d1e61d9e24c1cfa376b41c97b12ac917e7
Instruction Fuzzy Hash: A62190306003055FEB04EB69D94576EBBFAFBC9705F008539D00AD7645DFB5AD058BA1

Function 00BDAFA0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2461bc03d327a636fc7b1e5d13911877c2a5ed3ae68660e9b3312838e725b8e
Instruction ID: 70b24ef8371d49db4ee270baa415f2f7ca2a581a2ac04cd6e09794b54d0a3c6f
Opcode Fuzzy Hash: b2461bc03d327a636fc7b1e5d13911877c2a5ed3ae68660e9b3312838e725b8e
Instruction Fuzzy Hash: 8911E4B5D04209CBCB04CF99D844AEEFBF5FB88311F1090AAD519B3310EB385A45DBA1

Function 008ED327 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437592809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1a99fa3094d31d6b273ac7c7f03b519f34febd85b0dbf2f78a0125c4c0676e
Instruction ID: 95b36bc2e58776cfb54e9d9cc90c9e0e338b50f5e0f71c057e8e5c9a38d2ece2
Opcode Fuzzy Hash: ac1a99fa3094d31d6b273ac7c7f03b519f34febd85b0dbf2f78a0125c4c0676e
Instruction Fuzzy Hash: 47219D76504280DFCB06CF10D9C4B16BF62FB85324F24C6A9DC494B696C33AD81ACBA2

Function 008ED503 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437592809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 78f9e5c30b25343508a0672c2bfbbf2450a73161f7bc5cb9ec8ed25726249af9
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 4411BE76504284DFCB16CF10D9C4B16BF72FB95328F2486A9DC094B256C33AD85ACBA2

Function 008FD017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437624867.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8fd000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719b54ee29577d71d4f849c8324c76986223a2495e6055c088822038e13ee709
Instruction ID: 7159ddfc9cff6f901f1621aea8db6cbb5fb5e01e9097e8206def220056adea55
Opcode Fuzzy Hash: 719b54ee29577d71d4f849c8324c76986223a2495e6055c088822038e13ee709
Instruction Fuzzy Hash: FA11D376504684CFCB11CF14D5C4B26BF72FB84324F24C6A9DE094B656C33AD81ACBA2

Function 050EB590 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be69539c110f34edd1d162cbc553eb94a1073930651cb9dd0ceb51dff7984f9
Instruction ID: e20325a01c2865d6631b222bac554c84eef250626f2ead3507dfe9312b8199e6
Opcode Fuzzy Hash: 0be69539c110f34edd1d162cbc553eb94a1073930651cb9dd0ceb51dff7984f9
Instruction Fuzzy Hash: E5216274A012688FDB64DF29D894BADBBF1FF48301F1441EAD509A7250DB349E85CF51

Function 0556E278 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6313a8da305c5c4f4783f6211129a4fd4ab26748ed39587b04d1fd125f30e35
Instruction ID: 4a159095072c7b9e35b98ef2a1b36dc1b458ce6580319086b5fde432ee30f0ab
Opcode Fuzzy Hash: d6313a8da305c5c4f4783f6211129a4fd4ab26748ed39587b04d1fd125f30e35
Instruction Fuzzy Hash: B211E5B4E002099FDB44DFA9C8457AFFBF5FF88300F50856A9418A7350EB305A019B91

Function 050EA760 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce66a7aa2822a482ef2eb7071d9b7910294d5be9cbdc38411dcd2f41f82aafe
Instruction ID: 65c0e4a50b7bf2e6478eda8fc1ca7f4ae8af15be27954a30dc4587b2de58109b
Opcode Fuzzy Hash: dce66a7aa2822a482ef2eb7071d9b7910294d5be9cbdc38411dcd2f41f82aafe
Instruction Fuzzy Hash: 5F215F74A012688FDB68DF29D894BEDBBB1FF48301F1440EAD509A7260DB349E81CF51

Function 050EEEB8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb5d9c08fc7196d65415dfd6cdd0080538e40e045fe42268c2dab3d6416c1c2
Instruction ID: 85b898e40744e3b9fecbc686cbf592f0d1d70648b41880597bb5a428e9548d35
Opcode Fuzzy Hash: 2eb5d9c08fc7196d65415dfd6cdd0080538e40e045fe42268c2dab3d6416c1c2
Instruction Fuzzy Hash: A2115B7090425CDFDB14DF69E8457ADB7BAFB8A300F2080A5E509A7351DB745E88CF51

Function 050E7F91 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a15abcadd856946455c1dbf2d0b81ab295a1f64e99df6101eef950c5a99d882
Instruction ID: 6e8acc29a7dc10795eb41819546779bf9632e7664849932bddd293721163dbeb
Opcode Fuzzy Hash: 8a15abcadd856946455c1dbf2d0b81ab295a1f64e99df6101eef950c5a99d882
Instruction Fuzzy Hash: 8A0117B0E092499FDB54DFBAD8416AEBBF5EB49304F2481A9C408A3211E7305542CB91

Function 050E7A78 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ee12fa725f3bdd2ea00f5b75385144cf4d6d7e1ce4b70d520b0833f71152c0
Instruction ID: e90ba0199e1c3233f39ce04fe997bed85da4d64105e5cfee22fb48b84e3f6973
Opcode Fuzzy Hash: e5ee12fa725f3bdd2ea00f5b75385144cf4d6d7e1ce4b70d520b0833f71152c0
Instruction Fuzzy Hash: 2601E8B0D05248DFCB54DFA8D8456AEBBF4FB49305F2445AAD809E3250E7315B41CB61

Function 0556F4E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13d139f6ac51db3cd081049487dafe390b33a30ed9c32d2e3782feab4b5885a
Instruction ID: 67d6ce0b6c2c8a237c73ef5fbce7097238688d62afa61f7a47e393e1a002e96d
Opcode Fuzzy Hash: c13d139f6ac51db3cd081049487dafe390b33a30ed9c32d2e3782feab4b5885a
Instruction Fuzzy Hash: 10F0E931F093115FE7158A14A854B2BF7A9FFCD720F14446AD5099B344DB76EC8187D0

Function 050E153B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cd6e6603c5f5c268332cc0c7de488d504914a8cc6c859c964e487a9dab086d
Instruction ID: a2994e08bb10c58de4b54b975187bedb88410848ad488e326bf6bda8e96c376c
Opcode Fuzzy Hash: 57cd6e6603c5f5c268332cc0c7de488d504914a8cc6c859c964e487a9dab086d
Instruction Fuzzy Hash: B301EE74D0521CCFDB64CFA4E888BECBBB2BB08311F2450A9D009B2280CB740AC5CF66

Function 050E01D2 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c98c90b8e8efde45bcdef81c062d9b45233b3f5dc062e81b1f2d8f8bd38cb8
Instruction ID: 9a2e1c235d1d75a65e8e39d11e1448b67b97ae8f40f3f1da5e0d22a5ed2e3c23
Opcode Fuzzy Hash: d3c98c90b8e8efde45bcdef81c062d9b45233b3f5dc062e81b1f2d8f8bd38cb8
Instruction Fuzzy Hash: DFF03C70E08118CFD714DFA9E8586EDB7FAFB8D300F2091A9911AAB355DB749845CF00

Function 050E38A2 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603003c40a5bbebaac632f4f8520b986ab3da5c122effd4e7d83f2454f494bb3
Instruction ID: b8d60dca10fe2d70dbbafc35950067e31bf47ba8be808869e206af37fb42423a
Opcode Fuzzy Hash: 603003c40a5bbebaac632f4f8520b986ab3da5c122effd4e7d83f2454f494bb3
Instruction Fuzzy Hash: C3F03A75D04248EFCB90DFA8D850BADBFF4AB49300F14C0AAE868D3351D2359A12DF50

Function 0555588B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b937d22efb4d9c5abc845869a05f8e26d74b7178bab3fbc66a7e5444a7fd99d9
Instruction ID: dd5802873aa258c778f6141bf6010cdb71f844657a66484f3f09611b17e465b2
Opcode Fuzzy Hash: b937d22efb4d9c5abc845869a05f8e26d74b7178bab3fbc66a7e5444a7fd99d9
Instruction Fuzzy Hash: 0E01C474A002288FDB25DF28C948AD9B7F2FB88300F0080E6D909E7344DB355E958F54

Function 050E72FD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c0e9439e093341d2ae6ef86c8da856c389b11562c315e10c4d6869ccf4d286
Instruction ID: bacb1a3ad2c843d30b0a6eb8af995d876b0bbc4a398c4e384d924c8de868eb03
Opcode Fuzzy Hash: 87c0e9439e093341d2ae6ef86c8da856c389b11562c315e10c4d6869ccf4d286
Instruction Fuzzy Hash: A6019274904358DFDB54DFA4F488B9DB7B2FB14305F209099E419A7291CB755984CF00

Function 00BD0B67 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fdd5b89ca6643f3fb48c6d63947b0702efa657cc96bb4f61de5ca4bfd5ad2f
Instruction ID: 1d5d217d2d69438e2a6bd50b1c4d32bb35040de33ecf80cd997b660ac188c2bb
Opcode Fuzzy Hash: 23fdd5b89ca6643f3fb48c6d63947b0702efa657cc96bb4f61de5ca4bfd5ad2f
Instruction Fuzzy Hash: 23F089342087848FD326E775E460A697FB1EF8920271444AAD155C72A6DA289D098B92

Function 0555603C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f59eb0eebb8ce606dc9f282ee0ad85c363e4c6ed1672a1d75d8bc22553ca430
Instruction ID: 5fe3f096aa758d0c8e07889d50150497d77c26c888715cea523d32922466b68e
Opcode Fuzzy Hash: 8f59eb0eebb8ce606dc9f282ee0ad85c363e4c6ed1672a1d75d8bc22553ca430
Instruction Fuzzy Hash: 12F01974B0021CCFC764DF28C858A9AB7B1FB49311F1085D6A529E7784DB389E88CF92

Function 050E38B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f90a0e0535d82a242333857d875985572b9e908d174481066195ba4b02dd8c7
Instruction ID: a8a46cc0b2a1dee8aac45b109627f31924724bc9a3421a33fce57d6a6ce9b712
Opcode Fuzzy Hash: 0f90a0e0535d82a242333857d875985572b9e908d174481066195ba4b02dd8c7
Instruction Fuzzy Hash: E6F01C74D04248EFCB94DFA9D940AADBFF8EB49300F14C4AAAC58D3341D6359A11DF51

Function 050E34D0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140bc7371d165d061c5ea9cd569e69ea8b1b6ee7c0332670a9011ace994752cf
Instruction ID: 9ba422bb0cfc22ee8c34b7348311f7fd46903257eec0567951ea838489d9c0f9
Opcode Fuzzy Hash: 140bc7371d165d061c5ea9cd569e69ea8b1b6ee7c0332670a9011ace994752cf
Instruction Fuzzy Hash: 06F01571E08248AFCB95DFA8E4016EDBFF5EB4A300F1088AAD84493311D6355A92EF81

Function 050E7F41 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b057073e0bb28f69632656bdcc33bea1a65dc6ef0b4c519d05469e45895895af
Instruction ID: f0bbffa8e05ebf2ddc8d70d4a34b0f31e638ecd28cd792bafa567037b97cb6cd
Opcode Fuzzy Hash: b057073e0bb28f69632656bdcc33bea1a65dc6ef0b4c519d05469e45895895af
Instruction Fuzzy Hash: BAF01C74E14248EFC744DFA8E444B9DBBF4FB49300F1080AAD84897321D6349A01CF81

Function 050E70CE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76c41ead7a11fc670086ae3526dc30edad60959728456ea7f5d045054fa2a09
Instruction ID: b85766b4696b4846f345c3a4fe99f25f2f4f0a95b47b5983b66b356bd1603910
Opcode Fuzzy Hash: e76c41ead7a11fc670086ae3526dc30edad60959728456ea7f5d045054fa2a09
Instruction Fuzzy Hash: 54F0AF74D00248DFEB58DFA6F084BADB7F2FB58301F20C06AE019A7255DB3658968F00

Function 050E7701 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a04e4d13a2c845e114e952185a4a479cabd28bbdd82a4907acfb6d28491494
Instruction ID: 6cb170cc1d6f0e02d093b84251609d30aed984307d0acba82fcf2e7df6659caa
Opcode Fuzzy Hash: f8a04e4d13a2c845e114e952185a4a479cabd28bbdd82a4907acfb6d28491494
Instruction Fuzzy Hash: 85F09278D14248EFC780EFB8D9547AC7BF4EF0A361F2042E4E959933A1D6309940CB51

Function 050EA600 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0702390ff82fa24f5d33d7f2a63b457685b2361cd6ecf1b02310df507be0ba21
Instruction ID: e22dc1a4e6e0179c5c7abd12cfeeb504b13c99aa4d373a77cf7d2880edbef84d
Opcode Fuzzy Hash: 0702390ff82fa24f5d33d7f2a63b457685b2361cd6ecf1b02310df507be0ba21
Instruction Fuzzy Hash: DAF0AF70804668CFDB64DF24EC9879DB7B1BB44306F1045DAD109A7280D7745E84CF15

Function 050E1258 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73c559d9c06f5dd1c217d94f698a0b4940fe499edd4e88752a22deee96c7a12
Instruction ID: e41461f8bf613f8007b3bd6c8703e47314222382f3d21bfed9a9413ca96aba11
Opcode Fuzzy Hash: f73c559d9c06f5dd1c217d94f698a0b4940fe499edd4e88752a22deee96c7a12
Instruction Fuzzy Hash: 92E03974808208AFC748DBA4E941AACBBB5FB46300F2481AED80593221D7315A62DB84

Function 050E8AA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee4fc6ea8f900e7e00ccce141775f6f0dcd2593bfef5ec3165aeea055579f13
Instruction ID: 101f876d61a6463558cf35a68c3ef439f9e9816ee033eb3beefc10058b6d8752
Opcode Fuzzy Hash: 8ee4fc6ea8f900e7e00ccce141775f6f0dcd2593bfef5ec3165aeea055579f13
Instruction Fuzzy Hash: C8F0F4B4910228CFEB64DF24EC587AE7BB2FB88302F2081D5D409A7241C7788D828F11

Function 05550DE9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab0fd8baba2e46ca8ce65ee6dab171c5c9ed54eeb87934868d65158b514747e
Instruction ID: 0e0b00711c7c3e5b9aba374d41dec29191982618f9c66f830ec843cf3c897049
Opcode Fuzzy Hash: eab0fd8baba2e46ca8ce65ee6dab171c5c9ed54eeb87934868d65158b514747e
Instruction Fuzzy Hash: 18F05830904118CFE729DF68D92C7AD7376FB4530AF00449A950AA72A0CE781E88CFA2

Function 05569860 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effc5c7c47ca4eb9f1d66df846bdb9e27b934d8a9cca599aa38be4e9d2847c92
Instruction ID: 3f84a3dae0706ba572623442cfbfd52bbd047a9ad659cc88c4ffad78dafd1e85
Opcode Fuzzy Hash: effc5c7c47ca4eb9f1d66df846bdb9e27b934d8a9cca599aa38be4e9d2847c92
Instruction Fuzzy Hash: 70E0C274E04208EFCB94DFA9D940AADBBF5FB88300F10C1AA9819A3350D6359A52DF81

Function 05565408 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effc5c7c47ca4eb9f1d66df846bdb9e27b934d8a9cca599aa38be4e9d2847c92
Instruction ID: f975af882e222e751071471c605a211196e083bbd6fd90e62ca948ccf6a50457
Opcode Fuzzy Hash: effc5c7c47ca4eb9f1d66df846bdb9e27b934d8a9cca599aa38be4e9d2847c92
Instruction Fuzzy Hash: D2E0ED74D04208EFCB54DFA9D440AADFBF5FB48301F50C1AA9C0993350E6319A51DF81

Function 05555B3B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424d49b1667017c9aa91a6997a9ba41c857910ebbf163201d692e17296d87b1b
Instruction ID: 49454847047b3aa796ef741145afbc2714b71d27d7e1d204b4083844d39d430b
Opcode Fuzzy Hash: 424d49b1667017c9aa91a6997a9ba41c857910ebbf163201d692e17296d87b1b
Instruction Fuzzy Hash: 0CF05E34904119CBE769DF24C8597ADB372FB85305F008896911AA7290CE381E88CF51

Function 05568E80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08db895a968e0daf2f01c04568b87bcc2bb8895e9c8bc583729bff8d06e05fd
Instruction ID: e3f07f4b96b663c7c05c8fcaf173f2d7b824502b83e0ef805744c77bc11908b2
Opcode Fuzzy Hash: a08db895a968e0daf2f01c04568b87bcc2bb8895e9c8bc583729bff8d06e05fd
Instruction Fuzzy Hash: 09E0E574E04208EFCB94DFA9D9406ACBBF4FB88300F10C1AA9818A3340D7759E02CF81

Function 00BDF700 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388091622ab35baadd7a492b5a5b857e69b97d080ee81fd3c3b158d5e539d2c0
Instruction ID: 5070824fc159098f1a48af3da9eb02843cea6507c2caf04753a728ced36dbe96
Opcode Fuzzy Hash: 388091622ab35baadd7a492b5a5b857e69b97d080ee81fd3c3b158d5e539d2c0
Instruction Fuzzy Hash: 0BE0E574E08208EFCB94DFA8D4406ACFBF4EB48300F10C1EA981993350E6319E02DF41

Function 050EE9C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ea8d199b37c1b462244980164a31956fb499335aabc1d6c67f40809ce9759c
Instruction ID: f42394bcfa20cc6d2c882a6bdee0f0b52372b716d30467e119926dcb03f65d2c
Opcode Fuzzy Hash: 08ea8d199b37c1b462244980164a31956fb499335aabc1d6c67f40809ce9759c
Instruction Fuzzy Hash: FDE0E570D0520CEFCB94DFA8E4416ADBBF9EB48300F6081AAA804A2310D6355A51DF81

Function 050E34E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ea8d199b37c1b462244980164a31956fb499335aabc1d6c67f40809ce9759c
Instruction ID: b5222e534bff0a631e54233faea2286ccd2f159e37e7419b77c60965d2864f39
Opcode Fuzzy Hash: 08ea8d199b37c1b462244980164a31956fb499335aabc1d6c67f40809ce9759c
Instruction Fuzzy Hash: 5BE0E5B1E05208EFCB94DFA8D401AADBBF9EB48300F5085AA9804A3310D6356A91DF81

Function 0556EFF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947a437afa7a0d9f51c67f1284ff34e9fe75b07392aeb70ffee3b5739767226a
Instruction ID: f8fe7af3fce111094c29af42fe5e079c02b23f22857aab641d8d2ce2d9e33648
Opcode Fuzzy Hash: 947a437afa7a0d9f51c67f1284ff34e9fe75b07392aeb70ffee3b5739767226a
Instruction Fuzzy Hash: E5E08674D08248EBC704DFA4E84097DBBB9FF45310F10C1A9DC4957345D631AA52DF91

Function 050EE690 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7309ebea0c8fc73738b4f740962bbb10c939d8edbd5c850035b76882cec8b526
Instruction ID: 380dc2f9c7df2aec2000d759cb1394ccf1ee86cfaae655a17598b7ab8bb2d86c
Opcode Fuzzy Hash: 7309ebea0c8fc73738b4f740962bbb10c939d8edbd5c850035b76882cec8b526
Instruction Fuzzy Hash: 30E09A70D0520CEFCB94EFB9D4446ADB7F9FB45340F2081A99819A3350D6355A51DF81

Function 052B0948 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c097ab6211f2548401ac87bd21b8d64821cb9458934406f9a3bb033d667fe8
Instruction ID: e77958711fc22eadc2762164de2a99a9bcf2a8fd34351e6bddc7b77ddd4de650
Opcode Fuzzy Hash: a2c097ab6211f2548401ac87bd21b8d64821cb9458934406f9a3bb033d667fe8
Instruction Fuzzy Hash: 55E0C230A5E688EBE712DBB4D8097AA7B68EF42740F0045A9D90857292D7B19D50CB85

Function 052B05A1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4319ef2fa2e31239670083d770631ffefb9b8b95aa0fc867f8c9332bfe4a58bb
Instruction ID: a713dc0de793458a06c7cde5bf0794dc686897d199e10f5cf130a14fef90f686
Opcode Fuzzy Hash: 4319ef2fa2e31239670083d770631ffefb9b8b95aa0fc867f8c9332bfe4a58bb
Instruction Fuzzy Hash: CDE08CB4419148EBDB22DBB4E824BB9BBACEB06340F048699994903251C672AE02CB40

Function 052B0499 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15c433c2235f3f5e16429b6bd35f576929a774562149e16e36f81aa784ab046
Instruction ID: ab5db1be7eaad3cc83816497d21de2793f22aa65fec18dbd96f2602d3a8d7349
Opcode Fuzzy Hash: f15c433c2235f3f5e16429b6bd35f576929a774562149e16e36f81aa784ab046
Instruction Fuzzy Hash: 2BE08672405208FFD711EBF4C41469E7BF8EF45201F0044E6D54453250E9715A01D792

Function 055680D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1fec1b0d23ba654a91f7bf6ffa9b9daa7e1094e0b2b7e6f27e98fd53c864b7
Instruction ID: c13801851615e86644d062b590bcd7446d32906fe8784d7ba1448660bc1912b4
Opcode Fuzzy Hash: ba1fec1b0d23ba654a91f7bf6ffa9b9daa7e1094e0b2b7e6f27e98fd53c864b7
Instruction Fuzzy Hash: 29E01274D08288EBCB14DFA8D4416ACBBF8FB89310F10C5AA9C0853341CA32AA42DF85

Function 055533AA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27bd3c6a24d622cc113c2d44573fa0074a1bee5b55ed05af7bd2c4edefa1778
Instruction ID: aedb1fd70772e8651c5377a5b32ddaf2277278b39b9ceb4c5f0f07c7d71a32b8
Opcode Fuzzy Hash: d27bd3c6a24d622cc113c2d44573fa0074a1bee5b55ed05af7bd2c4edefa1778
Instruction Fuzzy Hash: 91F0A930A04108DFD329EF68C81D6AD37B2FB45306F04409A940EE7291CE390E888F62

Function 050EFB08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05203b1359eaf466b9b32ec901276791647890cd79708ba3ff54cd094f8c3a8
Instruction ID: 89cfed77a1995448cd39c5c4e84f3b44e50e06fe603414f6f6594901358c1a14
Opcode Fuzzy Hash: e05203b1359eaf466b9b32ec901276791647890cd79708ba3ff54cd094f8c3a8
Instruction Fuzzy Hash: 38E08C70D04208EFC780DFA8E850AACBBF8EB08204F2080A98C08D3361E7319E42CB41

Function 050E1268 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e4a77a8ee56b20a501372c97507db1123695248c7e2fa1676b7f0b335fe1fe
Instruction ID: 65925834d5edad95e3468865b4eee6e6e92c2e84a99b58ad92663c704089afcd
Opcode Fuzzy Hash: 58e4a77a8ee56b20a501372c97507db1123695248c7e2fa1676b7f0b335fe1fe
Instruction Fuzzy Hash: 7EE08674908208EFC744DFA4E94496DBBB9FB45300F20C1ADDC0453350C6315E62DB81

Function 0556D1E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf3855aeb7f3c50f6c094e19c45a63f97f7709bf5406880d028b341596a830d
Instruction ID: db735f1536be36602ccfbc353e454f1a0754a42adfee7d22281cd8c36173eb6a
Opcode Fuzzy Hash: bcf3855aeb7f3c50f6c094e19c45a63f97f7709bf5406880d028b341596a830d
Instruction Fuzzy Hash: 3CE01274A08248EBC714DFA8D94197DFBF9FB85304F1085A9DC0917351C6715E52DB81

Function 00BDF3A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4290d20376873383ecb1f53800fa8eda28f1058e5e3f4b74fe393fc62aefc2ae
Instruction ID: cfd0296cd1987dc1d701fc329da53e9e6d3faa80ef4f344460812bc77b04b943
Opcode Fuzzy Hash: 4290d20376873383ecb1f53800fa8eda28f1058e5e3f4b74fe393fc62aefc2ae
Instruction Fuzzy Hash: 37E0C234908208EBCB04DFA4D85197CFBF8EB45310F2081EACC0917340D7315E02DB85

Function 00BD0AEE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6186153a44d1e74339b2e162e2ec3122eb73fd83334a7e145cf6a5558759b1a6
Instruction ID: fd43ee9881602bb1aa61a2360470782d1fa90bc3729a1af46ca61a7a3cd0b194
Opcode Fuzzy Hash: 6186153a44d1e74339b2e162e2ec3122eb73fd83334a7e145cf6a5558759b1a6
Instruction Fuzzy Hash: E2E086B0C083488FCB40DFB8581416DBFF4BA05114F5205E6C409EB311F67589418B81

Function 00BD0B28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e6b78eb0ffe74dab9bdbce0708c9adc5ed093c6e2758b978f7f6534b498130
Instruction ID: c069cbcfb43c5f1274ddc4f68982211978d4c11cf571fae84d27cbf9ca408363
Opcode Fuzzy Hash: d9e6b78eb0ffe74dab9bdbce0708c9adc5ed093c6e2758b978f7f6534b498130
Instruction Fuzzy Hash: B5E0C2BA6006048FC304AB74E804B243FB6BF8D611BA180E4EC4DCF326EA35AC02CB51

Function 00BD9D18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fa57bb4fe2754be6afed65fd03fcfcca132dd1d02c0c8d029729eae089b9a9
Instruction ID: 1993fe60fb003156c10996e9f0d1594270fa12389e56e05b25fd3ca3a88d3584
Opcode Fuzzy Hash: f7fa57bb4fe2754be6afed65fd03fcfcca132dd1d02c0c8d029729eae089b9a9
Instruction Fuzzy Hash: 79E0EC7191020CEFD714EBB8D50865EB7E9EF45201F0045E69505A3250EA719E109BA2

Function 050EE710 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64efbdcfb892dd8011c8565c9a2ddea43e1ab0118f1e7f85ec011d9fcd2ae10b
Instruction ID: 07e20e4f03b920e2bcb9fc9f324d7b331ad3ecc9937909579b4089eb14682838
Opcode Fuzzy Hash: 64efbdcfb892dd8011c8565c9a2ddea43e1ab0118f1e7f85ec011d9fcd2ae10b
Instruction Fuzzy Hash: 11E012B0D1530CEFC754DFB8E6496ADBBF8EB09241F2041AADD49A3350E6305E50CB51

Function 052B04A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c17a0d78238170ba2d17d4c49920aeacd28460d4b1f01a44691daaf68739ad
Instruction ID: 0764c5d35993f629c7c57d2294d3cf7fa9cc1d2cfa64ae4d19f9b73711e6b940
Opcode Fuzzy Hash: 21c17a0d78238170ba2d17d4c49920aeacd28460d4b1f01a44691daaf68739ad
Instruction Fuzzy Hash: 29E0127291120CEBD711EBF4C40469EB7F9EF45201F1045E6D50593260FA719A10DB92

Function 050EAB5A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad503b3738a0c950739902599ec34137683be7bc6ce4cf22699a86ee29a30f9a
Instruction ID: 2a773eed5a2e02deeed3f384036fb7f55122d9591dcd4d1d825e501ff1c164fe
Opcode Fuzzy Hash: ad503b3738a0c950739902599ec34137683be7bc6ce4cf22699a86ee29a30f9a
Instruction Fuzzy Hash: 98F0FA74D102288FDB69CF24D965B99BBB6FB88201F1051EAD40DA3350EBB41F81CF10

Function 050E6EDA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b213ff5d3a118ecec04e6345a482330a433f82c0725082017f7df4fb568edfa7
Instruction ID: f91d1ad00e15f5be9e0389d589cf94bf463404725877f9873de3fa1ecbf01ead
Opcode Fuzzy Hash: b213ff5d3a118ecec04e6345a482330a433f82c0725082017f7df4fb568edfa7
Instruction Fuzzy Hash: 69F02B74E00268EFCB64DF64E985BADB7B1FF56300F60909AE549A7251CB315E848F02

Function 00BDD6B8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0844b8547f538dd33020a4286bc66cda61eab162b05e6b8d777c27ab4d8d6cd1
Instruction ID: de0c69d3dfd76d0ff5f926f8d834f177477b308f964b60242505dc461bd5186d
Opcode Fuzzy Hash: 0844b8547f538dd33020a4286bc66cda61eab162b05e6b8d777c27ab4d8d6cd1
Instruction Fuzzy Hash: E5D05E74509108EBC714DB99D840A69F7ECEB46304F1080DA980C47351EA729D02DF91

Function 052B05B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be701f98b5f7e939d112dff612dec13fd5be5b2ff2f7f4fe6f336708dae29867
Instruction ID: 90f5b05a46dd3433db5b6fc3ce5c6db7178a9b1da4d3c878dafdea75e9c44c7c
Opcode Fuzzy Hash: be701f98b5f7e939d112dff612dec13fd5be5b2ff2f7f4fe6f336708dae29867
Instruction Fuzzy Hash: FDD05E70519108EBD764DB94D804ABAB3ACFB46344F50809D980953351CAB2AE02CB41

Function 052B0958 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7121dc035ae9c281c570acc094c2ad29b34f935c01e981381ff7df4a4e42208b
Instruction ID: 4fb747c57ecf38806ae69874407585310c1f6ee3f3ecc36a0d98abac0c3e777f
Opcode Fuzzy Hash: 7121dc035ae9c281c570acc094c2ad29b34f935c01e981381ff7df4a4e42208b
Instruction Fuzzy Hash: 8CD0A770C1A208DBF315DBB4C4047AF736DEB42740F1000A9D40812250C7B15D00DB41

Function 00BD0B38 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e036c7cfd1d3eee41d3369b943d824ecc0a0cabcbf852e702c22aed70aec7d09
Instruction ID: 36ef2b3b47369a531465144b861727e1bdb457dff9f641c5c301125220a26b5f
Opcode Fuzzy Hash: e036c7cfd1d3eee41d3369b943d824ecc0a0cabcbf852e702c22aed70aec7d09
Instruction Fuzzy Hash: 23D0C9B93506048FD744AB74E844D297BAAFBCC612360C5A5ED0DCB329EA36EC12CB51

Function 050E1408 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe90d8b0e849bfca8f02fb8fad096fdcfed58bddd762a97bd5ea6769de8fda9
Instruction ID: dc7527b01f3127133e8f1c810df9a7005be3209f03e45f730b4300c65e7d17ac
Opcode Fuzzy Hash: 7fe90d8b0e849bfca8f02fb8fad096fdcfed58bddd762a97bd5ea6769de8fda9
Instruction Fuzzy Hash: 3DE0B674D04219CFCF21CFA4D884AEDBBB5FB08310F1010E9D409A3640C7345E82DE51

Function 050E6F23 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7d683520aae2c482a6e0b2dbe06370ac4421ffbd4a53886097bc69cfab1593
Instruction ID: 3f5f344aecae28c4bd5b1b5306a34d43954cc2495088e4e3c1c69343ff33ac61
Opcode Fuzzy Hash: 2a7d683520aae2c482a6e0b2dbe06370ac4421ffbd4a53886097bc69cfab1593
Instruction Fuzzy Hash: 29E04274D14158DFCB64CF64F895B9CB7B1FB25300F208096E40DA3351CA365E848F01

Function 00BD9B00 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8caa8551cba826a2c0979b79bc9bba1c87bccdd318d69f4764b73b8a355e17d3
Instruction ID: 80b1b12fd9336cabc6a04510fc8c354cc4cc6588dcfce9d3013c7685a9af946b
Opcode Fuzzy Hash: 8caa8551cba826a2c0979b79bc9bba1c87bccdd318d69f4764b73b8a355e17d3
Instruction Fuzzy Hash: 7BC08C30000B0487C32077A4FC1D72CB2A8EB01302F408073E90C122B06E786850CB76

Function 050E7146 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b5b7acd8aadffd498228cf2693691d74b91fb6980a80019ce8c242ba86c424
Instruction ID: 18c243bf03145477dc93945df276c43554873f471c6e28f566718a912513f297
Opcode Fuzzy Hash: f6b5b7acd8aadffd498228cf2693691d74b91fb6980a80019ce8c242ba86c424
Instruction Fuzzy Hash: 9FD06CB8904268DFDB64EF20E884B8DBBB2FB48301F10919AD459A3354CB345A948F01

Function 050E2141 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481b239cd5e036d2e41708c8c4e265e882e3e186009af399ca12af3b1ac8746f
Instruction ID: 174fb48e5bce783cd099703c812fe7b42c07c4391209d82c2bddeda38f29d7a7
Opcode Fuzzy Hash: 481b239cd5e036d2e41708c8c4e265e882e3e186009af399ca12af3b1ac8746f
Instruction Fuzzy Hash: CFD06C78E011698BEB24CF21DC88B9EB7B6AB45300F2052D5C40DA7240C7305EC0CF18

Function 050E7A2A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3caa496aab2d0f624424208a138ee5add1e612518d1e8153b25e69eac413bd0
Instruction ID: 47db77df9c9eff74278b5ba5710acd463df0fdfd6cd6f46528d577576c6705fb
Opcode Fuzzy Hash: c3caa496aab2d0f624424208a138ee5add1e612518d1e8153b25e69eac413bd0
Instruction Fuzzy Hash: 58C00276E1001A9A8B04DAD9E8408DCB774EB94321B004026D214A6144D63165668B54

Function 00BD083A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d3012a4808eacbcfc00613a93dc5357fd3cdd90b050ea0c51efe6bd79b3ee8
Instruction ID: 3e56a615693ac06aec8bdaee2fe2668a41862e1ae460b724df78eab7de369d5e
Opcode Fuzzy Hash: b8d3012a4808eacbcfc00613a93dc5357fd3cdd90b050ea0c51efe6bd79b3ee8
Instruction Fuzzy Hash: D7C08C25909AA19FCF145774A82922C3901FB43304F4504BCD30287292E8610805C202

Function 00BD0B1C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a025f016b9ba71eb35937c7526a39cd3aaa873274fc3a4524b5c6a86bfd730f3
Instruction ID: e21c9e62aee5a5ee54a9d5724957fa771c3fc0df7723e84fd205ae06ae843f6a
Opcode Fuzzy Hash: a025f016b9ba71eb35937c7526a39cd3aaa873274fc3a4524b5c6a86bfd730f3
Instruction Fuzzy Hash: FCB0123051C10CC79414AA706858334FB50B18060AB2001C3E80E4D3207B1104319363

Non-executed Functions

Function 050E12B0 Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

F, xrefs: 050E137F
M, xrefs: 050E1847

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: F$M
API String ID: 0-1926493419
Opcode ID: 4ffd0f6b4112f66a13c6fde19892ca3f54fe5e944a6c15725f822a5733da9b54
Instruction ID: 7dc3ff184db92ea9ba8c82befd5dbe8c464eb8db99cac2f0b112e92229d112fe
Opcode Fuzzy Hash: 4ffd0f6b4112f66a13c6fde19892ca3f54fe5e944a6c15725f822a5733da9b54
Instruction Fuzzy Hash: 62315AB5E056188BDB68CF6BD84469EFBF7AFC9300F14C1FA940DA6264DB300A858F11

Function 050E129F Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

F, xrefs: 050E137F

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: de2b3495606e15a36360ac60cae53d0330588b832aaa96a948115f582e685d86
Instruction ID: 919acd9d36a2d0a950783fd0abd64bf5721d7b20ea147ba8a22ead709853e03e
Opcode Fuzzy Hash: de2b3495606e15a36360ac60cae53d0330588b832aaa96a948115f582e685d86
Instruction Fuzzy Hash: E4319F71E056189BEB5CCF6B8C4429EFBF7AFC9300F18C1BA840CA6264DB300A458F51

Function 051F23F8 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d984c566933f52175b6e12f68f77e51b88bb108fe89691d28f3f677ac37b4616
Instruction ID: 664de8fcbe4cfbbf6a2729bf2a3c86cea8324ec53e8bbed59bf13917716c02ff
Opcode Fuzzy Hash: d984c566933f52175b6e12f68f77e51b88bb108fe89691d28f3f677ac37b4616
Instruction Fuzzy Hash: AE324674B006168FCB58DF69C894A7EBBF2FB89300F248529D56AD7381DB34AD41CB91

Function 050E6688 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6df25f6ad1479199e07e361bf326b8a3250f81ee5688138ffd5788463bbfd2a
Instruction ID: 4a3d9c3691bbd708a0ef85cfee1f9475667960bcd3a199a9228b8eb4d5e297ae
Opcode Fuzzy Hash: d6df25f6ad1479199e07e361bf326b8a3250f81ee5688138ffd5788463bbfd2a
Instruction Fuzzy Hash: 9D12A070E046189FDB14CFAAD98069EFBF2FF98304F28C169D458AB219D735A946CF50

Function 050D2AF8 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448067637.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8207b968e3d7ec69eddd0ad31233dbd36c5a207cddb3ead1f5dc88e8bce0e0de
Instruction ID: 8be77763d5fa60ee21bbf4cd3c842ed79d8708ba0aa11eb50cebcb43f8e89ae4
Opcode Fuzzy Hash: 8207b968e3d7ec69eddd0ad31233dbd36c5a207cddb3ead1f5dc88e8bce0e0de
Instruction Fuzzy Hash: 1ED10738A006098FDB54DF69D584A6EF7F2BF88711F25C599E805AB361DB34EC81CB60

Function 051BA558 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0565bff06948cb32b7afc44e351f5ccf8b15cceeebf4c806bb52dd0d4ac0c3a8
Instruction ID: d6d7b26e7dea15c81808e4c3494b2b1eed98d53e6498a40e9853465490ce02ea
Opcode Fuzzy Hash: 0565bff06948cb32b7afc44e351f5ccf8b15cceeebf4c806bb52dd0d4ac0c3a8
Instruction Fuzzy Hash: 20C1D1B4A05258CFEB64DFA5D894BEDBBF2BF49305F1080AAD409AB295D7B45984CF00

Function 051BA549 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84e8f464982a70d23fab77626b7f4a46320861f712cc42bf57f19f1365dba4d
Instruction ID: 3b126208f139690e54b8b77d0c496447ca4877b5939a5f4931fa0d0d9a3edf5f
Opcode Fuzzy Hash: d84e8f464982a70d23fab77626b7f4a46320861f712cc42bf57f19f1365dba4d
Instruction Fuzzy Hash: E1C1E1B4A05248CFEB64DFA5D894BADBBF2FF49305F1080AAD409AB295D7B45984CF00

Function 052B0006 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c456898a8d599655ec2615bb0ea96b5393b6e9b27a22f61d3eafca5d24cf271
Instruction ID: 931cee438179cc5ed020db01e3461ed5c350c02cd66f960a7776e0e60abd0e19
Opcode Fuzzy Hash: 7c456898a8d599655ec2615bb0ea96b5393b6e9b27a22f61d3eafca5d24cf271
Instruction Fuzzy Hash: 2CB11774D15208CFEB15DFA9D888BEEBBB2FF4A345F109069D009A7295DBB45945CF00

Function 052B0040 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448880254.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e5776b16aeca00bdb20d3d52f3a4b59cd38ece1e02f6964d07cb5aa18651f3
Instruction ID: 8b485ceda99394455fc78501c16aee652318a76a181a9e46b23ed44393cc6899
Opcode Fuzzy Hash: 29e5776b16aeca00bdb20d3d52f3a4b59cd38ece1e02f6964d07cb5aa18651f3
Instruction Fuzzy Hash: 26A13774E15208CFEB14DFA9D888BEEBBB2FF49346F109069D009A7295DBB45985CF00

Function 052DF648 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448902920.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d5b05041277a26e212985c7d116d9b06b5c58c65ed6ee62c1c88154a3445b1
Instruction ID: 58c1522344dde18527d2149deae7997e9a2338663927376073e02d049b2c9485
Opcode Fuzzy Hash: 86d5b05041277a26e212985c7d116d9b06b5c58c65ed6ee62c1c88154a3445b1
Instruction Fuzzy Hash: 5BB1E474E25218DFEB14CFAAD984BADFBF2BF89305F1080AAD40AA7255D7705981CF14

Function 0556D220 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c19e0b52a88f7b778d98b656506610166af8615815121d35dc169a8b9d91e2d
Instruction ID: e7e7ce35f5cdcf809244c3bf5a8215ad05b0932903d9b0cf1e25e4d2a0a1140b
Opcode Fuzzy Hash: 8c19e0b52a88f7b778d98b656506610166af8615815121d35dc169a8b9d91e2d
Instruction Fuzzy Hash: 60910570E05258CFEB64DFA9C844BAEBBF6BF49304F1488AAD40DA7245DB749985CF40

Function 00BD58A9 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b631b906da05dc0c0f984a1125db1f438055b2635dc6e2c266364c32626c95c
Instruction ID: 6a14b2388b5cb32fb56c422b3793873f7db0c5dddfd25aed6e6a3afd93f21636
Opcode Fuzzy Hash: 4b631b906da05dc0c0f984a1125db1f438055b2635dc6e2c266364c32626c95c
Instruction Fuzzy Hash: 5F713E74E006489FE708EF7AE840A9ABBF3FFC8305F14C229D4049B269EB355915DB51

Function 00BD58B8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20d7312710a209a4ba854607ef2632d62ed7567b1848e3d6caeda3289448bd0
Instruction ID: df5068020cc272b1909f3a6ee256f8b33e87e8d749f5824f0d4d29f9a575655f
Opcode Fuzzy Hash: b20d7312710a209a4ba854607ef2632d62ed7567b1848e3d6caeda3289448bd0
Instruction Fuzzy Hash: 12712B74E006489FEB18EF7AE840A9ABBF3FFC9305F14C229D4049B268EB355915DB51

Function 051F5CF0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d96caeb63c1772cbe990a9c251ec821d4e8ffe66697d79dbdb0eebe047bf75d
Instruction ID: 591283a3d1fffbde0ad3ad193e8b55b133ed10a795630eedd6be9a05f9bad25f
Opcode Fuzzy Hash: 3d96caeb63c1772cbe990a9c251ec821d4e8ffe66697d79dbdb0eebe047bf75d
Instruction Fuzzy Hash: A0516978D06218DFEB24DFA9D488BEDBBF2FB49305F02812AD506A7295D7784885CF00

Function 051F5D00 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8b8ade894637df640a7922c3cf6e30d59bc7a39f4e61016e52af4d9ae99ad4
Instruction ID: e59a3f3f22f3b13ef41732b879340b725c1d3f0bd943d0f7d8e08f20a1f1f06f
Opcode Fuzzy Hash: df8b8ade894637df640a7922c3cf6e30d59bc7a39f4e61016e52af4d9ae99ad4
Instruction Fuzzy Hash: 1B514878D06208DFEB24DFA9D448BEDBBF6FB49305F02402AD606A7294D7784885CF00

Function 050E6678 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85190f9f93b181d61cbc7f8d21ca932634b3b19da04391e79d4d7c5171c81ac0
Instruction ID: 9184bd2a66f546818b56503521d67f33410c98cfefe5984577910166bb9d8b87
Opcode Fuzzy Hash: 85190f9f93b181d61cbc7f8d21ca932634b3b19da04391e79d4d7c5171c81ac0
Instruction Fuzzy Hash: 274146B5E006198BEB18CFABD94069EFBF3BFC8300F14C16AD958AB214DA3459468F54

Function 052D0006 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448902920.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a144c0cb329e0ef07b19bd1c87170fa3b12964727e761d558dddf988b2facd5
Instruction ID: d70969beb338188b85e052444beaa16c44f5f6f198d80d43f20deb14da0a6b37
Opcode Fuzzy Hash: 2a144c0cb329e0ef07b19bd1c87170fa3b12964727e761d558dddf988b2facd5
Instruction Fuzzy Hash: 17518CB1D056548BEB2DCF2B8D453CAFAF3AFC9300F04C1FA954CA6265EA7409868F01

Function 052D0040 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448902920.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260c873fbfab8902bcebfe7a591bc809cd9c0927d31465cb3601c2b698a74ace
Instruction ID: c59d924603b4c8395e28dfd26a76d82dd8aa52741b0f31dc3dc3ea97585da90b
Opcode Fuzzy Hash: 260c873fbfab8902bcebfe7a591bc809cd9c0927d31465cb3601c2b698a74ace
Instruction Fuzzy Hash: DC514B71D016588BEB2CCF6B8D457CAFAF7AFC9300F04C1FA954CA6225EB704A858E50

Function 052DDA10 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448902920.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cea8d95f344e2c329f0155c23b46d32aae8909f9e860f9db8d3fbac9e2a8ae7
Instruction ID: 9731d15cb1b471bce2edcb8bffed248f01688d300427a50d84fee67dd416e4b1
Opcode Fuzzy Hash: 9cea8d95f344e2c329f0155c23b46d32aae8909f9e860f9db8d3fbac9e2a8ae7
Instruction Fuzzy Hash: 99411FB4D147499FDB10CFA9C884BADFBF1BF09304F249129E819AB290D7789885CF54

Function 051F5ECF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56283c7248b63574eb7c852f8be1db732cb229a354fd2110ddd6ef62356199d
Instruction ID: df978f3cb678bf7c4ab36ae9136d432d56d32d900fac60f654c2c90f612d5f61
Opcode Fuzzy Hash: e56283c7248b63574eb7c852f8be1db732cb229a354fd2110ddd6ef62356199d
Instruction Fuzzy Hash: 75412678D05208CFEB24DFA4D488BEDBBF2FB4A306F12516AE205A7695D7784885CF00

Function 050E806F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33838384a7d47832466397bde9f25f32c5d15598c9624e2694b7f6d1a0ebd03
Instruction ID: b1ddcceb48fcd06d18c16d0dd3bcb20893f0ae73cdf685fcdefbcbcc88e9cce7
Opcode Fuzzy Hash: b33838384a7d47832466397bde9f25f32c5d15598c9624e2694b7f6d1a0ebd03
Instruction Fuzzy Hash: D6414D71E05A588FEB1CCF6BDD5069EFAF7AFC9201F18C0BA944CAA265DB3045468F01

Function 051B1468 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60461bc28830b12f24baf90f829d7213c934dfcebed355522e790f875990505
Instruction ID: 10ccf78beda73f0918a2fdeee349f808dd8ea7b278da4072b0aca9eabc1c435d
Opcode Fuzzy Hash: d60461bc28830b12f24baf90f829d7213c934dfcebed355522e790f875990505
Instruction Fuzzy Hash: 5D410EB5C042589FDB00CFAAD484AEEFBF4BF49310F24842AE415B7240C778AA45CF64

Function 051B1460 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448454225.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cf887b0a54be73ca9d74f8872209004f47b92cc2b68d6ea04ef26f3ea2529b
Instruction ID: 01cd92db985e747cc5b9ee260175ec1c78a07cff22252bc4cf4e3ef79bbaf652
Opcode Fuzzy Hash: e1cf887b0a54be73ca9d74f8872209004f47b92cc2b68d6ea04ef26f3ea2529b
Instruction Fuzzy Hash: F041FDB5C052589FDB00CFA9D484AEEFBF0AF09310F24842AE855B7240C778AA49CF64

Function 051F8FE8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a094558e25666ce6350587f97740c507f5173ce32af580728deaccbe3e293c1
Instruction ID: ffaf5d00548d8dfc5b81dcaab88d6e705047070b8df2257ff983f424a9f64788
Opcode Fuzzy Hash: 7a094558e25666ce6350587f97740c507f5173ce32af580728deaccbe3e293c1
Instruction Fuzzy Hash: CD31F5B0D05218CBEB68DFAAC954B9DBBF6BF89300F04C1AAD509AB250DB744985CF50

Function 05550006 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6dedc5a1154adf5f1cb776b85977699f2e403d5fdde29bcedcc26116485e24
Instruction ID: 9268e7b5ce59aaeb7de89069f462ee03ae2fb7f769e145db66c51bc294f44634
Opcode Fuzzy Hash: 8a6dedc5a1154adf5f1cb776b85977699f2e403d5fdde29bcedcc26116485e24
Instruction Fuzzy Hash: 9A313A71D047588FE719CF6BCC1979ABBF6AF85300F04C0FA9808A6265EB741A898F51

Function 050E0006 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a36db951ea57de39daa31d0b6ec2863d3bac134e849f0e3255a4018c64a7f0
Instruction ID: 4deb50d3aa7bff67bde036b8502f78066a175b2268fa23c2bb5b6abd3767fd90
Opcode Fuzzy Hash: 36a36db951ea57de39daa31d0b6ec2863d3bac134e849f0e3255a4018c64a7f0
Instruction Fuzzy Hash: D831FD71D057988FD71ACF6B9D112D9BBF3AFCA310F19C0BAD408AA266EA740945CF11

Function 00BD6308 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab23fb46f53e51bee17a311d80a6c1b215b4e91d3514f5d034586448d98d9d9
Instruction ID: 66c88621a335ae23a70665ec28806b86d9da28d71b4f89d89b5e99c61ca0061e
Opcode Fuzzy Hash: 4ab23fb46f53e51bee17a311d80a6c1b215b4e91d3514f5d034586448d98d9d9
Instruction Fuzzy Hash: B33188B1D016188BEB68CF6BCD5478AFAF6BFC9304F14C1AAC40CA6264EB7409858F01

Function 050E0040 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448107573.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50e0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b5f6eb2eb1baad43d2ebbedbbcd5fd5c47147340cd9e71e3c3cc73b769fc17
Instruction ID: 7c585e63757e4e40a02d09119818b116838555ee40368817b2fc34cfdd8c6d9f
Opcode Fuzzy Hash: a9b5f6eb2eb1baad43d2ebbedbbcd5fd5c47147340cd9e71e3c3cc73b769fc17
Instruction Fuzzy Hash: 2421D771E04659CBDB29CF6BD8546EEBBF3AFC9300F14C0BA9419AB314EA7509858F40

Function 05550040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448951029.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401c69fe757372966eca09cde6ce4ebba6f0cd69aef9412533239799af604de3
Instruction ID: 4da23ae19bec0738f50372f6b73d6a33d379e92cce39415e639901ef6eeef03d
Opcode Fuzzy Hash: 401c69fe757372966eca09cde6ce4ebba6f0cd69aef9412533239799af604de3
Instruction Fuzzy Hash: 6821AC71D04618CBEB28CF6BD85879AF6F7BFC8310F04C4BA991CA6254DB741A958F41

Function 00BD62F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437968916.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9c5fc542f56c7931dc7b107aff7da1e30ffd825b36f65ebad517fe0c45708a
Instruction ID: 47f1632891cd48f03cb570f8593200b555a31f46addc2133772df2d897a68fd2
Opcode Fuzzy Hash: 9c9c5fc542f56c7931dc7b107aff7da1e30ffd825b36f65ebad517fe0c45708a
Instruction Fuzzy Hash: 813178B1D016188BEB68CF6BCD5478AFBF7AFC9304F14C1A9C40CA6265EB7509858F01

Function 051FD348 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e01111fb07d1adbcd1ecad4158d17fff84aeb7e0bca10feb668bcc0b4452ab1
Instruction ID: bc0d436b08e7ddc6b0af10d320376600c7ab9bbc34dbe7adbf964dbc10ed3e41
Opcode Fuzzy Hash: 4e01111fb07d1adbcd1ecad4158d17fff84aeb7e0bca10feb668bcc0b4452ab1
Instruction Fuzzy Hash: A021FFB5D042189FDB14CFAAD880AEEFBF5FB49320F10901AE905B7250C7356905CFA4

Function 051FD340 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee93f9aea6621bcf16cd2b8e2f848a7d30a5243dbad2e781775208feec8a227
Instruction ID: 1f27ca15d987cb95c506f6ddd9073a8bb3e4a386c84e1bbf1d9d2bc074fa68d9
Opcode Fuzzy Hash: 3ee93f9aea6621bcf16cd2b8e2f848a7d30a5243dbad2e781775208feec8a227
Instruction Fuzzy Hash: 2D21EDB5D042189FDB14CFA9D980AEEFBF1BB49320F14941AE909B7250CB35A905CFA4

Function 051F8FD9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448642137.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51f0000_Bill of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ec51d57321c2ea9fbfe54405acc89a2c49bb32d956b3447c7acf15406c128a
Instruction ID: 6d5e5ca1fa5ed2ff007c8dde39aa77ee28c221feef0657a4408659afc982f7b3
Opcode Fuzzy Hash: 08ec51d57321c2ea9fbfe54405acc89a2c49bb32d956b3447c7acf15406c128a
Instruction Fuzzy Hash: 5521C4B1D056188BEB28CFABC9547DEFAF7AFC8300F14C16AD509AA254DB7509868F50

Analysis Process: InstallUtil.exePID: 1036, Parent PID: 4084COMMON

Executed Functions

Function 009D0EE0 Relevance: 4.1, Strings: 3, Instructions: 311COMMON

Download Yara Rule

Strings

Ij, xrefs: 009D113A
4Pf, xrefs: 009D11B5
4Pf, xrefs: 009D11DD

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4Pf$4Pf$Ij
API String ID: 0-4135004042
Opcode ID: 9cb6969bfefb252a950d6161c58f9b66d9056e860880263b64675d6c05ae6504
Instruction ID: 5dee1168984c86fb414a181a39f387e9bc12ba13bb23ea5ec7407437f57c1bee
Opcode Fuzzy Hash: 9cb6969bfefb252a950d6161c58f9b66d9056e860880263b64675d6c05ae6504
Instruction Fuzzy Hash: 6BB19035B04218ABEB48EF74985476E7BB7BFC8700F15C96AE506EB394CE349C029791

Function 009D0901 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

4Pf, xrefs: 009D0948
4Pf, xrefs: 009D096F

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4Pf$4Pf
API String ID: 0-3387177017
Opcode ID: 46eb3396544d1d944d4cb5a3d3f4535c93152ff60326a29a60037a40ba4f9a31
Instruction ID: ab5f8b8c40acc408a7e2eeda4c84ec13e663e2d88d7befa8644a8d79a5778950
Opcode Fuzzy Hash: 46eb3396544d1d944d4cb5a3d3f4535c93152ff60326a29a60037a40ba4f9a31
Instruction Fuzzy Hash: 4921BE30E052489FCB58EBB894157AE7FF2AF85340F1484AAD44AEB396DA745D05CB90

Function 009D12D1 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b11383b97ff54794be3b1e1a181955acc9c6d76f5523156842236ed1f87a964
Instruction ID: 78853ffad2888df47370b036d904f8791c816fb6124b610577d642d2b74e4c24
Opcode Fuzzy Hash: 1b11383b97ff54794be3b1e1a181955acc9c6d76f5523156842236ed1f87a964
Instruction Fuzzy Hash: A131DC34A10309DFDB02EBB8D8856AEBBB6FF89300F1085AAD405A7356DB346A00CF51

Function 009D0BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e70099870ab40b81620979fffff6abb24efdabfc4337c8ac1e0df1db2cf68c
Instruction ID: c82d1f288b9b58197a6ea6e4c99dd55553fd43a5651f833170f61687b3a947e3
Opcode Fuzzy Hash: d6e70099870ab40b81620979fffff6abb24efdabfc4337c8ac1e0df1db2cf68c
Instruction Fuzzy Hash: 37719D307103058FCB45EB78E868A6E7BA7FFC8711F108529E4069B3A5DF74AD059B91

Function 009D1771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69aa67d036578bf882903e9559f79130938d18084796993bbd696724f2256ddd
Instruction ID: 6955fac7a7fc08356d9f5c591bbd5cf0cb29b9d749d0f09e7128a5993508d5f3
Opcode Fuzzy Hash: 69aa67d036578bf882903e9559f79130938d18084796993bbd696724f2256ddd
Instruction Fuzzy Hash: 1B218061B003185FDB54ABB9481436FFAEBEFC9741B14842ED80BD7381DE3488059761

Function 009D1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2a7127f9ff3bcc4da68856fa01646bda7f0063e780559c6a209137108c4b0b
Instruction ID: 3ebab9f2ba1286899a2fce3843065a2540ab21e152fcefa3a62019c7014d41ae
Opcode Fuzzy Hash: 5c2a7127f9ff3bcc4da68856fa01646bda7f0063e780559c6a209137108c4b0b
Instruction Fuzzy Hash: 4D218B34A10309DFDB45EBB8D8856AEBBBAFFC8700F108569E405A7309DB756A40CB91

Function 009D0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7498368b9902d857b5e14049a9955bc9e84129acf5ec7647b7519c62a07357f
Instruction ID: 827853a986729731a90f7dd3dc71b9051fa3bc3eef197cd4a57f6987b329d90e
Opcode Fuzzy Hash: a7498368b9902d857b5e14049a9955bc9e84129acf5ec7647b7519c62a07357f
Instruction Fuzzy Hash: 2F21C3317007044BDB69BB79882022E7AE3BFC46567408A3EC02BCB780EF319E045BD6

Function 009D0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2673936751.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeb3b1e586426bf39a08147fac93bcbb708ac4a5ec75c0f1d9198e7126610b2
Instruction ID: 7e455ac7d57a5f535622728af6645cac7256ea7703340c143be04897e5ec59c4
Opcode Fuzzy Hash: aeeb3b1e586426bf39a08147fac93bcbb708ac4a5ec75c0f1d9198e7126610b2
Instruction Fuzzy Hash: 350199745213199FDF42FF18F9C0A567BAEBB84715F009A6498048B22EDB747906DF81

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bill of Lading.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\mmgfreeway.exe

C:\Users\user\AppData\Roaming\mmgfreeway.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
Bill of Lading.exe

Function 051FBA28 Relevance: 3.0, Strings: 2, Instructions: 543
COMMON

Function 051FF0B5 Relevance: 1.8, APIs: 1, Instructions: 264
processCOMMON

Function 051FF0C0 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Function 051B0ED7 Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Function 051B08BD Relevance: 1.7, APIs: 1, Instructions: 154
fileCOMMON

Function 051B08C8 Relevance: 1.7, APIs: 1, Instructions: 153
fileCOMMON

Function 051B0F28 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Function 051FFB30 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON