Windows Analysis Report
SOA AUG 2024 - CMA CGM.exe

Overview

General Information

Sample name: SOA AUG 2024 - CMA CGM.exe
Analysis ID: 1524994
MD5: 47f67ecfb3eb722a3d7aefb8b5ac8b54
SHA1: 78da020402a8413cdf7d663a196c9ce46577bdbb
SHA256: a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SOA AUG 2024 - CMA CGM.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe" MD5: 47F67ECFB3EB722A3D7AEFB8B5AC8B54)
    • powershell.exe (PID: 2612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5916 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 936 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 5660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 2872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 5704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 5672 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 4616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • tshjuqE.exe (PID: 7020 cmdline: C:\Users\user\AppData\Roaming\tshjuqE.exe MD5: 47F67ECFB3EB722A3D7AEFB8B5AC8B54)
    • schtasks.exe (PID: 3200 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 5388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 1268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 5764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 6308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 5072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • cleanup
{"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Source | Rule | Description | Author | Strings
0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x64a1:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x348c1:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cdd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x4b1f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xac0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x3902f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x15af7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      • 0x43f17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9b58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9dc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x37f78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x381e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x158f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x43d15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x153e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x43801:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x159f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x43e17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x15b6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x43f8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa7da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x38bfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1465c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x42a7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb4d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x398f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1bb37:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x49f57:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1cb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18a59:$sqlite3step: 68 34 1C 7B E1
      • 0x18b6c:$sqlite3step: 68 34 1C 7B E1
      • 0x46e79:$sqlite3step: 68 34 1C 7B E1
      • 0x46f8c:$sqlite3step: 68 34 1C 7B E1
      • 0x18a88:$sqlite3text: 68 38 2A 90 C5
      • 0x18bad:$sqlite3text: 68 38 2A 90 C5
      • 0x46ea8:$sqlite3text: 68 38 2A 90 C5
      • 0x46fcd:$sqlite3text: 68 38 2A 90 C5
      • 0x18a9b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18bc3:$sqlite3blob: 68 53 D8 7F 8C
      • 0x46ebb:$sqlite3blob: 68 53 D8 7F 8C
      • 0x46fe3:$sqlite3blob: 68 53 D8 7F 8C

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe", ParentImage: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, ParentProcessId: 1664, ParentProcessName: SOA AUG 2024 - CMA CGM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", ProcessId: 2612, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe", ParentImage: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, ParentProcessId: 1664, ParentProcessName: SOA AUG 2024 - CMA CGM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", ProcessId: 2612, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tshjuqE.exe, ParentImage: C:\Users\user\AppData\Roaming\tshjuqE.exe, ParentProcessId: 7020, ParentProcessName: tshjuqE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp", ProcessId: 3200, ProcessName: schtasks.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe", ParentImage: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, ParentProcessId: 1664, ParentProcessName: SOA AUG 2024 - CMA CGM.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp", ProcessId: 936, ProcessName: schtasks.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe", ParentImage: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, ParentProcessId: 1664, ParentProcessName: SOA AUG 2024 - CMA CGM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe", ProcessId: 2612, ProcessName: powershell.exe

      Persistence and Installation Behavior

      Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe", ParentImage: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, ParentProcessId: 1664, ParentProcessName: SOA AUG 2024 - CMA CGM.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp", ProcessId: 936, ProcessName: schtasks.exe
      No Suricata rule has matched


      AV Detection

      Source: SOA AUG 2024 - CMA CGM.exe | Avira: detected
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Avira: detection malicious, Label: HEUR/AGEN.1305639
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | ReversingLabs: Detection: 31%
      Source: SOA AUG 2024 - CMA CGM.exe | ReversingLabs: Detection: 32%
      Source: Yara match | File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Joe Sandbox ML: detected
      Source: SOA AUG 2024 - CMA CGM.exe | Joe Sandbox ML: detected
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: xDnL.pdbSHA256 source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr
      Source: Binary string: xDnL.pdb source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr

      Networking

      Source: Malware configuration extractor | URLs: www.f6b-crxy.top/cu29/
      Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2198245825.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, tshjuqE.exe, 0000000D.00000002.2237054846.0000000002D60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

      E-Banking Fraud

      Source: Yara match | File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: SOA AUG 2024 - CMA CGM.exe PID: 1664, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: tshjuqE.exe PID: 7020, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_00F3D5BC
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F35AF0
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F351D0
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F351CE
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F34D98
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F36D10
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F36D03
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F368D8
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F368C8
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F37870
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_012FD5BC
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_052A6BE0
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_052A0006
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_052A0040
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_052A6BD0
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A668C8
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A668D8
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A67870
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A64D98
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A66D03
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A66D10
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A651C1
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A651D0
      Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2196197377.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SOA AUG 2024 - CMA CGM.exe
      Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2199060259.0000000004292000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA AUG 2024 - CMA CGM.exe
      Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2207628306.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA AUG 2024 - CMA CGM.exe
      Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000000.2167723438.0000000000662000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexDnL.exe@ vs SOA AUG 2024 - CMA CGM.exe
      Source: SOA AUG 2024 - CMA CGM.exe | Binary or memory string: OriginalFilenamexDnL.exe@ vs SOA AUG 2024 - CMA CGM.exe
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: SOA AUG 2024 - CMA CGM.exe PID: 1664, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: Process Memory Space: tshjuqE.exe PID: 7020, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: tshjuqE.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, cCyHacXQqIaKEQ3ts3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, cCyHacXQqIaKEQ3ts3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, cCyHacXQqIaKEQ3ts3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/11@0/0
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | File created: C:\Users\user\AppData\Roaming\tshjuqE.exe
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2532:120:WilError_03
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Mutant created: \Sessions\1\BaseNamedObjects\CkAJOWvyvxyjlP
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:800:120:WilError_03
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | File created: C:\Users\user\AppData\Local\Temp\tmp561C.tmp
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: SOA AUG 2024 - CMA CGM.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: SOA AUG 2024 - CMA CGM.exe | ReversingLabs: Detection: 32%
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | File read: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
      Source: unknown | Process created: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\tshjuqE.exe C:\Users\user\AppData\Roaming\tshjuqE.exe
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: propsys.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: edputil.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: slc.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: sppc.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: xDnL.pdbSHA256 source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr
      Source: Binary string: xDnL.pdb source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr

      Data Obfuscation

      Source: SOA AUG 2024 - CMA CGM.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
      Source: tshjuqE.exe.0.dr, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.5480000.3.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | .Net Code: Fahm2Xdy1W System.Reflection.Assembly.Load(byte[])
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | .Net Code: Fahm2Xdy1W System.Reflection.Assembly.Load(byte[])
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.3a7a190.0.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | .Net Code: Fahm2Xdy1W System.Reflection.Assembly.Load(byte[])
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: 0x83A554D2 [Wed Dec 28 02:00:50 2039 UTC]
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe | Code function: 0_2_06F3E6C5 push FFFFFF8Bh; iretd 0_2_06F3E6C7
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe | Code function: 13_2_09A6D84B push edx; iretd 13_2_09A6D853
      Source: SOA AUG 2024 - CMA CGM.exe | Static PE information: section name: .text entropy: 7.4353031245498595
      Source: tshjuqE.exe.0.dr | Static PE information: section name: .text entropy: 7.4353031245498595
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, cCyHacXQqIaKEQ3ts3.cs | High entropy of concatenated method names: 'T5ZKiul9w5', 'TNJKd0eOon', 'Wj7KxmnOpR', 'pa2KDJCvPq', 'zs3KBvE8LZ', 'HqHKlF5M5V', 'ra2KvRuCkc', 'fQIKSL6yl2', 'EemK9FfCKR', 'AbMKyZEhy1'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, d3t4KKy6Wj4hgeS3Uv.cs | High entropy of concatenated method names: 'QJQMNWY7VD', 'GKfMuol7x0', 'PUtMm1Xfol', 'atuMQ94CDr', 'iOlMKQ6cWr', 'dreMflghpZ', 'mdIMTUAejY', 'mnr6vbEHaN', 'Dr06SgHy71', 'wFr69h42rc'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, zciFvOiwo9ZSlZnDPZ.cs | High entropy of concatenated method names: 'esUt0VuuqC', 'eTBtqbP1dX', 'p51ti6YjDJ', 'klxtd3p7ap', 'aiXtOn2wLD', 'jrXtInOI3m', 'shAtowMc4T', 'DrYtr8yooD', 'sWutUUw4hk', 'vSVtsdHgUX'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, x8Yo0oHHXG0s7FUJ9Q.cs | High entropy of concatenated method names: 'WlMp4sAudZ', 'sLopkraDYK', 'HTNp2Ujpk7', 'LhGpnCKCIo', 'sVlpGUEcXx', 'zVnpLhNqkr', 'wDtp7UhqKw', 'QJYpXth3ln', 'ARypWE3eFn', 'sadpA30utZ'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, JnmGFKWib9eD7ChHAA.cs | High entropy of concatenated method names: 'GqFhn0bLG0', 'UW9hLs3nO2', 'X6ThX9iblv', 'zDWhW64Z1S', 'GpyhtGNUfx', 'c9Ihec6YW6', 'NM2hR8FcTP', 'k1Ph6R00Af', 'tPLhMJ9K06', 'hXfhaxJXSO'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, CBbDDLh3T1HHjGj3XY.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'N8qZ9ClGIm', 'a94ZyYVNYI', 'Fb8ZzMo54B', 'ngruJeqdga', 'nNSuNv5Jov', 'PTpuZXw626', 'hRkuuJ48Ds', 'yun7yn6KnjhQi6M6r4S'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, Usy8xc9q95ZgDBOvJC.cs | High entropy of concatenated method names: 'et86F85T0S', 'BBM6OJ1oWf', 'JrZ6IA5cTu', 'F9b6oioUGw', 'BIk6iiAteD', 'C9h6rmfhBe', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uWu4cpAWnL9t27jHRw.cs | High entropy of concatenated method names: 'PqTfGX4I4h', 'iOJf7OxpHM', 'hK0hI0F1DQ', 'KrghofWOMx', 'GIVhrSXVIg', 'ssEhUAhXTP', 'Xfxhs8Imbd', 'So6hglY4J2', 'mCNhHCneh7', 'de8h0ScsrL'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, sMoq8Am4iwZbrHdDBy.cs | High entropy of concatenated method names: 'DQZNpCyHac', 'fqINYaKEQ3', 'fibNC9eD7C', 'hHANcAjWu4', 'CjHNtRwQS3', 'kGWNeRr3k4', 'm0MmosiB7xtnAQrqcM', 'aJGWYQRlxsL1i17ttg', 'VR5NNdPnr0', 'rTUNuGJJjD'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, tmba8aKoYgmuspHOI7.cs | High entropy of concatenated method names: 'Dispose', 'KBbN9X7tnu', 'tgGZOGyucA', 'yFnjjNNlEl', 'eODNyFSXSy', 'ew8NzjB90a', 'ProcessDialogKey', 'VrlZJsy8xc', 'P95ZNZgDBO', 'WJCZZm3t4K'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, zHT6DHZnyWJKdNK2sX.cs | High entropy of concatenated method names: 'LHf2gXUAn', 'SScn6MkqW', 'AfRLgOHA9', 'c2c7XsXcS', 'wDUWGYxZ8', 'StqA7B7Js', 'Cdswxit9fpJlVxSigT', 'GEukvuyywFcxUhO4LB', 'oX96yTtly', 'SU2aXQFsI'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, DiP8u5scXVdht105uc.cs | High entropy of concatenated method names: 'Mg5pQj7xWO', 'AIaphLJHZn', 'UbspT6a2g9', 'TdrTy2uJ8g', 'GoJTz2NLcq', 't2spJTB9tW', 'wudpNCnUK9', 'VjZpZAV4ZK', 'LfCpukvNW9', 'HxCpmqWgua'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, HDFSXSSy8w8jB90alr.cs | High entropy of concatenated method names: 'Ljx6QsXD48', 'oQO6KqToO5', 'FM26hTeIH6', 'zHZ6fPV5mc', 'Bdo6T2UJQX', 'u5T6p9f6Yo', 'A6M6Yx1xZ2', 'NEF6PvjXih', 'MFI6Crhfmn', 'jQ56cu2Arv'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, k1yQAcDpXg7eQjOkuo.cs | High entropy of concatenated method names: 'JheRCoicpK', 'h6KRccfCwM', 'ToString', 'Hu2RQUyL72', 'XCkRKZQu7I', 'EBlRh9CgQW', 'ESmRflWfWp', 'eHtRTd0dKc', 'iq5RpPyVrL', 'qxnRYg6FFs'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, X7Uu1qE879aj56n2V0.cs | High entropy of concatenated method names: 'f6IVXHTOKd', 'JGAVWukYwT', 'r8DVFWaZJJ', 'O8WVOeV0o3', 'kohVoYM1yM', 'nrqVrP4cra', 'BbeVs9DZ3P', 'qy9VgdB5ry', 'YiiV04jeRg', 'idOV1t6Sne'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, fS3pGWFRr3k4JUXevA.cs | High entropy of concatenated method names: 'JjdT8W22us', 'chPTKFOBaQ', 'ebBTfcGB12', 'AINTpeO8oN', 'yeyTYnKclP', 'LIbfBluxcu', 'vGyflV2bmd', 'CTqfvWQD6p', 'Ox7fSxjPpO', 'uE8f98Iyls'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, F3aJXZzuIpt84KtsRb.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bY9MVSsBDf', 'vQ1Mteo6nd', 'iQXMelKp9E', 'o7eMRAXlSB', 'lfPM6G4KL7', 'qPmMMM6Yle', 'tIPMaFFRiM'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, V0QIKVNJlnuseHsku9S.cs | High entropy of concatenated method names: 'Hu0M47SvJP', 'AJLMkHdraI', 'ITSM2USitb', 'FQRMnL44D0', 'qYmMGR2oD2', 'G12MLP6nMx', 'bMKM7qQ5DX', 'TDHMXnDBmS', 'oSQMWrGC9m', 'd8GMAqvmaU'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, gTkiDHNunwAqWKt01i4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7maiHV5ef', 'vygadScT5T', 'KsSaxoeEU4', 'yPGaDv1oGl', 'KaqaB5vXBj', 'ObealXyqkI', 'os1avpgqkb'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | High entropy of concatenated method names: 'sSTu8Dr9s1', 'ntEuQQ37kN', 'eoMuKIu7jd', 'HPluhKMtSQ', 'I7ZufxmqMB', 'nhQuTrf317', 'k88upVfORA', 'C3DuYngqNT', 'K0QuPHCIPv', 'NJVuCvnNhw'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, cCyHacXQqIaKEQ3ts3.cs | High entropy of concatenated method names: 'T5ZKiul9w5', 'TNJKd0eOon', 'Wj7KxmnOpR', 'pa2KDJCvPq', 'zs3KBvE8LZ', 'HqHKlF5M5V', 'ra2KvRuCkc', 'fQIKSL6yl2', 'EemK9FfCKR', 'AbMKyZEhy1'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, d3t4KKy6Wj4hgeS3Uv.cs | High entropy of concatenated method names: 'QJQMNWY7VD', 'GKfMuol7x0', 'PUtMm1Xfol', 'atuMQ94CDr', 'iOlMKQ6cWr', 'dreMflghpZ', 'mdIMTUAejY', 'mnr6vbEHaN', 'Dr06SgHy71', 'wFr69h42rc'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, zciFvOiwo9ZSlZnDPZ.cs | High entropy of concatenated method names: 'esUt0VuuqC', 'eTBtqbP1dX', 'p51ti6YjDJ', 'klxtd3p7ap', 'aiXtOn2wLD', 'jrXtInOI3m', 'shAtowMc4T', 'DrYtr8yooD', 'sWutUUw4hk', 'vSVtsdHgUX'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, x8Yo0oHHXG0s7FUJ9Q.cs | High entropy of concatenated method names: 'WlMp4sAudZ', 'sLopkraDYK', 'HTNp2Ujpk7', 'LhGpnCKCIo', 'sVlpGUEcXx', 'zVnpLhNqkr', 'wDtp7UhqKw', 'QJYpXth3ln', 'ARypWE3eFn', 'sadpA30utZ'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, JnmGFKWib9eD7ChHAA.cs | High entropy of concatenated method names: 'GqFhn0bLG0', 'UW9hLs3nO2', 'X6ThX9iblv', 'zDWhW64Z1S', 'GpyhtGNUfx', 'c9Ihec6YW6', 'NM2hR8FcTP', 'k1Ph6R00Af', 'tPLhMJ9K06', 'hXfhaxJXSO'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, CBbDDLh3T1HHjGj3XY.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'N8qZ9ClGIm', 'a94ZyYVNYI', 'Fb8ZzMo54B', 'ngruJeqdga', 'nNSuNv5Jov', 'PTpuZXw626', 'hRkuuJ48Ds', 'yun7yn6KnjhQi6M6r4S'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, Usy8xc9q95ZgDBOvJC.cs | High entropy of concatenated method names: 'et86F85T0S', 'BBM6OJ1oWf', 'JrZ6IA5cTu', 'F9b6oioUGw', 'BIk6iiAteD', 'C9h6rmfhBe', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uWu4cpAWnL9t27jHRw.cs | High entropy of concatenated method names: 'PqTfGX4I4h', 'iOJf7OxpHM', 'hK0hI0F1DQ', 'KrghofWOMx', 'GIVhrSXVIg', 'ssEhUAhXTP', 'Xfxhs8Imbd', 'So6hglY4J2', 'mCNhHCneh7', 'de8h0ScsrL'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, sMoq8Am4iwZbrHdDBy.cs | High entropy of concatenated method names: 'DQZNpCyHac', 'fqINYaKEQ3', 'fibNC9eD7C', 'hHANcAjWu4', 'CjHNtRwQS3', 'kGWNeRr3k4', 'm0MmosiB7xtnAQrqcM', 'aJGWYQRlxsL1i17ttg', 'VR5NNdPnr0', 'rTUNuGJJjD'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, tmba8aKoYgmuspHOI7.cs | High entropy of concatenated method names: 'Dispose', 'KBbN9X7tnu', 'tgGZOGyucA', 'yFnjjNNlEl', 'eODNyFSXSy', 'ew8NzjB90a', 'ProcessDialogKey', 'VrlZJsy8xc', 'P95ZNZgDBO', 'WJCZZm3t4K'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, zHT6DHZnyWJKdNK2sX.cs | High entropy of concatenated method names: 'LHf2gXUAn', 'SScn6MkqW', 'AfRLgOHA9', 'c2c7XsXcS', 'wDUWGYxZ8', 'StqA7B7Js', 'Cdswxit9fpJlVxSigT', 'GEukvuyywFcxUhO4LB', 'oX96yTtly', 'SU2aXQFsI'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, DiP8u5scXVdht105uc.cs | High entropy of concatenated method names: 'Mg5pQj7xWO', 'AIaphLJHZn', 'UbspT6a2g9', 'TdrTy2uJ8g', 'GoJTz2NLcq', 't2spJTB9tW', 'wudpNCnUK9', 'VjZpZAV4ZK', 'LfCpukvNW9', 'HxCpmqWgua'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, HDFSXSSy8w8jB90alr.cs | High entropy of concatenated method names: 'Ljx6QsXD48', 'oQO6KqToO5', 'FM26hTeIH6', 'zHZ6fPV5mc', 'Bdo6T2UJQX', 'u5T6p9f6Yo', 'A6M6Yx1xZ2', 'NEF6PvjXih', 'MFI6Crhfmn', 'jQ56cu2Arv'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, k1yQAcDpXg7eQjOkuo.cs | High entropy of concatenated method names: 'JheRCoicpK', 'h6KRccfCwM', 'ToString', 'Hu2RQUyL72', 'XCkRKZQu7I', 'EBlRh9CgQW', 'ESmRflWfWp', 'eHtRTd0dKc', 'iq5RpPyVrL', 'qxnRYg6FFs'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, X7Uu1qE879aj56n2V0.cs | High entropy of concatenated method names: 'f6IVXHTOKd', 'JGAVWukYwT', 'r8DVFWaZJJ', 'O8WVOeV0o3', 'kohVoYM1yM', 'nrqVrP4cra', 'BbeVs9DZ3P', 'qy9VgdB5ry', 'YiiV04jeRg', 'idOV1t6Sne'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, fS3pGWFRr3k4JUXevA.cs | High entropy of concatenated method names: 'JjdT8W22us', 'chPTKFOBaQ', 'ebBTfcGB12', 'AINTpeO8oN', 'yeyTYnKclP', 'LIbfBluxcu', 'vGyflV2bmd', 'CTqfvWQD6p', 'Ox7fSxjPpO', 'uE8f98Iyls'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, F3aJXZzuIpt84KtsRb.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bY9MVSsBDf', 'vQ1Mteo6nd', 'iQXMelKp9E', 'o7eMRAXlSB', 'lfPM6G4KL7', 'qPmMMM6Yle', 'tIPMaFFRiM'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, V0QIKVNJlnuseHsku9S.cs | High entropy of concatenated method names: 'Hu0M47SvJP', 'AJLMkHdraI', 'ITSM2USitb', 'FQRMnL44D0', 'qYmMGR2oD2', 'G12MLP6nMx', 'bMKM7qQ5DX', 'TDHMXnDBmS', 'oSQMWrGC9m', 'd8GMAqvmaU'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, gTkiDHNunwAqWKt01i4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7maiHV5ef', 'vygadScT5T', 'KsSaxoeEU4', 'yPGaDv1oGl', 'KaqaB5vXBj', 'ObealXyqkI', 'os1avpgqkb'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs | High entropy of concatenated method names: 'sSTu8Dr9s1', 'ntEuQQ37kN', 'eoMuKIu7jd', 'HPluhKMtSQ', 'I7ZufxmqMB', 'nhQuTrf317', 'k88upVfORA', 'C3DuYngqNT', 'K0QuPHCIPv', 'NJVuCvnNhw'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, cCyHacXQqIaKEQ3ts3.cs | High entropy of concatenated method names: 'T5ZKiul9w5', 'TNJKd0eOon', 'Wj7KxmnOpR', 'pa2KDJCvPq', 'zs3KBvE8LZ', 'HqHKlF5M5V', 'ra2KvRuCkc', 'fQIKSL6yl2', 'EemK9FfCKR', 'AbMKyZEhy1'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, d3t4KKy6Wj4hgeS3Uv.cs | High entropy of concatenated method names: 'QJQMNWY7VD', 'GKfMuol7x0', 'PUtMm1Xfol', 'atuMQ94CDr', 'iOlMKQ6cWr', 'dreMflghpZ', 'mdIMTUAejY', 'mnr6vbEHaN', 'Dr06SgHy71', 'wFr69h42rc'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, zciFvOiwo9ZSlZnDPZ.cs | High entropy of concatenated method names: 'esUt0VuuqC', 'eTBtqbP1dX', 'p51ti6YjDJ', 'klxtd3p7ap', 'aiXtOn2wLD', 'jrXtInOI3m', 'shAtowMc4T', 'DrYtr8yooD', 'sWutUUw4hk', 'vSVtsdHgUX'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, x8Yo0oHHXG0s7FUJ9Q.cs | High entropy of concatenated method names: 'WlMp4sAudZ', 'sLopkraDYK', 'HTNp2Ujpk7', 'LhGpnCKCIo', 'sVlpGUEcXx', 'zVnpLhNqkr', 'wDtp7UhqKw', 'QJYpXth3ln', 'ARypWE3eFn', 'sadpA30utZ'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, JnmGFKWib9eD7ChHAA.cs | High entropy of concatenated method names: 'GqFhn0bLG0', 'UW9hLs3nO2', 'X6ThX9iblv', 'zDWhW64Z1S', 'GpyhtGNUfx', 'c9Ihec6YW6', 'NM2hR8FcTP', 'k1Ph6R00Af', 'tPLhMJ9K06', 'hXfhaxJXSO'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, CBbDDLh3T1HHjGj3XY.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'N8qZ9ClGIm', 'a94ZyYVNYI', 'Fb8ZzMo54B', 'ngruJeqdga', 'nNSuNv5Jov', 'PTpuZXw626', 'hRkuuJ48Ds', 'yun7yn6KnjhQi6M6r4S'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, Usy8xc9q95ZgDBOvJC.csHigh entropy of concatenated method names: 'et86F85T0S', 'BBM6OJ1oWf', 'JrZ6IA5cTu', 'F9b6oioUGw', 'BIk6iiAteD', 'C9h6rmfhBe', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uWu4cpAWnL9t27jHRw.csHigh entropy of concatenated method names: 'PqTfGX4I4h', 'iOJf7OxpHM', 'hK0hI0F1DQ', 'KrghofWOMx', 'GIVhrSXVIg', 'ssEhUAhXTP', 'Xfxhs8Imbd', 'So6hglY4J2', 'mCNhHCneh7', 'de8h0ScsrL'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, sMoq8Am4iwZbrHdDBy.csHigh entropy of concatenated method names: 'DQZNpCyHac', 'fqINYaKEQ3', 'fibNC9eD7C', 'hHANcAjWu4', 'CjHNtRwQS3', 'kGWNeRr3k4', 'm0MmosiB7xtnAQrqcM', 'aJGWYQRlxsL1i17ttg', 'VR5NNdPnr0', 'rTUNuGJJjD'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, tmba8aKoYgmuspHOI7.csHigh entropy of concatenated method names: 'Dispose', 'KBbN9X7tnu', 'tgGZOGyucA', 'yFnjjNNlEl', 'eODNyFSXSy', 'ew8NzjB90a', 'ProcessDialogKey', 'VrlZJsy8xc', 'P95ZNZgDBO', 'WJCZZm3t4K'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, zHT6DHZnyWJKdNK2sX.csHigh entropy of concatenated method names: 'LHf2gXUAn', 'SScn6MkqW', 'AfRLgOHA9', 'c2c7XsXcS', 'wDUWGYxZ8', 'StqA7B7Js', 'Cdswxit9fpJlVxSigT', 'GEukvuyywFcxUhO4LB', 'oX96yTtly', 'SU2aXQFsI'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, DiP8u5scXVdht105uc.csHigh entropy of concatenated method names: 'Mg5pQj7xWO', 'AIaphLJHZn', 'UbspT6a2g9', 'TdrTy2uJ8g', 'GoJTz2NLcq', 't2spJTB9tW', 'wudpNCnUK9', 'VjZpZAV4ZK', 'LfCpukvNW9', 'HxCpmqWgua'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, HDFSXSSy8w8jB90alr.csHigh entropy of concatenated method names: 'Ljx6QsXD48', 'oQO6KqToO5', 'FM26hTeIH6', 'zHZ6fPV5mc', 'Bdo6T2UJQX', 'u5T6p9f6Yo', 'A6M6Yx1xZ2', 'NEF6PvjXih', 'MFI6Crhfmn', 'jQ56cu2Arv'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, k1yQAcDpXg7eQjOkuo.csHigh entropy of concatenated method names: 'JheRCoicpK', 'h6KRccfCwM', 'ToString', 'Hu2RQUyL72', 'XCkRKZQu7I', 'EBlRh9CgQW', 'ESmRflWfWp', 'eHtRTd0dKc', 'iq5RpPyVrL', 'qxnRYg6FFs'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, X7Uu1qE879aj56n2V0.csHigh entropy of concatenated method names: 'f6IVXHTOKd', 'JGAVWukYwT', 'r8DVFWaZJJ', 'O8WVOeV0o3', 'kohVoYM1yM', 'nrqVrP4cra', 'BbeVs9DZ3P', 'qy9VgdB5ry', 'YiiV04jeRg', 'idOV1t6Sne'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, fS3pGWFRr3k4JUXevA.csHigh entropy of concatenated method names: 'JjdT8W22us', 'chPTKFOBaQ', 'ebBTfcGB12', 'AINTpeO8oN', 'yeyTYnKclP', 'LIbfBluxcu', 'vGyflV2bmd', 'CTqfvWQD6p', 'Ox7fSxjPpO', 'uE8f98Iyls'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, F3aJXZzuIpt84KtsRb.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bY9MVSsBDf', 'vQ1Mteo6nd', 'iQXMelKp9E', 'o7eMRAXlSB', 'lfPM6G4KL7', 'qPmMMM6Yle', 'tIPMaFFRiM'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, V0QIKVNJlnuseHsku9S.csHigh entropy of concatenated method names: 'Hu0M47SvJP', 'AJLMkHdraI', 'ITSM2USitb', 'FQRMnL44D0', 'qYmMGR2oD2', 'G12MLP6nMx', 'bMKM7qQ5DX', 'TDHMXnDBmS', 'oSQMWrGC9m', 'd8GMAqvmaU'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, gTkiDHNunwAqWKt01i4.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7maiHV5ef', 'vygadScT5T', 'KsSaxoeEU4', 'yPGaDv1oGl', 'KaqaB5vXBj', 'ObealXyqkI', 'os1avpgqkb'
      Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.csHigh entropy of concatenated method names: 'sSTu8Dr9s1', 'ntEuQQ37kN', 'eoMuKIu7jd', 'HPluhKMtSQ', 'I7ZufxmqMB', 'nhQuTrf317', 'k88upVfORA', 'C3DuYngqNT', 'K0QuPHCIPv', 'NJVuCvnNhw'
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, File created: \soa aug 2024 - cma cgm.exe
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, File created: C:\Users\user\AppData\Roaming\tshjuqE.exe

      Boot Survival

      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: Yara match; File source: Process Memory Space: SOA AUG 2024 - CMA CGM.exe PID: 1664, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: tshjuqE.exe PID: 7020, type: MEMORYSTR
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: F30000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 2A10000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 4A10000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 7960000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 8960000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 8B10000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 9B10000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: 9E70000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: AE70000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: BE70000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 1140000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 2D20000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 4D20000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 7290000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 8290000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 8420000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 9420000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: 9A70000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Memory allocated: AA70000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Code function: 0_2_00F397A0 sidt fword ptr [edi]
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6179
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3513
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe TID: 4156; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5696; Thread sleep time: -4611686018427385s >= -30000s
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe TID: 1484; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (reported twice)
      Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2196556972.0000000000C96000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33^
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe" (reported 3 times)
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" (reported 5 times)
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp"
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" (reported 5 times)
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Queries volume information: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe VolumeInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (reported 6 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (reported 8 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Queries volume information: C:\Users\user\AppData\Roaming\tshjuqE.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\tshjuqE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match; File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match; File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for it)

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
      Behavior Graph ID: 1524994; Sample: SOA AUG 2024 - CMA CGM.exe; Start date: 03/10/2024; Architecture: WINDOWS; Score: 100
      Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures

      Process tree:
      • SOA AUG 2024 - CMA CGM.exe (started)
        • Dropped: C:\Users\user\AppData\Roaming\tshjuqE.exe (PE32); C:\Users\user\...\tshjuqE.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp561C.tmp (XML); C:\Users\...\SOA AUG 2024 - CMA CGM.exe.log (ASCII)
        • Signature: Adds a directory exclusion to Windows Defender
        • powershell.exe (started); Signature: Loading BitLocker PowerShell Module; children: WmiPrvSE.exe (started), conhost.exe (started)
        • schtasks.exe (started); child: conhost.exe (started)
        • vbc.exe (started)
        • 4 other processes
      • tshjuqE.exe (started)
        • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        • schtasks.exe (started); child: conhost.exe (started)
        • vbc.exe (started)
        • vbc.exe (started)
        • 3 other processes

      Source | Detection | Scanner | Label
      SOA AUG 2024 - CMA CGM.exe | 32% | ReversingLabs | Win32.Trojan.CrypterX
      SOA AUG 2024 - CMA CGM.exe | 100% | Avira | HEUR/AGEN.1305639
      SOA AUG 2024 - CMA CGM.exe | 100% | Joe Sandbox ML |
      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\tshjuqE.exe | 100% | Avira | HEUR/AGEN.1305639
      C:\Users\user\AppData\Roaming\tshjuqE.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\tshjuqE.exe | 32% | ReversingLabs | Win32.Trojan.CrypterX
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
      No contacted domains info
      Name | Malicious | Antivirus Detection | Reputation
      www.f6b-crxy.top/cu29/ | true | | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2198245825.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, tshjuqE.exe, 0000000D.00000002.2237054846.0000000002D60000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      No contacted IP infos
        Joe Sandbox version: 41.0.0 Charoite
        Analysis ID: 1524994
        Start date and time: 2024-10-03 15:12:05 +02:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 6m 2s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed: 23
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: SOA AUG 2024 - CMA CGM.exe
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@32/11@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 54
        • Number of non-executed functions: 10
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: SOA AUG 2024 - CMA CGM.exe
        Time | Type | Description
        09:13:02 | API Interceptor | 1x Sleep call for process: SOA AUG 2024 - CMA CGM.exe modified
        09:13:03 | API Interceptor | 13x Sleep call for process: powershell.exe modified
        09:13:06 | API Interceptor | 1x Sleep call for process: tshjuqE.exe modified
        15:13:04 | Task Scheduler | Run new task: tshjuqE path: C:\Users\user\AppData\Roaming\tshjuqE.exe
        Process:C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1216
        Entropy (8bit):5.34331486778365
        Encrypted:false
        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
        MD5:1330C80CAAC9A0FB172F202485E9B1E8
        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
        Malicious:true
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
        Process:C:\Users\user\AppData\Roaming\tshjuqE.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1216
        Entropy (8bit):5.34331486778365
        Encrypted:false
        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
        MD5:1330C80CAAC9A0FB172F202485E9B1E8
        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
        Malicious:false
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):2232
        Entropy (8bit):5.379552885213346
        Encrypted:false
        SSDEEP:48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCZfIfSKRHmOugw1s
        MD5:236CE6553B5DB20FA0B07F9FEA88F4A4
        SHA1:AEB5B156162EC5CD4E0BC3A0BA0F0D4739D40DBD
        SHA-256:3849E9437770B9804D942D293FFAB3C6449B82BA23C0CD3D48DE2C318938FCAD
        SHA-512:90B07AFD72EE353BEA8E2C7ECBB8CDAFB965C91E1B32C5FFE971F60C69004FDEBF5BA429B4DD455210772D2494A8AD60930A8F01C289D0199998A7CC36050FD6
        Malicious:false
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
        File Type:XML 1.0 document, ASCII text
        Category:dropped
        Size (bytes):1594
        Entropy (8bit):5.094511211329217
        Encrypted:false
        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLWxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTev
        MD5:03B86C63ACE4E5FC8CA775F76E9F6D59
        SHA1:612D9D1657B1871B101D32FE007CCBE4FD544635
        SHA-256:5410B997FE270DDC1030E84DC02F562A9E35AA563177007849F6187171AC9F53
        SHA-512:998C88D376A945D3BC10826A277DA3D45EB5FBED5062CD963DF3C36B28BF07DA8152EE95062447E730AC152DED2ABF43ABDB840813BDE09B429ED8555FAC9FF7
        Malicious:true
        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
        Process:C:\Users\user\AppData\Roaming\tshjuqE.exe
        File Type:XML 1.0 document, ASCII text
        Category:dropped
        Size (bytes):1594
        Entropy (8bit):5.094511211329217
        Encrypted:false
        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLWxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTev
        MD5:03B86C63ACE4E5FC8CA775F76E9F6D59
        SHA1:612D9D1657B1871B101D32FE007CCBE4FD544635
        SHA-256:5410B997FE270DDC1030E84DC02F562A9E35AA563177007849F6187171AC9F53
        SHA-512:998C88D376A945D3BC10826A277DA3D45EB5FBED5062CD963DF3C36B28BF07DA8152EE95062447E730AC152DED2ABF43ABDB840813BDE09B429ED8555FAC9FF7
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
        Process:C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):747520
        Entropy (8bit):7.431195542260135
        Encrypted:false
        SSDEEP:12288:CQq8Tj0Kd+D1fDwAmlhwJogsFRot09s4KlV7N5r:h5f0/8gsFRouu/7NZ
        MD5:47F67ECFB3EB722A3D7AEFB8B5AC8B54
        SHA1:78DA020402A8413CDF7D663A196C9CE46577BDBB
        SHA-256:A327355AE6E99929D1303A762EA8A936D8E4884F45D683DE08DBA6882C1C016D
        SHA-512:6B82898B826EE2FC7B8F1E39C4302CB69FEF655BB6CC7389CB8397C8DCCA28CBE3A81EC84D96FB1E13692AA833894B1B2EF7C56628685D42853808495A695CA3
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 32%
        Process:C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:3:ggPYV:rPYV
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:true
        Preview:[ZoneTransfer]....ZoneId=0
        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):7.431195542260135
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
        • Win32 Executable (generic) a (10002005/4) 49.75%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Windows Screen Saver (13104/52) 0.07%
        • Generic Win/DOS Executable (2004/3) 0.01%
        File name:SOA AUG 2024 - CMA CGM.exe
        File size:747'520 bytes
        MD5:47f67ecfb3eb722a3d7aefb8b5ac8b54
        SHA1:78da020402a8413cdf7d663a196c9ce46577bdbb
        SHA256:a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
        SHA512:6b82898b826ee2fc7b8f1e39c4302cb69fef655bb6cc7389cb8397c8dcca28cbe3a81ec84d96fb1e13692aa833894b1b2ef7c56628685d42853808495a695ca3
        SSDEEP:12288:CQq8Tj0Kd+D1fDwAmlhwJogsFRot09s4KlV7N5r:h5f0/8gsFRouu/7NZ
        TLSH:86F437BAD1221F82DA133EB048182B413F3CB67F4A74567C8FD60CA5419DDB9C964BAD
        Icon Hash:00928e8e8686b000
        Entrypoint:0x4b7b5e
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0x83A554D2 [Wed Dec 28 02:00:50 2039 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
        Instruction
        jmp dword ptr [00402000h]
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7b0b | 0x4f | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x62c | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb6058 | 0x70 | .text
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0xb5b64 | 0xb5c00 | 6298b62686ff91c713016aecf92d03cd | False | 0.769540652940165 | data | 7.4353031245498595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc | 0xb8000 | 0x62c | 0x800 | 255403db9296b2011f6b94e802f54706 | False | 0.3388671875 | data | 3.468463333712543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0xba000 | 0xc | 0x200 | a2f3ca54a8fe2ff0f42239c02f7c649b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_VERSION | 0xb8090 | 0x39c | data | | | 0.42207792207792205
        RT_MANIFEST | 0xb843c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
        DLL | Import
        mscoree.dll | _CorExeMain
        No network behavior found

        Target ID:0
        Start time:09:13:02
        Start date:03/10/2024
        Path:C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe"
        Imagebase:0x660000
        File size:747'520 bytes
        MD5 hash:47F67ECFB3EB722A3D7AEFB8B5AC8B54
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
        Reputation:low
        Has exited:true

        Target ID:3
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe"
        Imagebase:0xf80000
        File size:433'152 bytes
        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff66e660000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"
        Imagebase:0xf50000
        File size:187'904 bytes
        MD5 hash:48C2FE20575769DE916F48EF0676A965
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:6
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff66e660000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:7
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:8
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:9
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:10
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:11
        Start time:09:13:03
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:12
        Start time:09:13:04
        Start date:03/10/2024
        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        Imagebase:0x7ff717f30000
        File size:496'640 bytes
        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:13
        Start time:09:13:04
        Start date:03/10/2024
        Path:C:\Users\user\AppData\Roaming\tshjuqE.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\AppData\Roaming\tshjuqE.exe
        Imagebase:0x820000
        File size:747'520 bytes
        MD5 hash:47F67ECFB3EB722A3D7AEFB8B5AC8B54
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
        Antivirus matches:
        • Detection: 100%, Avira
        • Detection: 100%, Joe Sandbox ML
        • Detection: 32%, ReversingLabs
        Reputation:low
        Has exited:true

        Target ID:14
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp"
        Imagebase:0xf50000
        File size:187'904 bytes
        MD5 hash:48C2FE20575769DE916F48EF0676A965
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:15
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff66e660000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:16
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:17
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:18
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:19
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:20
        Start time:09:13:07
        Start date:03/10/2024
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Imagebase:0x240000
        File size:2'625'616 bytes
        MD5 hash:0A7608DB01CAE07792CEA95E792AA866
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:true

          Execution Graph

          Execution Coverage:11.9%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:0%
          Total number of Nodes:114
          Total number of Limit Nodes:6
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8e602c55c2552c1bf49a0b8d2538a7d459c0d79a28b6df83863d4a1919977203
          • Instruction ID: 36766f267ed5cc92387fb5ad5ff55609eca29b754824a57192397b7c1c05b575
          • Opcode Fuzzy Hash: 8e602c55c2552c1bf49a0b8d2538a7d459c0d79a28b6df83863d4a1919977203
          • Instruction Fuzzy Hash: FAF19E30E04219DFDB46EBB8C854AAEBFB2EFC9300F108059E415A7356CB759D46CBA1

          Control-flow Graph

          APIs
          • GetCurrentProcess.KERNEL32 ref: 00F3D0BE
          • GetCurrentThread.KERNEL32 ref: 00F3D0FB
          • GetCurrentProcess.KERNEL32 ref: 00F3D138
          • GetCurrentThreadId.KERNEL32 ref: 00F3D191
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: Current$ProcessThread
          • String ID:
          • API String ID: 2063062207-0
          • Opcode ID: 221fd7735dfbc808a6e0fc1984f394a8ff421499d795772085c5430058a74453
          • Instruction ID: 7b5411019200d322819e2be2765988912eaf59514d1ab9050430853ece48d535
          • Opcode Fuzzy Hash: 221fd7735dfbc808a6e0fc1984f394a8ff421499d795772085c5430058a74453
          • Instruction Fuzzy Hash: 485145B0900349CFEB58DFA9D948B9EBBF1FF88324F208059E019A7361DB745984CB65

          Control-flow Graph

          APIs
          • GetCurrentProcess.KERNEL32 ref: 00F3D0BE
          • GetCurrentThread.KERNEL32 ref: 00F3D0FB
          • GetCurrentProcess.KERNEL32 ref: 00F3D138
          • GetCurrentThreadId.KERNEL32 ref: 00F3D191
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: Current$ProcessThread
          • String ID:
          • API String ID: 2063062207-0
          • Opcode ID: 4bdc505511f6c0da8de17d1ffd7e2853fa54337897fde6b114934ab1c08445bd
          • Instruction ID: f9e0fdcc4011362c08aa9e4444be022e10deddba6d4b9c7419e198e04eb84a66
          • Opcode Fuzzy Hash: 4bdc505511f6c0da8de17d1ffd7e2853fa54337897fde6b114934ab1c08445bd
          • Instruction Fuzzy Hash: D85155B0900349CFEB58DFAAD548B9EBBF1FF88324F208059E419A7360DB745984CB65

          Control-flow Graph

          APIs
          • GetModuleHandleW.KERNEL32(00000000), ref: 00F3AFFE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: HandleModule
          • String ID: N$N
          • API String ID: 4139908857-1044518071
          • Opcode ID: dccd7026c86a9df232f96cc6d2d45cfd8c754290388ba8c6c14223dc2d70d32a
          • Instruction ID: 7a0c72dc0a294a518102eb4a2f73fcde4017596b1352bab56bea313aec670205
          • Opcode Fuzzy Hash: dccd7026c86a9df232f96cc6d2d45cfd8c754290388ba8c6c14223dc2d70d32a
          • Instruction Fuzzy Hash: 4A815670A00B058FD724DF6AD44575ABBF1FF88324F00892ED48ADBA50D775E84ACB92

          Control-flow Graph

          APIs
          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F38476
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          • Opcode ID: 50510680f5aca43b09a0d36ce2dee9cb669f7ab107ae0919c767de3f30a03f64
          • Instruction ID: 789e1d572ae948cbd700c49efa46d0ae0ce900abfaf56cc42ae44e75b848469c
          • Opcode Fuzzy Hash: 50510680f5aca43b09a0d36ce2dee9cb669f7ab107ae0919c767de3f30a03f64
          • Instruction Fuzzy Hash: 68915A71D00229DFEF64CFA8C841BDEBBB2BF48350F148569E819A7240DB789985CF91

          Control-flow Graph

          APIs
          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F38476
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          • Opcode ID: 47e64fa22abfff12ee755a330c1c3c8abc198369b69ed6b43fa3a78af456aafd
          • Instruction ID: d81c812206a8e7e977f35e7467f0c259b88f3a1634e1c42489ffabbebbefcf19
          • Opcode Fuzzy Hash: 47e64fa22abfff12ee755a330c1c3c8abc198369b69ed6b43fa3a78af456aafd
          • Instruction Fuzzy Hash: D7914A71D00229DFEF64CFA8C841BEDBBB2BF48354F148569E819A7240DB789985CF91

          Control-flow Graph

          APIs
          • CreateActCtxA.KERNEL32(?), ref: 00F359C9
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: Create
          • String ID:
          • API String ID: 2289755597-0
          • Opcode ID: 71d85d23692f8142b81f855418e7efec48c38290463599ee0e45ee1fb612d04b
          • Instruction ID: 6717bf59fe3af8fbf6353e388c9db68319e9dfe84395636db28610b6cd2f27f0
          • Opcode Fuzzy Hash: 71d85d23692f8142b81f855418e7efec48c38290463599ee0e45ee1fb612d04b
          • Instruction Fuzzy Hash: DB41D0B1C0071DCBDB24CFA9C988B8EBBB5BF88714F20816AD408AB255DB756946CF50

          Control-flow Graph

          APIs
          • CreateActCtxA.KERNEL32(?), ref: 00F359C9
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: Create
          • String ID:
          • API String ID: 2289755597-0
          • Opcode ID: 418a3e548241914b469c7f40ffa320aaab8216a7efb2962954ad07da5f6127e2
          • Instruction ID: c67de98f401dee4c879e37a9c8fbaab080658148f435ff752464fc51523e0658
          • Opcode Fuzzy Hash: 418a3e548241914b469c7f40ffa320aaab8216a7efb2962954ad07da5f6127e2
          • Instruction Fuzzy Hash: 6341D1B0C0071DCBDF24CFA9C988B9EBBB5BF88714F20816AD408AB255DB756945DF90

          Control-flow Graph

          APIs
          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F3C6BD
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: MessagePost
          • String ID:
          • API String ID: 410705778-0
          • Opcode ID: 6c94c38d373ef7deb36cfd42faa9e050ffa5420308cd08b50433572c038db233
          • Instruction ID: 2595ab27d4f19e06cc1cde74f154ff1db045daf594af70f81c761e20653dffc3
          • Opcode Fuzzy Hash: 6c94c38d373ef7deb36cfd42faa9e050ffa5420308cd08b50433572c038db233
          • Instruction Fuzzy Hash: 662115B68003599FDB50DF9AD849BDEFBF8EB48324F20841AD518A3210C3796554CFA5

          Control-flow Graph

          APIs
          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F37D28
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: 51f626f168f858e0e785c0838b1a8d9031c4613fc502c2bb250d54a7dc9760b8
          • Instruction ID: b18cb26efe3fc6c586d61cc0d376bf8627fdabff1549610790fdbd3ee176f62c
          • Opcode Fuzzy Hash: 51f626f168f858e0e785c0838b1a8d9031c4613fc502c2bb250d54a7dc9760b8
          • Instruction Fuzzy Hash: BE2127B18003499FDB10DFAAC881BEEBBF5FF48310F108429E919A7240D7749910CBA5

          Control-flow Graph

          APIs
          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06F37666
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: ContextThreadWow64
          • String ID:
          • API String ID: 983334009-0
          • Opcode ID: d1ccd9b641336b77a6c61de0d76ad25fce7e45bca8923a4805aa8673cce440eb
          • Instruction ID: 8cac495b9b84a0258cc69bda87e898f3acda9fbdfad03a0962c674c6956c7c6b
          • Opcode Fuzzy Hash: d1ccd9b641336b77a6c61de0d76ad25fce7e45bca8923a4805aa8673cce440eb
          • Instruction Fuzzy Hash: 3A2139B1D003099FDB50DFAAC8857EEBBF4AF88314F14842AD519A7240DB789945CFA5

          Control-flow Graph

          APIs
          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F37D28
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: d519a6b364f37902e495401672dd8de4c615b7b2afcb451e3419b39fa96d6464
          • Instruction ID: a05ef27a1b00d51d7a7d4a9a7d179bf7e4efb2f8c1783192d1d2dd4cf7494bbd
          • Opcode Fuzzy Hash: d519a6b364f37902e495401672dd8de4c615b7b2afcb451e3419b39fa96d6464
          • Instruction Fuzzy Hash: B02119B18003599FDB10DFAAC881BEEBBF5FF48310F108429E518A7240D7759511CBA5

          Control-flow Graph

          APIs
          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06F37666
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: ContextThreadWow64
          • String ID:
          • API String ID: 983334009-0
          • Opcode ID: 438c47b195adf24702e2a61773b244cc96881b42692895de9ca64f65ce8a5cde
          • Instruction ID: eb08f6af89117390171e4965a08f67f18e9a000d267f22e46aad794e9a0e5d59
          • Opcode Fuzzy Hash: 438c47b195adf24702e2a61773b244cc96881b42692895de9ca64f65ce8a5cde
          • Instruction Fuzzy Hash: 522129B1D003098FDB50DFAAC4857EEBBF4EF88324F54842AD519A7240DB789945CFA5
          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3D717
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: 38f86b5b78ce5ca9364f667be412938c3f00b86f9465cbacb306c96fb260fe45
          • Instruction ID: 483beb6821944bff9d261515500a340f578bc0480002d74272be9a661256eaba
          • Opcode Fuzzy Hash: 38f86b5b78ce5ca9364f667be412938c3f00b86f9465cbacb306c96fb260fe45
          • Instruction Fuzzy Hash: 8521C4B5900249DFDB10CFAAD984ADEBBF8FB48320F14841AE918A3350D375A954CFA5

          Control-flow Graph

          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3D717
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: bbb966c5bd4c201cffb870dc8f9a086cb29b15aabd0b886737302dd6708f8822
          • Instruction ID: 8450b6692cb57d18cb35fbbc0b4f5e5797a0f1516a776311d948ea02cbda870b
          • Opcode Fuzzy Hash: bbb966c5bd4c201cffb870dc8f9a086cb29b15aabd0b886737302dd6708f8822
          • Instruction Fuzzy Hash: 7221E3B5900249DFDB10CFAAD984ADEBBF5FB48324F14841AE918A3310D374A954CF61
          APIs
          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F3772E
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: c042c9f9ce54d49ea18db3de6584385109dad9daeede7ada7a2223aaf69b04d9
          • Instruction ID: d6e664950376c5fd660726748317b679fb2d401b93ec69a16135aeec09c9ad35
          • Opcode Fuzzy Hash: c042c9f9ce54d49ea18db3de6584385109dad9daeede7ada7a2223aaf69b04d9
          • Instruction Fuzzy Hash: 11115972900249DFDB10DFAAC844BDEFBF6EF88314F248419E559A7250C7799950CBA4
          APIs
          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F3772E
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 544f7d8c4027151a24a1b7917fd5ba9681a9e5ea7f09d4884e6ca9416d603f39
          • Instruction ID: 9ae1ab277431b2322a9c9425eb7a7a71f450235b54a3bd91806ac3400ae4816b
          • Opcode Fuzzy Hash: 544f7d8c4027151a24a1b7917fd5ba9681a9e5ea7f09d4884e6ca9416d603f39
          • Instruction Fuzzy Hash: 44112672900249DFDB10DFAAC845BDEBBF5EF88320F248419E519A7250C775A950CBA5
          APIs
          • GetModuleHandleW.KERNEL32(00000000), ref: 00F3AFFE
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: HandleModule
          • String ID:
          • API String ID: 4139908857-0
          • Opcode ID: 9e13256901ecab5bffda74096e2f87e6c28a09b173434e5cf801f077494bb28c
          • Instruction ID: dc8557534c66b554ca3d06a5bb0dd37f5ea92dacfe33c1997402110d10ceb456
          • Opcode Fuzzy Hash: 9e13256901ecab5bffda74096e2f87e6c28a09b173434e5cf801f077494bb28c
          • Instruction Fuzzy Hash: 091110B6C003498FCB14CF9AC444BDEFBF4AF88324F10842AD928A7210D3B9A545CFA1
          APIs
          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F3C6BD
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID: MessagePost
          • String ID:
          • API String ID: 410705778-0
          • Opcode ID: 2159cd07479e923828f9dd05f1d35bbe9c7d541857604912715975ed7a9dcc38
          • Instruction ID: 8de8b81f5acc7bf3044f0987a555cae101216a023e11ddaf61f01ab2931b7130
          • Opcode Fuzzy Hash: 2159cd07479e923828f9dd05f1d35bbe9c7d541857604912715975ed7a9dcc38
          • Instruction Fuzzy Hash: 4311E3B58003499FDB50DF9AD945BEEBBF8EB48320F10841AE918B7210D375A954CFA5
          Memory Dump Source
          • Source File: 00000000.00000002.2197327191.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_edd000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f4d93d7f971a4d4831ec185e0b1ae9daa69a176bebb2988f446458ef855fd68a
          • Instruction ID: 35bb8754575903993239bfaca1fe6215c9aa93fe2affa7f4c14d534738d5b62b
          • Opcode Fuzzy Hash: f4d93d7f971a4d4831ec185e0b1ae9daa69a176bebb2988f446458ef855fd68a
          • Instruction Fuzzy Hash: C221F172508240EFDB05DF54DDC0B2ABFA5FB88314F20856AE9091A366C376D817CBA1
          Memory Dump Source
          • Source File: 00000000.00000002.2197427518.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_eed000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 46307277d55193fdc5aee1b4c8d277619a37732e1d3b1bc88a59a9eba6e61c8b
          • Instruction ID: ad5770246b8d5fe6997f3404c33cd041ce471c6d7a0bbee8691cba2da1b85cff
          • Opcode Fuzzy Hash: 46307277d55193fdc5aee1b4c8d277619a37732e1d3b1bc88a59a9eba6e61c8b
          • Instruction Fuzzy Hash: 52213475608388EFCB14DF15D9C0B26BB66FB84318F28C56DD90A5B292C37BD807CA61
          Memory Dump Source
          • Source File: 00000000.00000002.2197427518.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_eed000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: df0de72dd896a339bc9db67fa1a12ddf23e3ea545a6cab933345cd7ac66eabcd
          • Instruction ID: 7f0f0696f5721d79f952b972d761e69aa026a5773958e97e968265b927f54c55
          • Opcode Fuzzy Hash: df0de72dd896a339bc9db67fa1a12ddf23e3ea545a6cab933345cd7ac66eabcd
          • Instruction Fuzzy Hash: 25214675508388EFDB04DF51DDC0B26BBA5FB88318F20C56DEA095B2A2C376D806CA61
          Memory Dump Source
          • Source File: 00000000.00000002.2197427518.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_eed000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7ef2ac39ab9d4b7d18c1473f44a481cc51c577ef60e315a2cd23f38849ce3a06
          • Instruction ID: fd508d0cf58dc9f7a5c920aa2be16709419768a23d7bc8f7d460c17e39b1d65d
          • Opcode Fuzzy Hash: 7ef2ac39ab9d4b7d18c1473f44a481cc51c577ef60e315a2cd23f38849ce3a06
          • Instruction Fuzzy Hash: 6821537550D3C48FDB12CF24D994715BF72EB46314F28C5EAD8498B6A7C33A980ACB62
          Memory Dump Source
          • Source File: 00000000.00000002.2197327191.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_edd000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
          • Instruction ID: 9c3ac401006c82e871bafdc80fe70111670e0fec5de4d911aab9b843c70cbc55
          • Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
          • Instruction Fuzzy Hash: D621AF76508284DFCB06CF50D9C4B56BF72FB84314F24C5AADC091B666C33AD826CBA1
          Memory Dump Source
          • Source File: 00000000.00000002.2197427518.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_eed000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
          • Instruction ID: b23d55dadc6ba77f63cb5238fd645ac8ee9f345a2d8c037e8eb9574f5cf256ee
          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
          • Instruction Fuzzy Hash: 9D11DD79508284DFCB01CF50CAC0B15FBB1FB88318F24C6ADD9494B2A6C33AD81ACB61
          Memory Dump Source
          • Source File: 00000000.00000002.2197327191.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_edd000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b9f450d2fca89d274354d182e16a0b90c466bb2bd484b6bb376ef8cccbfb5845
          • Instruction ID: 9e7484b03cc2039b8f97319d6fd36bf5dd44b74f1352aa6d4f42877fc0ff898e
          • Opcode Fuzzy Hash: b9f450d2fca89d274354d182e16a0b90c466bb2bd484b6bb376ef8cccbfb5845
          • Instruction Fuzzy Hash: 9F012B7140C3409AE7104F25CDC4B66BF98DF41334F18D59BED086E396D6799842C6B1
          Memory Dump Source
          • Source File: 00000000.00000002.2197327191.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_edd000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ddbc7a65571a004c19a49df4c3ee1607f9a0fa0b0489c246867a92a579c22e47
          • Instruction ID: df27aa1e298bbfede516ba2a6aca0ecbc57138ad54dfd976110558367c306c95
          • Opcode Fuzzy Hash: ddbc7a65571a004c19a49df4c3ee1607f9a0fa0b0489c246867a92a579c22e47
          • Instruction Fuzzy Hash: 0EF0C2714083449AE7108E15CCC8B62FF98EB91738F18D45BED0C5A386C2799845CBB1
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c1c01f2992c5837a27426bbcc8b6e991189ffd05215d40d9d7f034f69d35cce4
          • Instruction ID: 81e60d1c550b0a108457b715d28a1f6fdd937312c0125d133c10e083142b9ef5
          • Opcode Fuzzy Hash: c1c01f2992c5837a27426bbcc8b6e991189ffd05215d40d9d7f034f69d35cce4
          • Instruction Fuzzy Hash: 8FE10C74E002698FDB14DFA9C580AAEFBF2FF89314F249259D414AB355D731A942CFA0
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 906f199f1d57e63fd793f07d470cfb71ff5787b399cf82a4bfe6295dcb9446ed
          • Instruction ID: e5735c6df7a54e2abe467d09166e62d0ccd7bed5872e6a849827326c9559303e
          • Opcode Fuzzy Hash: 906f199f1d57e63fd793f07d470cfb71ff5787b399cf82a4bfe6295dcb9446ed
          • Instruction Fuzzy Hash: 4EE11C74E002698FDB14DFA9C590AAEFBF2FF89314F248169D414AB355D731A982CF60
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: bf827a5b1d02ef9066fa70563d2bee53b0540cecc63d0fc788116754d36b9e01
          • Instruction ID: 5b358f0dace2a2765b6f37ae73d2e75dee4ba17e276c645a5c6ee2c241de6f8f
          • Opcode Fuzzy Hash: bf827a5b1d02ef9066fa70563d2bee53b0540cecc63d0fc788116754d36b9e01
          • Instruction Fuzzy Hash: 28E12C74E002699FDB14DFA9C580AAEFBF2FF88315F248169D414AB359D731A942CF60
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 44067e1cd8d3803b98019bc0d34e10046b93a21fbf6fe9c0c1306d276f6c41fc
          • Instruction ID: 19c0b9729d25c8884c2c1385dd4adc3101fcead387ccc6b2d015a2983ad0285e
          • Opcode Fuzzy Hash: 44067e1cd8d3803b98019bc0d34e10046b93a21fbf6fe9c0c1306d276f6c41fc
          • Instruction Fuzzy Hash: DFE11CB4E002698FDB14DFA9C580AAEFBF2FF49314F248259D414AB359D731A942CF64
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 377ebbb54a0bc7a3adfab6bac8374dc0f9c954cf60575700db38a5d712063a7b
          • Instruction ID: dc2d48eae267d52e530cbef2e001dc33f68f77180d6b43fbe082c6695ff5a693
          • Opcode Fuzzy Hash: 377ebbb54a0bc7a3adfab6bac8374dc0f9c954cf60575700db38a5d712063a7b
          • Instruction Fuzzy Hash: E3E12D74E002698FDB54DFA9C580AAEFBF2FF89314F248159D414A7359C731A942CF60
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 93f2dacf3908951a9ac0577aaf7d884dd9700cf3c0b407c57a6848071672c2a1
          • Instruction ID: 7bee30c808e27e4bf7df5c1176daecf9d0a9540d1a7e732c076b6aef0184f242
          • Opcode Fuzzy Hash: 93f2dacf3908951a9ac0577aaf7d884dd9700cf3c0b407c57a6848071672c2a1
          • Instruction Fuzzy Hash: 0EA17D32E00209CFCF19DFB4D84099EBBB2FF85320B15817AE805AB265DB75E919DB40
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: dfb8224831fef6f3b494130beb0758be336c3663af090fb67a56eb12699d4393
          • Instruction ID: 40fe86d1e022ac85203e2d289865cdb14ac3d0033b0dd586c37833566410917c
          • Opcode Fuzzy Hash: dfb8224831fef6f3b494130beb0758be336c3663af090fb67a56eb12699d4393
          • Instruction Fuzzy Hash: 22511B71E002699FDB14CFA9C9406AEFBF6FF89310F24C169D418A7215D731AA42CFA1
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c07202636e670c5244e0cf33598d9fac6e4b8502a174cea4814bf7431ebadecc
          • Instruction ID: 227ca59b273b5d3a224b356657ccf7f825145f99ff3bfb50f61c056c5c3dd86e
          • Opcode Fuzzy Hash: c07202636e670c5244e0cf33598d9fac6e4b8502a174cea4814bf7431ebadecc
          • Instruction Fuzzy Hash: EF510E74E002698FDB14DFA9C9805AEFBF6FF89310F248169D418AB356D731A942CF61
          Memory Dump Source
          • Source File: 00000000.00000002.2208077377.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_6f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c03507a62f22a4e647aec93116449a892cb8d1a0983db78455ec924909029ec6
          • Instruction ID: a54858a8d98d099bf166fd8407d8af7b75bd57d51d7a422e2330668355191bfc
          • Opcode Fuzzy Hash: c03507a62f22a4e647aec93116449a892cb8d1a0983db78455ec924909029ec6
          • Instruction Fuzzy Hash: 26510974E002698FDB14DFA9C5806AEFBF6FF89314F248169D418A7315D731A942CFA1
          Memory Dump Source
          • Source File: 00000000.00000002.2197678267.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f30000_SOA AUG 2024 - CMA CGM.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5c8ab538dc0b21969d87489f5f150c007af1e630e25eee7548fd1f12f8c24876
          • Instruction ID: 4e1ae34a944457656c46b00f83d62efd90ca0ba6eb828ea750cbcae364c762f0
          • Opcode Fuzzy Hash: 5c8ab538dc0b21969d87489f5f150c007af1e630e25eee7548fd1f12f8c24876
          • Instruction Fuzzy Hash: 9FD0C97599A3824EC382C6348858084BFB27A9628432800DEC240CF297DB65450A8712

          Execution Graph

          Execution Coverage: 9.9%
          Dynamic/Decrypted Code Coverage: 100%
          Signature Coverage: 0%
          Total number of Nodes: 212
          Total number of Limit Nodes: 4
          execution_graph 35558 9a6a426 35559 9a6a3b4 35558->35559 35560 9a6a429 35558->35560 35561 9a6a3e2 35559->35561 35568 9a6aa36 35559->35568 35573 9a6a84d 35559->35573 35577 9a6addf 35559->35577 35582 9a6ae6e 35559->35582 35587 9a6b135 35559->35587 35592 9a6aa65 35559->35592 35569 9a6aa78 35568->35569 35597 9a676c0 35569->35597 35601 9a676b8 35569->35601 35570 9a6aa99 35570->35561 35570->35570 35605 9a68235 35573->35605 35609 9a68240 35573->35609 35578 9a6ae15 35577->35578 35613 9a67ca0 35578->35613 35617 9a67ca8 35578->35617 35579 9a6ae97 35583 9a6ae74 35582->35583 35584 9a6ae97 35583->35584 35585 9a67ca0 ReadProcessMemory 35583->35585 35586 9a67ca8 ReadProcessMemory 35583->35586 35585->35584 35586->35584 35588 9a6b20c 35587->35588 35621 9a675e0 35588->35621 35625 9a675e8 35588->35625 35589 9a6b22a 35593 9a6aa72 35592->35593 35595 9a67ca0 ReadProcessMemory 35593->35595 35596 9a67ca8 ReadProcessMemory 35593->35596 35594 9a6ae97 35595->35594 35596->35594 35598 9a67700 VirtualAllocEx 35597->35598 35600 9a6773d 35598->35600 35600->35570 35602 9a67700 VirtualAllocEx 35601->35602 35604 9a6773d 35602->35604 35604->35570 35606 9a682c9 CreateProcessA 35605->35606 35608 9a6848b 35606->35608 35610 9a682c9 CreateProcessA 35609->35610 35612 9a6848b 35610->35612 35614 9a67cf3 ReadProcessMemory 35613->35614 35616 9a67d37 35614->35616 35616->35579 35618 9a67cf3 ReadProcessMemory 35617->35618 35620 9a67d37 35618->35620 35620->35579 35622 9a6762d Wow64GetThreadContext 35621->35622 35624 9a67675 35622->35624 35624->35589 35626 9a6762d Wow64GetThreadContext 35625->35626 35628 9a67675 35626->35628 35628->35589 35765 10ed01c 35766 10ed034 35765->35766 35767 10ed08e 35766->35767 35770 52a2808 35766->35770 35775 52a2818 35766->35775 35771 52a280d 35770->35771 35772 52a2877 35771->35772 35780 52a29a0 35771->35780 35785 52a2990 35771->35785 35776 52a2845 35775->35776 35777 52a2877 35776->35777 35778 52a29a0 2 API calls 35776->35778 35779 52a2990 2 API calls 35776->35779 35778->35777 
35779->35777 35781 52a29b4 35780->35781 35790 52a2a48 35781->35790 35794 52a2a58 35781->35794 35782 52a2a40 35782->35772 35787 52a29b4 35785->35787 35786 52a2a40 35786->35772 35788 52a2a48 2 API calls 35787->35788 35789 52a2a58 2 API calls 35787->35789 35788->35786 35789->35786 35791 52a2a58 35790->35791 35793 52a2a69 35791->35793 35797 52a4013 35791->35797 35793->35782 35795 52a2a69 35794->35795 35796 52a4013 2 API calls 35794->35796 35795->35782 35796->35795 35801 52a4030 35797->35801 35805 52a4040 35797->35805 35798 52a402a 35798->35793 35802 52a4040 35801->35802 35803 52a40da CallWindowProcW 35802->35803 35804 52a4089 35802->35804 35803->35804 35804->35798 35806 52a4082 35805->35806 35808 52a4089 35805->35808 35807 52a40da CallWindowProcW 35806->35807 35806->35808 35807->35808 35808->35798 35629 12f4668 35630 12f467a 35629->35630 35631 12f4686 35630->35631 35635 12f4779 35630->35635 35640 12f3e28 35631->35640 35633 12f46a5 35636 12f479d 35635->35636 35644 12f4879 35636->35644 35648 12f4888 35636->35648 35641 12f3e33 35640->35641 35656 12f5c44 35641->35656 35643 12f7048 35643->35633 35646 12f4888 35644->35646 35645 12f498c 35645->35645 35646->35645 35652 12f44b0 35646->35652 35649 12f48af 35648->35649 35650 12f498c 35649->35650 35651 12f44b0 CreateActCtxA 35649->35651 35651->35650 35653 12f5918 CreateActCtxA 35652->35653 35655 12f59db 35653->35655 35655->35655 35657 12f5c4f 35656->35657 35660 12f5c64 35657->35660 35659 12f70ed 35659->35643 35661 12f5c6f 35660->35661 35664 12f5c94 35661->35664 35663 12f71c2 35663->35659 35665 12f5c9f 35664->35665 35668 12f5cc4 35665->35668 35667 12f72c5 35667->35663 35669 12f5ccf 35668->35669 35671 12f85cb 35669->35671 35675 12fac78 35669->35675 35670 12f8609 35670->35667 35671->35670 35679 12fcd78 35671->35679 35684 12fcd68 35671->35684 35689 12faca0 35675->35689 35693 12facb0 35675->35693 35676 12fac8e 35676->35671 35680 12fcd99 35679->35680 35681 12fcdbd 35680->35681 35701 12fcf19 35680->35701 35705 12fcf28 35680->35705 
35681->35670 35685 12fcd99 35684->35685 35686 12fcdbd 35685->35686 35687 12fcf19 GetModuleHandleW 35685->35687 35688 12fcf28 GetModuleHandleW 35685->35688 35686->35670 35687->35686 35688->35686 35690 12facb0 35689->35690 35696 12fada8 35690->35696 35691 12facbf 35691->35676 35695 12fada8 GetModuleHandleW 35693->35695 35694 12facbf 35694->35676 35695->35694 35697 12faddc 35696->35697 35698 12fadb9 35696->35698 35697->35691 35698->35697 35699 12fafe0 GetModuleHandleW 35698->35699 35700 12fb00d 35699->35700 35700->35691 35702 12fcf28 35701->35702 35703 12fcf6f 35702->35703 35709 12fbae0 35702->35709 35703->35681 35706 12fcf35 35705->35706 35707 12fbae0 GetModuleHandleW 35706->35707 35708 12fcf6f 35706->35708 35707->35708 35708->35681 35710 12fbaeb 35709->35710 35712 12fdc88 35710->35712 35713 12fd2dc 35710->35713 35712->35712 35714 12fd2e7 35713->35714 35715 12f5cc4 GetModuleHandleW 35714->35715 35716 12fdcf7 35715->35716 35716->35712 35831 52a8f53 35832 52a8f60 35831->35832 35833 52a8b44 GetModuleHandleW 35832->35833 35834 52a8f6f 35833->35834 35717 52a6be0 35718 52a6c0d 35717->35718 35735 52a6a30 35718->35735 35720 52a6c4e 35721 52a6a30 GetModuleHandleW 35720->35721 35722 52a6c80 35721->35722 35740 52a6a40 35722->35740 35725 52a6a40 GetModuleHandleW 35726 52a6ce4 35725->35726 35727 52a6a30 GetModuleHandleW 35726->35727 35728 52a6d16 35727->35728 35744 52a6a50 35728->35744 35730 52a6d48 35731 52a6a50 GetModuleHandleW 35730->35731 35732 52a6d7a 35731->35732 35733 52a6a50 GetModuleHandleW 35732->35733 35734 52a6dac 35733->35734 35736 52a6a3b 35735->35736 35739 12f5cc4 GetModuleHandleW 35736->35739 35748 12f8308 35736->35748 35737 52a7cf3 35737->35720 35739->35737 35741 52a6a4b 35740->35741 35755 52a8b44 35741->35755 35743 52a6cb2 35743->35725 35745 52a6a5b 35744->35745 35760 52ae418 35745->35760 35747 52af871 35747->35730 35749 12f830b 35748->35749 35751 12f85cb 35749->35751 35752 12fac78 GetModuleHandleW 35749->35752 35750 12f8609 35750->35737 35751->35750 35753 
12fcd68 GetModuleHandleW 35751->35753 35754 12fcd78 GetModuleHandleW 35751->35754 35752->35751 35753->35750 35754->35750 35756 52a8b4f 35755->35756 35757 52a8fa2 35756->35757 35758 12f8308 GetModuleHandleW 35756->35758 35759 12f5cc4 GetModuleHandleW 35756->35759 35757->35743 35758->35757 35759->35757 35761 52ae423 35760->35761 35763 12f8308 GetModuleHandleW 35761->35763 35764 12f5cc4 GetModuleHandleW 35761->35764 35762 52afd6c 35762->35747 35763->35762 35764->35762 35809 9a6b608 35810 9a6b793 35809->35810 35812 9a6b62e 35809->35812 35812->35810 35813 9a67f7c 35812->35813 35814 9a6b888 PostMessageW 35813->35814 35815 9a6b8f4 35814->35815 35815->35812 35816 12fd040 35817 12fd086 35816->35817 35821 12fd628 35817->35821 35824 12fd618 35817->35824 35818 12fd173 35828 12fd27c 35821->35828 35825 12fd628 35824->35825 35826 12fd27c DuplicateHandle 35825->35826 35827 12fd656 35826->35827 35827->35818 35829 12fd690 DuplicateHandle 35828->35829 35830 12fd656 35829->35830 35830->35818

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 37 9a68235-9a682d5 39 9a682d7-9a682e1 37->39 40 9a6830e-9a6832e 37->40 39->40 41 9a682e3-9a682e5 39->41 47 9a68367-9a68396 40->47 48 9a68330-9a6833a 40->48 42 9a682e7-9a682f1 41->42 43 9a68308-9a6830b 41->43 45 9a682f5-9a68304 42->45 46 9a682f3 42->46 43->40 45->45 50 9a68306 45->50 46->45 56 9a683cf-9a68489 CreateProcessA 47->56 57 9a68398-9a683a2 47->57 48->47 49 9a6833c-9a6833e 48->49 51 9a68340-9a6834a 49->51 52 9a68361-9a68364 49->52 50->43 54 9a6834e-9a6835d 51->54 55 9a6834c 51->55 52->47 54->54 58 9a6835f 54->58 55->54 68 9a68492-9a68518 56->68 69 9a6848b-9a68491 56->69 57->56 59 9a683a4-9a683a6 57->59 58->52 61 9a683a8-9a683b2 59->61 62 9a683c9-9a683cc 59->62 63 9a683b6-9a683c5 61->63 64 9a683b4 61->64 62->56 63->63 66 9a683c7 63->66 64->63 66->62 79 9a6851a-9a6851e 68->79 80 9a68528-9a6852c 68->80 69->68 79->80 81 9a68520 79->81 82 9a6852e-9a68532 80->82 83 9a6853c-9a68540 80->83 81->80 82->83 86 9a68534 82->86 84 9a68542-9a68546 83->84 85 9a68550-9a68554 83->85 84->85 87 9a68548 84->87 88 9a68566-9a6856d 85->88 89 9a68556-9a6855c 85->89 86->83 87->85 90 9a68584 88->90 91 9a6856f-9a6857e 88->91 89->88 93 9a68585 90->93 91->90 93->93
          APIs
          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09A68476
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          • Opcode ID: c0ce97187ec2d9a78981f255fd2f081c1473258c1d104d344f50eefb7de9da0d
          • Instruction ID: 8097676ffd41f6e208ffa8f1947fcea8985471083419936e26bc5c373f58665d
          • Opcode Fuzzy Hash: c0ce97187ec2d9a78981f255fd2f081c1473258c1d104d344f50eefb7de9da0d
          • Instruction Fuzzy Hash: 77A14871D00319DFEB24CF68C841BADBBB6BF48710F1485A9E819A7290DB789985CF91

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 94 9a68240-9a682d5 96 9a682d7-9a682e1 94->96 97 9a6830e-9a6832e 94->97 96->97 98 9a682e3-9a682e5 96->98 104 9a68367-9a68396 97->104 105 9a68330-9a6833a 97->105 99 9a682e7-9a682f1 98->99 100 9a68308-9a6830b 98->100 102 9a682f5-9a68304 99->102 103 9a682f3 99->103 100->97 102->102 107 9a68306 102->107 103->102 113 9a683cf-9a68489 CreateProcessA 104->113 114 9a68398-9a683a2 104->114 105->104 106 9a6833c-9a6833e 105->106 108 9a68340-9a6834a 106->108 109 9a68361-9a68364 106->109 107->100 111 9a6834e-9a6835d 108->111 112 9a6834c 108->112 109->104 111->111 115 9a6835f 111->115 112->111 125 9a68492-9a68518 113->125 126 9a6848b-9a68491 113->126 114->113 116 9a683a4-9a683a6 114->116 115->109 118 9a683a8-9a683b2 116->118 119 9a683c9-9a683cc 116->119 120 9a683b6-9a683c5 118->120 121 9a683b4 118->121 119->113 120->120 123 9a683c7 120->123 121->120 123->119 136 9a6851a-9a6851e 125->136 137 9a68528-9a6852c 125->137 126->125 136->137 138 9a68520 136->138 139 9a6852e-9a68532 137->139 140 9a6853c-9a68540 137->140 138->137 139->140 143 9a68534 139->143 141 9a68542-9a68546 140->141 142 9a68550-9a68554 140->142 141->142 144 9a68548 141->144 145 9a68566-9a6856d 142->145 146 9a68556-9a6855c 142->146 143->140 144->142 147 9a68584 145->147 148 9a6856f-9a6857e 145->148 146->145 150 9a68585 147->150 148->147 150->150
          APIs
          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09A68476
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          • Opcode ID: b4cf864bc1fd3afef58dd47bfc914ca398938087c3b58ac39d188c2f3c08c118
          • Instruction ID: 2e7697d3475523ee19eb0bca7080e7b1f64c4fbd99953a6d8d6e6be92ff7495e
          • Opcode Fuzzy Hash: b4cf864bc1fd3afef58dd47bfc914ca398938087c3b58ac39d188c2f3c08c118
          • Instruction Fuzzy Hash: FD916871D00319DFEF20CF68C841BADBBB6BF48710F048169E809A7290DB789985CF91

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 151 12fada8-12fadb7 152 12fadb9-12fadc6 call 12fa0cc 151->152 153 12fade3-12fade7 151->153 160 12faddc 152->160 161 12fadc8 152->161 155 12fadfb-12fae3c 153->155 156 12fade9-12fadf3 153->156 162 12fae3e-12fae46 155->162 163 12fae49-12fae57 155->163 156->155 160->153 207 12fadce call 12fb030 161->207 208 12fadce call 12fb040 161->208 162->163 164 12fae7b-12fae7d 163->164 165 12fae59-12fae5e 163->165 170 12fae80-12fae87 164->170 167 12fae69 165->167 168 12fae60-12fae67 call 12fa0d8 165->168 166 12fadd4-12fadd6 166->160 169 12faf18-12fafd8 166->169 174 12fae6b-12fae79 167->174 168->174 202 12fafda-12fafdd 169->202 203 12fafe0-12fb00b GetModuleHandleW 169->203 171 12fae89-12fae91 170->171 172 12fae94-12fae9b 170->172 171->172 175 12fae9d-12faea5 172->175 176 12faea8-12faeaa call 12fa0e8 172->176 174->170 175->176 180 12faeaf-12faeb1 176->180 182 12faebe-12faec3 180->182 183 12faeb3-12faebb 180->183 184 12faec5-12faecc 182->184 185 12faee1-12faeee 182->185 183->182 184->185 187 12faece-12faede call 12fa0f8 call 12fa108 184->187 191 12faf11-12faf17 185->191 192 12faef0-12faf0e 185->192 187->185 192->191 202->203 204 12fb00d-12fb013 203->204 205 12fb014-12fb028 203->205 204->205 207->166 208->166
          APIs
          • GetModuleHandleW.KERNELBASE(00000000), ref: 012FAFFE
          Memory Dump Source
          • Source File: 0000000D.00000002.2236517555.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_12f0000_tshjuqE.jbxd
          Similarity
          • API ID: HandleModule
          • String ID:
          • API String ID: 4139908857-0
          • Opcode ID: e9065746eab2977f780fd9297926ebddc5833a1b2557c6bcd309bc21ea87eaea
          • Instruction ID: 1812fce855d6d049040d847d169905611dbc8a432b8836dc00f58d11e1748e14
          • Opcode Fuzzy Hash: e9065746eab2977f780fd9297926ebddc5833a1b2557c6bcd309bc21ea87eaea
          • Instruction Fuzzy Hash: 89712570A10B068FE724DF2AD45575ABBF1FF88300F008A2DD69AD7A50DB75E849CB91

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 209 12f44b0-12f59d9 CreateActCtxA 212 12f59db-12f59e1 209->212 213 12f59e2-12f5a3c 209->213 212->213 220 12f5a3e-12f5a41 213->220 221 12f5a4b-12f5a4f 213->221 220->221 222 12f5a51-12f5a5d 221->222 223 12f5a60 221->223 222->223 225 12f5a61 223->225 225->225
          APIs
          • CreateActCtxA.KERNEL32(?), ref: 012F59C9
          Memory Dump Source
          • Source File: 0000000D.00000002.2236517555.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_12f0000_tshjuqE.jbxd
          Similarity
          • API ID: Create
          • String ID:
          • API String ID: 2289755597-0
          • Opcode ID: d1417a232f535917d0041a8eb0117538ba93e95650d5834a8424729342651ef4
          • Instruction ID: 6d685707c85b1c9191f56d885ebf01833c90a1b80aee1d071f7bc4f9c36f9ced
          • Opcode Fuzzy Hash: d1417a232f535917d0041a8eb0117538ba93e95650d5834a8424729342651ef4
          • Instruction Fuzzy Hash: CC41F171C1072DCBDB24CFA9C984B8EFBB5BF48704F60806AD508AB251DBB16949CF90

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 226 12f590c-12f59d9 CreateActCtxA 228 12f59db-12f59e1 226->228 229 12f59e2-12f5a3c 226->229 228->229 236 12f5a3e-12f5a41 229->236 237 12f5a4b-12f5a4f 229->237 236->237 238 12f5a51-12f5a5d 237->238 239 12f5a60 237->239 238->239 241 12f5a61 239->241 241->241
          APIs
          • CreateActCtxA.KERNEL32(?), ref: 012F59C9
          Memory Dump Source
          • Source File: 0000000D.00000002.2236517555.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_12f0000_tshjuqE.jbxd
          Similarity
          • API ID: Create
          • String ID:
          • API String ID: 2289755597-0
          • Opcode ID: d7ad65108ca60ad1a9d3b765f4067b516ec5ff07c09239800a35e12d427e2e06
          • Instruction ID: e202c6af0b099a17076ed03b310652a5fadb59fd4e6ef7b15354e8b6d1897711
          • Opcode Fuzzy Hash: d7ad65108ca60ad1a9d3b765f4067b516ec5ff07c09239800a35e12d427e2e06
          • Instruction Fuzzy Hash: 3241FFB1C1072DCBDB24CFA9C9847CDBBB1BF48704F20806AD508AB251DBB5694ACF90

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 242 52a4040-52a407c 243 52a412c-52a414c 242->243 244 52a4082-52a4087 242->244 250 52a414f-52a415c 243->250 245 52a40da-52a4112 CallWindowProcW 244->245 246 52a4089-52a40c0 244->246 248 52a411b-52a412a 245->248 249 52a4114-52a411a 245->249 252 52a40c9-52a40d8 246->252 253 52a40c2-52a40c8 246->253 248->250 249->248 252->250 253->252
          APIs
          • CallWindowProcW.USER32(?,?,?,?,?), ref: 052A4101
          Memory Dump Source
          • Source File: 0000000D.00000002.2239747818.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_52a0000_tshjuqE.jbxd
          Similarity
          • API ID: CallProcWindow
          • String ID:
          • API String ID: 2714655100-0
          • Opcode ID: e10c530f859d1f981458c929497421d5115dd88f6ce8ef093c76e6c924cccb6a
          • Instruction ID: 8821452fa2cae45fd1c0a6f191b2a51ab3a13e213783521b7f37de17f9ec069c
          • Opcode Fuzzy Hash: e10c530f859d1f981458c929497421d5115dd88f6ce8ef093c76e6c924cccb6a
          • Instruction Fuzzy Hash: C04138B5A103099FCB14CF89C448AAABBF5FF88314F24C459D519AB321D7B4A841CFA0

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 256 9a67ca0-9a67d35 ReadProcessMemory 259 9a67d37-9a67d3d 256->259 260 9a67d3e-9a67d6e 256->260 259->260
          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09A67D28
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: 0a978051e9ba9b0cab1b18637d1a8b2504550ff80555ac21f30cb4f018dd4b76
          • Instruction ID: b7a65ac0cae1bfca6aab6bde7aae1d30e2745bbf01efc38745dd4d978276505b
          • Opcode Fuzzy Hash: 0a978051e9ba9b0cab1b18637d1a8b2504550ff80555ac21f30cb4f018dd4b76
          • Instruction Fuzzy Hash: AB2107719003499FDB10CFA9C881AEEBBF5FF88710F14882AE919A7250D7759910CBA1

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 270 9a675e0-9a67633 272 9a67635-9a67641 270->272 273 9a67643-9a67673 Wow64GetThreadContext 270->273 272->273 275 9a67675-9a6767b 273->275 276 9a6767c-9a676ac 273->276 275->276
          APIs
          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 09A67666
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: ContextThreadWow64
          • String ID:
          • API String ID: 983334009-0
          • Opcode ID: 14676406e7178b6c1448b4be7a29c4932324051aee41cfda21967520f3b1b8dc
          • Instruction ID: 4009a07e3bff5fe5c745b22b76cbbec98ea27a54ffcc6197e38f7fd3fabb62a1
          • Opcode Fuzzy Hash: 14676406e7178b6c1448b4be7a29c4932324051aee41cfda21967520f3b1b8dc
          • Instruction Fuzzy Hash: C0214571D003098FDB10CFAAC481BEEBBF4AF88314F10842AE559A7250C7B89944CFA1

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 264 12fd27c-12fd724 DuplicateHandle 266 12fd72d-12fd74a 264->266 267 12fd726-12fd72c 264->267 267->266
          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012FD656,?,?,?,?,?), ref: 012FD717
          Memory Dump Source
          • Source File: 0000000D.00000002.2236517555.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_12f0000_tshjuqE.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: d5cde24c07d377b7a73d7f629e3f5863338961a32b7c1d9bfd77b536753e1b19
          • Instruction ID: 239e026c2040cfda474bacf69c43b79925c499112d3762433f9b8209189bdbcc
          • Opcode Fuzzy Hash: d5cde24c07d377b7a73d7f629e3f5863338961a32b7c1d9bfd77b536753e1b19
          • Instruction Fuzzy Hash: 7721D4B59102499FDB10CF9AD584ADEFBF4EB48314F14841AE919A7210D374A950CFA5

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 280 12fd689-12fd68e 281 12fd690-12fd724 DuplicateHandle 280->281 282 12fd72d-12fd74a 281->282 283 12fd726-12fd72c 281->283 283->282
          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012FD656,?,?,?,?,?), ref: 012FD717
          Memory Dump Source
          • Source File: 0000000D.00000002.2236517555.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_12f0000_tshjuqE.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: 794a8473d4e050e468525550c48cdbf69bdabb61b7144a6c9e78326776f78323
          • Instruction ID: e8bb120e4a21c2fab0e4b497277a0ed0fd4a114870ea9d04a004976d89174d4b
          • Opcode Fuzzy Hash: 794a8473d4e050e468525550c48cdbf69bdabb61b7144a6c9e78326776f78323
          • Instruction Fuzzy Hash: D721E3B59002499FDB10CF9AD984ADEFBF8FB48324F14841AE914A7210D374A950CFA4

          Control-flow Graph
          • Basic blocks: 296 9a67ca8-9a67d35 (ReadProcessMemory), 299 9a67d37-9a67d3d, 300 9a67d3e-9a67d6e
          • Edges: 296->299, 296->300, 299->300 (executed/not-executed colouring of the interactive graph not preserved)
          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09A67D28
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: 9b8e2672d4f0691121252e755521a88bf22f660d48554b8703a1279eb1cbe1ef
          • Instruction ID: a2357e158e4fcea4796fa354530fd17f7f9bf2728081a94d8aa69911f57ded29
          • Opcode Fuzzy Hash: 9b8e2672d4f0691121252e755521a88bf22f660d48554b8703a1279eb1cbe1ef
          • Instruction Fuzzy Hash: 3D212A71900349DFDB10CF9AC841BEEBBF5FF48310F108429E519A7250D7759910CBA5

          Control-flow Graph
          • Basic blocks: 286 9a675e8-9a67633, 288 9a67635-9a67641, 289 9a67643-9a67673 (Wow64GetThreadContext), 291 9a67675-9a6767b, 292 9a6767c-9a676ac
          • Edges: 286->288, 286->289, 288->289, 289->291, 289->292, 291->292 (executed/not-executed colouring of the interactive graph not preserved)
          APIs
          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 09A67666
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: ContextThreadWow64
          • String ID:
          • API String ID: 983334009-0
          • Opcode ID: bb751a7f14683990634ccb03896641e33e977cb025b31f071b63930619814200
          • Instruction ID: 7ba0feb2120907b2aa4812b60510de324dfdbd969b5dc50f071fbbc741d7f449
          • Opcode Fuzzy Hash: bb751a7f14683990634ccb03896641e33e977cb025b31f071b63930619814200
          • Instruction Fuzzy Hash: 39214971D003098FDB10DFAAC485BEEBBF4EF88724F148429E559A7240DB789944CFA5

          Control-flow Graph
          • Basic blocks: 304 9a676b8-9a6773b (VirtualAllocEx), 307 9a67744-9a67769, 308 9a6773d-9a67743
          • Edges: 304->307, 304->308, 308->307 (executed/not-executed colouring of the interactive graph not preserved)
          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09A6772E
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 108ccb91f1082c11c809da3d8f70fc4cfc09e617446d6f1761d08661ef1fd596
          • Instruction ID: 0cc4c1767fa64150c27e37c4b7e35bd9ffeaf60de197e26212430318e5a42a87
          • Opcode Fuzzy Hash: 108ccb91f1082c11c809da3d8f70fc4cfc09e617446d6f1761d08661ef1fd596
          • Instruction Fuzzy Hash: 42213671900349DFDB10CFA9C845AEEBBF5AF88324F248419E555A7260CB759510CFA0

          Control-flow Graph
          • Basic blocks: 312 9a676c0-9a6773b (VirtualAllocEx), 315 9a67744-9a67769, 316 9a6773d-9a67743
          • Edges: 312->315, 312->316, 316->315 (executed/not-executed colouring of the interactive graph not preserved)
          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09A6772E
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: e9291c074ca9638663fe9ccdeeaef456a3ade94984fef96cf0165de2992e660f
          • Instruction ID: ee78a9aaf19b2ea0db67c62f9bc6097d47bde3964033bbc0c12c13776087d0c5
          • Opcode Fuzzy Hash: e9291c074ca9638663fe9ccdeeaef456a3ade94984fef96cf0165de2992e660f
          • Instruction Fuzzy Hash: E41153729003499FDB10CFAAC844BDEBBF5AF88724F208819E519A7250CB75A910CBA0
          APIs
          • PostMessageW.USER32(?,00000010,00000000,?), ref: 09A6B8E5
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: MessagePost
          • String ID:
          • API String ID: 410705778-0
          • Opcode ID: ab36bc86870f485b4a1b0e8bf0192aad7e48e0f8b765335d593ecd9bb33578d2
          • Instruction ID: 64d7b43e6f11da80f84a7dd6d18620e1b6371abf4d9f2aa2b57ddc737db6bcec
          • Opcode Fuzzy Hash: ab36bc86870f485b4a1b0e8bf0192aad7e48e0f8b765335d593ecd9bb33578d2
          • Instruction Fuzzy Hash: A611F2B58003499FDB10CF99C485BDEBBF8FB48720F20841AE959A7210C3B5A544CFA0
          APIs
          • PostMessageW.USER32(?,00000010,00000000,?), ref: 09A6B8E5
          Memory Dump Source
          • Source File: 0000000D.00000002.2241721850.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_9a60000_tshjuqE.jbxd
          Similarity
          • API ID: MessagePost
          • String ID:
          • API String ID: 410705778-0
          • Opcode ID: 122d7a955267203f527c7a3f7893d6a85067efc42dd26bae695a3d4fe23a92b6
          • Instruction ID: 709c28d84c1908f163cc4e76a8b3a7e277baed72b3696d6553461aeb1428c0b7
          • Opcode Fuzzy Hash: 122d7a955267203f527c7a3f7893d6a85067efc42dd26bae695a3d4fe23a92b6
          • Instruction Fuzzy Hash: 631103B5804349DFDB20DF9AC484BDEBBF8FB48720F108859E959A7210C3B5A954CFA1
          APIs
          • GetModuleHandleW.KERNELBASE(00000000), ref: 012FAFFE
          Memory Dump Source
          • Source File: 0000000D.00000002.2236517555.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_12f0000_tshjuqE.jbxd
          Similarity
          • API ID: HandleModule
          • String ID:
          • API String ID: 4139908857-0
          • Opcode ID: 32ba2a0fd6fbf6477c689c6309cd2a70b8ee066861ee8d837a73761940fd70fc
          • Instruction ID: 11c33e4fc04a10e1429911905fce00fbc2594656733a705862832a9086992590
          • Opcode Fuzzy Hash: 32ba2a0fd6fbf6477c689c6309cd2a70b8ee066861ee8d837a73761940fd70fc
          • Instruction Fuzzy Hash: D711D2B5C007498FDB14CF9AC444B9EFBF4AB88624F10842AD669A7210D375A545CFA5
          Memory Dump Source
          • Source File: 0000000D.00000002.2236076897.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10dd000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 186ddde29512c4a041117821a68de97ddf739f3438ff9a51e1089fb72689208b
          • Instruction ID: b8d4b00c291e21f6636c6e3c9619c3796b09154805982b53c5d3532fbe45b626
          • Opcode Fuzzy Hash: 186ddde29512c4a041117821a68de97ddf739f3438ff9a51e1089fb72689208b
          • Instruction Fuzzy Hash: F2210372504340EFDB15DF54D9C0B2ABFA5FB88318F60C5A9E9490B29AC336D456CBA1
          Memory Dump Source
          • Source File: 0000000D.00000002.2236076897.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10dd000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9bc8ab540ac448bd83110821e734ad4996af306d1fbeffcffecf6d2284814c2a
          • Instruction ID: f622fd1e9f990c0369f1c0d965729bf559fe6cb122cb168ee904fba9ccf20665
          • Opcode Fuzzy Hash: 9bc8ab540ac448bd83110821e734ad4996af306d1fbeffcffecf6d2284814c2a
          • Instruction Fuzzy Hash: 67214872500304EFDB05DF54D9C0B6ABFA5FB84324F20C1ADE9490B296CB36E456CBA1
          Memory Dump Source
          • Source File: 0000000D.00000002.2236148695.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10ed000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ad272abd998cfabf0285606a55941bbb3cec2b5f30f699734fbcec4b225e7897
          • Instruction ID: a81fb4b001b3b39574f5f574ef99b8b679f78264158d3fc05ea949094408a32e
          • Opcode Fuzzy Hash: ad272abd998cfabf0285606a55941bbb3cec2b5f30f699734fbcec4b225e7897
          • Instruction Fuzzy Hash: BD210075604200EFDB15DF55D988B2ABFE1FB84314F28C5ADE98A0B252C37AD406CB61
          Memory Dump Source
          • Source File: 0000000D.00000002.2236148695.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10ed000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 434352986c493ed70ceef911c45753361b6048f394790ef65669a80230514f0c
          • Instruction ID: 274769b72aaeb72491c4204328d0c3cff5c48147f169120a842ea25be7ce5b7f
          • Opcode Fuzzy Hash: 434352986c493ed70ceef911c45753361b6048f394790ef65669a80230514f0c
          • Instruction Fuzzy Hash: B0214675504300EFDB05DF95D9C8B2ABBE1FB84324F20C5ADE9894B292C376D406CB61
          Memory Dump Source
          • Source File: 0000000D.00000002.2236148695.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10ed000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ef879f59577f044497ae6a67254d327045fda1d1f3a87f8c276654bbf3ba1379
          • Instruction ID: e4e6fbcf4f79e8a367118b97aa6b6369b1798fa33e34b67b2389695b3f03dd42
          • Opcode Fuzzy Hash: ef879f59577f044497ae6a67254d327045fda1d1f3a87f8c276654bbf3ba1379
          • Instruction Fuzzy Hash: A32162755093808FDB13CF64D994715BFB1EB46214F28C5DAD8898F6A7C33AD80ACB62
          Memory Dump Source
          • Source File: 0000000D.00000002.2236076897.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10dd000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
          • Instruction ID: 4ffa3f01654c5f241b8df8f45a51afa22b3282adf213849dec27864d17fe833b
          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
          • Instruction Fuzzy Hash: 7911CDB6404280DFCB12CF44D5C0B56BFA1FB84224F2482A9D8490A256C33AE456CBA1
          Memory Dump Source
          • Source File: 0000000D.00000002.2236076897.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10dd000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
          • Instruction ID: 352e276ada5dd14d10402946b6750ab97dabb99841112d3305cb670759b27ef3
          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
          • Instruction Fuzzy Hash: D011AF76504280DFCB16CF54D5C4B16BFB1FB84318F24C6A9D8490B65AC33AD456CBA1
          Memory Dump Source
          • Source File: 0000000D.00000002.2236148695.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10ed000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
          • Instruction ID: c82f0502928facf213c4b5e83af51b78f9a79030918669ce48bfde975b4fc531
          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
          • Instruction Fuzzy Hash: AA11BB79504280DFCB06CF54C6C4B15BBA1FB84224F24C6AED8894B2A6C33AD40ACB61
          Memory Dump Source
          • Source File: 0000000D.00000002.2236076897.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10dd000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 13153deac2b30715cf3db7ae2dceb50f7df5ac250b7c7271ad95aaf3a5ecb790
          • Instruction ID: 474b06e64e3d15efee38deafb071e3dd013f350ceff9fbbdcebc31fd3bbcd67f
          • Opcode Fuzzy Hash: 13153deac2b30715cf3db7ae2dceb50f7df5ac250b7c7271ad95aaf3a5ecb790
          • Instruction Fuzzy Hash: CD012B715043809AF7104EA9CDC4B6AFFD8FF41324F08C59AEE490A2D2E6B99440CBB1
          Memory Dump Source
          • Source File: 0000000D.00000002.2236076897.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_13_2_10dd000_tshjuqE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f7de5605592faa378d524f40054825fd67b6d13dd6bbe667464b168b44e1c2b8
          • Instruction ID: a00ac9fcf20b153318e5438f02ca29b279a08bf4f2de079f4cbe7e70e3b07d49
          • Opcode Fuzzy Hash: f7de5605592faa378d524f40054825fd67b6d13dd6bbe667464b168b44e1c2b8
          • Instruction Fuzzy Hash: D6F0C2714053849EE7108E19CCC4B66FFD8EB81634F18C49AED480A287D2799840CBB1