Edit tour

Windows Analysis Report
Document for shipping.exe

Overview

General Information

Sample name:	Document for shipping.exe
Analysis ID:	1427769
MD5:	e8e193c463155c347c1a4cd828e5947f
SHA1:	2c3ddd91660d4590ed48aad854d3568dea951af3
SHA256:	f4153f8494d015bbe6740d237a848dc9898726b4812f015d47c80eac08fe5e12
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Scan Loop Network

Uses 32bit PE files

Classification

Process Tree

System is w10x64native

Document for shipping.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\Document for shipping.exe" MD5: E8E193C463155C347C1A4CD828E5947F)

WerFault.exe (PID: 7980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1180 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Scan Loop Network

Source: Process started

Author: frack113: Data: Command: "C:\Users\user\Desktop\Document for shipping.exe", CommandLine: "C:\Users\user\Desktop\Document for shipping.exe", CommandLine|base64offset|contains: ~, Image: C:\Users\user\Desktop\Document for shipping.exe, NewProcessName: C:\Users\user\Desktop\Document for shipping.exe, OriginalFileName: C:\Users\user\Desktop\Document for shipping.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6460, ProcessCommandLine: "C:\Users\user\Desktop\Document for shipping.exe", ProcessId: 7148, ProcessName: Document for shipping.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Document for shipping.exe	ReversingLabs: Detection: 21%
Source: Document for shipping.exe	Virustotal: Detection: 28%			Perma Link

Machine Learning detection for sample

Source: Document for shipping.exe

Joe Sandbox ML: detected

Source: Document for shipping.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Document for shipping.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdbis( source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\PresentationFramework.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\WindowsBase.pdbe source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSystem.ni.dllH source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbsT source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\|Q source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdbb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdbbxo source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: WindowsBase.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Document for shipping.PDB$y source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: PresentationCore.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: WindowsBase.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\Document for shipping.PDBad source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb]QF source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.pdbMZ@ source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: PresentationCore.ni.pdbRSDS:Ne source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: vk.pdb source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.pdb(\|s source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: p0C:\Windows\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: PresentationCore.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\PresentationFramework.pdbpdbork.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbn source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\PresentationFramework.pdbg.D source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\WindowsBase.pdbpdbase.pdbbQS source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\WindowsBase.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdbp source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr

Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MainWindow.xamld
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/MainWindow.xaml
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.baml
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.bamld
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

System Summary

.NET source code contains very large array initializations

Source: Document for shipping.exe, --.cs

Large array initialization: _0002: array initializer size 672632

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document for shipping.exe

Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_02382BC2	3_2_02382BC2
Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_0238182E	3_2_0238182E
Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_023828B0	3_2_023828B0
Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_02381846	3_2_02381846
Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_02381098	3_2_02381098
Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_02381D00	3_2_02381D00
Source: C:\Users\user\Desktop\Document for shipping.exe	Code function: 3_2_02382951	3_2_02382951

Source: C:\Users\user\Desktop\Document for shipping.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1180

Source: Document for shipping.exe, 00000003.00000000.81129385221.0000000000134000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameZvTD.exe< vs Document for shipping.exe
Source: Document for shipping.exe, 00000003.00000002.81164265279.000000000071E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Document for shipping.exe
Source: Document for shipping.exe	Binary or memory string: OriginalFilenameZvTD.exe< vs Document for shipping.exe

Source: Document for shipping.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Document for shipping.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal64.evad.winEXE@2/6@0/0

Source: C:\Users\user\Desktop\Document for shipping.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7dd8211d-103a-414a-8fd3-c03277b4785f

Jump to behavior

Source: Document for shipping.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Document for shipping.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Document for shipping.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Document for shipping.exe	ReversingLabs: Detection: 21%
Source: Document for shipping.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\Document for shipping.exe

File read: C:\Users\user\Desktop\Document for shipping.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Document for shipping.exe "C:\Users\user\Desktop\Document for shipping.exe"
Source: C:\Users\user\Desktop\Document for shipping.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1180

Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Document for shipping.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Document for shipping.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Document for shipping.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Document for shipping.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdbis( source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\PresentationFramework.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\WindowsBase.pdbe source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSystem.ni.dllH source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbsT source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\|Q source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdbb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdbbxo source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: WindowsBase.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Document for shipping.PDB$y source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: PresentationCore.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: WindowsBase.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\Document for shipping.PDBad source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb]QF source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.pdbMZ@ source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: PresentationCore.ni.pdbRSDS:Ne source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: vk.pdb source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.pdb(\|s source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: p0C:\Windows\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: PresentationCore.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Xaml.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\PresentationFramework.pdbpdbork.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbn source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\PresentationFramework.pdbg.D source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\WindowsBase.pdbpdbase.pdbbQS source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\WindowsBase.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdbp source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: Document for shipping.exe, --.cs

.Net Code: _0003 System.Reflection.Assembly.Load(byte[])

Source: Document for shipping.exe

Static PE information: section name: .text entropy: 7.967944103480401

Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Document for shipping.exe	Memory allocated: 2380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Memory allocated: 4580000 memory reserve \| memory write watch	Jump to behavior

Source: Amcache.hve.6.dr

Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver

Source: C:\Users\user\Desktop\Document for shipping.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Document for shipping.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Document for shipping.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Document for shipping.exe

Queries volume information: C:\Users\user\Desktop\Document for shipping.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Document for shipping.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Document for shipping.exe	21%	ReversingLabs
Document for shipping.exe	100%	Joe Sandbox ML
Document for shipping.exe	29%	Virustotal	Browse

Source	Detection	Scanner	Label
http://foo/bar/mainwindow.baml	0%	Avira URL Cloud	safe
http://foo/bar/mainwindow.bamld	0%	Avira URL Cloud	safe
http://defaultcontainer/MainWindow.xamld	0%	Avira URL Cloud	safe
http://foo/MainWindow.xaml	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://foo/bar/mainwindow.baml	Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/mainwindow.bamld	Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://defaultcontainer/MainWindow.xamld	Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/MainWindow.xaml	Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427769
Start date and time:	2024-04-18 06:26:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document for shipping.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@2/6@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 31 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
Execution Graph export aborted for target Document for shipping.exe, PID 7148 because it is empty
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:28:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Document for shi_1e66adbaabbf5113cadc695eb21a9b827719b085_a5a929e4_dc820042-fdf7-4e79-be5a-b9c3276b8ecf\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1916095140710943
Encrypted:	false
SSDEEP:	192:I9e5MKB0mBUWSaurGMUaldXJW8Du76afAIO8d:We5MKrBUWSaVMHlJ7Du76afAIO8d
MD5:	7770CE098BBF60DC0A7585E2E970E4E7
SHA1:	B3B1F5CFDEAE76940A39472CA6FA7E4BB1E15B26
SHA-256:	DD265B126B5B7281F0C6D9EC8E08499AFF441AD0F01DAB7F747F3FBD35D3F27A
SHA-512:	E155319536A2FE6F55F02C55EC8A9F3348418F8F56B25F2D1D6CF8F9EE085CD5457DC7C373B4DA94B1B4B50F1E9347CC3CD175E5942A2F8D2D9F310B761BB347
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.8.8.0.9.9.9.8.8.4.0.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.8.8.8.1.0.0.4.1.0.1.5.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.8.2.0.0.4.2.-.f.d.f.7.-.4.e.7.9.-.b.e.5.a.-.b.9.c.3.2.7.6.b.8.e.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.f.c.7.9.0.7.-.8.e.5.e.-.4.9.6.5.-.8.4.d.4.-.f.1.5.2.1.b.8.f.c.e.c.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.o.c.u.m.e.n.t. .f.o.r. .s.h.i.p.p.i.n.g...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.Z.v.T.D...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.c.-.0.0.0.1.-.0.0.2.7.-.9.7.d.4.-.1.e.d.7.4.8.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.5.9.b.e.4.4.6.d.5.e.7.9.2.e.3.4.7.9.1.2.a.8.6.6.2.5.1.a.e.c.0.0.0.0.0.0.0.0.0.!.0.0.0.0.2.c.3.d.d.d.9.1.6.6.0.d.4.5.9.0.e.d.4.8.a.a.d.8.5.4.d.3.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 18 04:28:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	289771
Entropy (8bit):	4.881482901683762
Encrypted:	false
SSDEEP:	3072:3hUBBGzsV0jN/lLTg6Puchq6ye+OqGELxyuzSi4CbZK4uEq/iUs8Xs:3OBBGzsV0jN/RTgquqyD0ELxyLCbI4
MD5:	AD557C78492AE89D2E1C6DDFB9500715
SHA1:	5FE5C6438F880ED8E99D398A50358E11E785C856
SHA-256:	9E7D114262DE5BD3CDB07C59A6BEA4C0385E0FDC139FF7A4247EBA8EBEDCDCE0
SHA-512:	FD195FA47984E7B110A5AA48105BCAF9A31C597E227BA7BE035735C01FE6E8B1D4AF4B42E5749AFCF0655CCDF417E1130C34EB8154D17B6B00D6F1B197EFC4C4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......d. f............T...............h.......$...(".......8..JC..........`.......8...........T...........x...s=..........L"..........8$..............................................................................bJ.......$......GenuineIntel...........T...........c. f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53B2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8460
Entropy (8bit):	3.6916668920750912
Encrypted:	false
SSDEEP:	192:R9l7lZNi1Y6aX6YnhLSUHRgmfZDQC3prp89bfcsfVVm:R9lnNi66a6YdSUHRgmf9Qvfvf2
MD5:	5E85C1F6812F7FB4F98D3E209B824379
SHA1:	9191DAD8F8E20DE1B20C1A908EDD184E4CCC1D7B
SHA-256:	5DF35D005009E700EBC76E29C6EB65286D03D8C60CD580E593E69E80DBA5E54A
SHA-512:	8C7132981820E5E8DD28D04170AD5E60500DF2AC8F96C2BFFE47C174BDDA3163F28957F3D602FE2863FEB2EC2593ED55210E19810092F56C632C75630341BD89
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53E2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4991
Entropy (8bit):	4.513038845820559
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsne702I7VFJ5WS2Cfjkas3rm8M4Jlv2K7F14+q8vr2KJvxjlejlNd:uILfe7GySPfQJyKxZxexNd
MD5:	01410F6FFEA68F4E1F695C3462237785
SHA1:	AC09EB4657AF153D8D9CE36F7D9EEF3BBEDBFD22
SHA-256:	DC176D47CE99843DFFEF384AE8E8B39CC19AA075AC5C20EE5725BC72EE35B71E
SHA-512:	7259C252FB381FE0433FAF4F1C5E0772BD9DC8A1811816B24F4F2CE1B37DFAFC68BFE67A7767678D2F2C81328774FECABA5B573D8B2C400E720147F4EBE3575B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222628659" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	2359296
Entropy (8bit):	4.363885601547218
Encrypted:	false
SSDEEP:	49152:gEeH3uyC3A/pNmQJNyJ2eagmcnYJ1u8hs:w
MD5:	1D3B008A14C32E07C88C71F2826A91C0
SHA1:	393833C88BFFABDB5348897A16F67226336B95AB
SHA-256:	38E532A7A798A1A50B940F3438D93F4DB2853B9752CA91202337AFB43C3B630D
SHA-512:	87197E96C0E7E24C2A44DB15E7E9A039356924DDBAAC2DBECFD2483355B0EBE1B3332C49000FD839C81F514968B22100789D222BEB21177C301D0BED9E5BAF9C
Malicious:	false
Reputation:	low
Preview:	regfE...E...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.q.d>...............................................................................................................................................................................................................................................................................................................................................L...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	2.9973857052718382
Encrypted:	false
SSDEEP:	768:PmQyPWn9OUCKonEo5/eF34OoajKRVnR7cyG2pKmVzcdygvfNaIy727gpeXeiTRG3:+AUnEoN0uRlDVwygvfs/sgNH4ut
MD5:	436DCEE777C12F315E2868D79F74B83B
SHA1:	7AE0084432193786D3778048CDB00F959542A5D1
SHA-256:	2CAAD0317D08F23C0FE5070C9086CEB497B88F8CCAF62DCAE79E3AFC2951C100
SHA-512:	F5ABD448F86CB24CC8CB80E74BB231CCCC4FC0B8C0F0F7EB577883CECD93635E25D542000A6003DF5E84E8EE7D78719E5B62D21B13C4829DABD57516E1B0DA26
Malicious:	false
Reputation:	low
Preview:	regfD...D...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.q.d>...............................................................................................................................................................................................................................................................................................................................................J...HvLE........D.....!.....i......\..?.}.........P... ...........0....................... ................!......P!.......!..0..hbin................5.#.^...........nk,....S...............................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk .w...>.......(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...................................Z.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.962416554275987
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Document for shipping.exe
File size:	731'136 bytes
MD5:	e8e193c463155c347c1a4cd828e5947f
SHA1:	2c3ddd91660d4590ed48aad854d3568dea951af3
SHA256:	f4153f8494d015bbe6740d237a848dc9898726b4812f015d47c80eac08fe5e12
SHA512:	e4c81e3d3c6c8ff21ec95c2766b1aadd3a0ab64b8837a176271f79a7860e935caaa030f7f9504f9aca0d7b6959c4ad9f379d40ce1cd6475c392c5ade838c47aa
SSDEEP:	12288:mAtH617FRqHXH2sfD+CXVTfnAnR0b7GPdfe4pFjKYGK/McCMGAJ76KLa0Tu3LU4l:cR0bfwZPGK/ZCMGAJ76KLa0S3LUQV6YL
TLSH:	DEF4220420D8EF2BE78D56B5BC91428113F8C1832E92F7D99DE134E599893E869523FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wf f....................."......."... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0f235999b9792317

Static PE Info

General

Entrypoint:	0x4b22fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66206677 [Thu Apr 18 00:16:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb22a4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x1e7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb0304	0xb0400	0346bee583eaa0c5a5c9dbe44dff1186	False	0.9694148936170213	data	7.967944103480401	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x1e7c	0x2000	829e217b9009f1f1a8f766dbcd5ef2db	False	0.849609375	data	7.491148442241623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	bf2dcf652622585e68fc8ed9a940a2d4	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb4130	0x1834	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9917688831504197
RT_GROUP_ICON	0xb5964	0x14	data	1.05
RT_VERSION	0xb5978	0x350	data	0.43985849056603776
RT_MANIFEST	0xb5cc8	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators	0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	3
Start time:	06:28:19
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\Document for shipping.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document for shipping.exe"
Imagebase:	0x80000
File size:	731'136 bytes
MD5 hash:	E8E193C463155C347C1A4CD828E5947F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:28:19
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1180
Imagebase:	0xc80000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 0238182E Relevance: 4.7, Strings: 3, Instructions: 907COMMON

Download Yara Rule

Strings

LR$r, xrefs: 0238238B
LR$r, xrefs: 0238185E
\s$r, xrefs: 02381A6E

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID: LR$r$LR$r$\s$r
API String ID: 0-3600654002
Opcode ID: 6ff555beb4963e33edc24d6db1dbab2b2430acec394703de2d7c203791a83d41
Instruction ID: 9034cd254bc50feeaad6ef603e66d801ab40405a9cf2b57cdaeb7dc0fdf1e240
Opcode Fuzzy Hash: 6ff555beb4963e33edc24d6db1dbab2b2430acec394703de2d7c203791a83d41
Instruction Fuzzy Hash: F982DD75E002698FDB14DF69C884AAEBBF2BF88300F15C56AD449EB255CB34A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02381846 Relevance: 4.1, Strings: 3, Instructions: 326COMMON

Download Yara Rule

Strings

LR$r, xrefs: 0238185E
U;+E, xrefs: 02381852
\s$r, xrefs: 02381A6E

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID: LR$r$U;+E$\s$r
API String ID: 0-4134377204
Opcode ID: 8543a640d8237880b94ef7d792e9ba170e8b5b2362c4de5135d16ded37924480
Instruction ID: 247373aef13372101e656d89b9c4e57504bcdcaee3ba86af901e9a60de9155a0
Opcode Fuzzy Hash: 8543a640d8237880b94ef7d792e9ba170e8b5b2362c4de5135d16ded37924480
Instruction Fuzzy Hash: 74C19175E016258FDB14DF79C884AAEB7F2BFC8301F168559D44AEB354DB34AA02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02382BC2 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

, xrefs: 02382CEE

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ce7576405257e917b0d3211efca818e94402f705bd4616da3ec0de8330b06d58
Instruction ID: 9301ba5c21b31c1205ae9b3177d54c0e185ba699d56135a4ab89e2d2d4deee75
Opcode Fuzzy Hash: ce7576405257e917b0d3211efca818e94402f705bd4616da3ec0de8330b06d58
Instruction Fuzzy Hash: 8E51DB75B002058FCB14DB79D8846AEBBF2EFC8215B18817AD919DB349EB30ED058B90

Uniqueness

Uniqueness Score: -1.00%

Function 023828B0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42aa558fc1d5a092197a1fea8e4b3b3e28cf878e1afb40d50054ff785741c827
Instruction ID: df2963b24791ccaf7210c72340fac59cfc3310239d6bf4a08a6f1c843d22bac7
Opcode Fuzzy Hash: 42aa558fc1d5a092197a1fea8e4b3b3e28cf878e1afb40d50054ff785741c827
Instruction Fuzzy Hash: 27815E36F112248FD714EB69D884B5EB7F3AFC8710F198165E805EB3A5DE349C418B90

Uniqueness

Uniqueness Score: -1.00%

Function 02382951 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3494f4923a24c8e882630088fb8b60e455aa1f8b72bce01e5c2d6feaa7416f
Instruction ID: 944652ec4c9f6d453ebb4f49479aee6216553a8e97b28956adce36bbd373ed8f
Opcode Fuzzy Hash: ac3494f4923a24c8e882630088fb8b60e455aa1f8b72bce01e5c2d6feaa7416f
Instruction Fuzzy Hash: 51614D32F116248FD714DB69C880B5EB7E3AFC8710F1AC165E409AB3A6DE74EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 02384235 Relevance: 14.0, Strings: 11, Instructions: 278COMMON

Download Yara Rule

Strings

$$r, xrefs: 023843DC
f)r, xrefs: 023843CC
$$r, xrefs: 023842FD
Te$r, xrefs: 0238427D
$$r, xrefs: 023843F2
XX$r, xrefs: 02384268
$$r, xrefs: 02384493
f)r, xrefs: 02384542
XX$r, xrefs: 02384258
f)r, xrefs: 02384532
Te$r, xrefs: 02384287

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID: f)r$ f)r$ f)r$Te$r$Te$r$XX$r$XX$r$$$r$$$r$$$r$$$r
API String ID: 0-433220769
Opcode ID: 15bde2870bca52fe9aedc887f23dd613022a199b505cb1846dc61412c312ff5c
Instruction ID: 23518096909731df4de1bacbc3de09f7c7256ca55b279c66c9a4e943f036a738
Opcode Fuzzy Hash: 15bde2870bca52fe9aedc887f23dd613022a199b505cb1846dc61412c312ff5c
Instruction Fuzzy Hash: 27B17C30E0431ACFDB24DB98D544BADB7B6EF84305F658065E601AFA99DB70DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02383E07 Relevance: 2.5, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

f)r, xrefs: 02383E66
f)r, xrefs: 02383E5A

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID: f)r$ f)r
API String ID: 0-1289220391
Opcode ID: 4fd563235b13e89b9242bd58d5d73c9a813d5bbbef8d4aff4fc01f62ffd0f085
Instruction ID: c67f5a9ae6420fb5342538ca62426750b03ac439a703b67811c08b3eb0403820
Opcode Fuzzy Hash: 4fd563235b13e89b9242bd58d5d73c9a813d5bbbef8d4aff4fc01f62ffd0f085
Instruction Fuzzy Hash: CC11A132B40304DFEB25EEA4D45476D7B75EF44B01F145866E002AF388CB705C82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02382670 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

, xrefs: 02382782

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 673df68c6bae51195c47d2dcfd7e9aed2b773a4db5d3730d25e09f3caf5e99b9
Instruction ID: 88989476539cb9825037249c10d89c3a677b50de54446255ea12397a8f810da7
Opcode Fuzzy Hash: 673df68c6bae51195c47d2dcfd7e9aed2b773a4db5d3730d25e09f3caf5e99b9
Instruction Fuzzy Hash: 7A419D75F002598BDB10DFAAD8806AFFBB2FB84211F14C52AE925DB706D730E9518B90

Uniqueness

Uniqueness Score: -1.00%

Function 023827E8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

\s$r, xrefs: 0238284F

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID: \s$r
API String ID: 0-3117107385
Opcode ID: b3c59e94c917ea68b368ac8f1d7d45fed75c4a60192fb54dc9bd25049f326477
Instruction ID: c582c37d132b3a5d8f3f62ced35492b8d9317f5f8be1a30b9cc23e8b48ef8911
Opcode Fuzzy Hash: b3c59e94c917ea68b368ac8f1d7d45fed75c4a60192fb54dc9bd25049f326477
Instruction Fuzzy Hash: D121B4717102208FCB54EB79D854D2A77E9EF8961431584EAE80ACF371DB20EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 02380F15 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de89837c3fb00ec0b2958262d3b01bf223b5d0e907421563688a67d9a6bb4d8
Instruction ID: 6fc6326b27ec3c3c2d25fecea3d93f01e4c6e672152012b2ea774512c6599b32
Opcode Fuzzy Hash: 2de89837c3fb00ec0b2958262d3b01bf223b5d0e907421563688a67d9a6bb4d8
Instruction Fuzzy Hash: 55214922A2D7998BD70E727C009815FBFA6BF97A0671404AFC5818F19AC614AC5DC3E2

Uniqueness

Uniqueness Score: -1.00%

Function 02383760 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22dd036b324a4703eb5a67046f54d131bc731a0ddb8b41d6fbcdaed24fd0d981
Instruction ID: 58d9ed7e9c9fcf0fec25d7a9b0f5e89c3fb280e445fae5ef00e5fbad76d47f16
Opcode Fuzzy Hash: 22dd036b324a4703eb5a67046f54d131bc731a0ddb8b41d6fbcdaed24fd0d981
Instruction Fuzzy Hash: E941E670B093A05FD32657794C50B6A7FAA9FC3600F19C4EAE454CF396CA65CC0AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02380AD0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce92cb6ad89bb4c246ef8da300014a0a02998e4a223260629fd57231d6361801
Instruction ID: 0d0eae3b3cbd837c77412fe510300019662c5a7679d94c5ef10989f05646f408
Opcode Fuzzy Hash: ce92cb6ad89bb4c246ef8da300014a0a02998e4a223260629fd57231d6361801
Instruction Fuzzy Hash: 1F413574A10308DFDB1AEFA4C548A9DBBB2FF41309F15C4A9D0459F222EB34DA49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0232D570 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81164892008.000000000232D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0232D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_232d000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb452e44702997ab80411396a472860e4b4e7b8c6e39bfbadc7f02227e9a3dd
Instruction ID: c09fe0cdd314fc4cb454e1bc391d438a5068eac6ca4124f7079d2a68cdca1e36
Opcode Fuzzy Hash: 0eb452e44702997ab80411396a472860e4b4e7b8c6e39bfbadc7f02227e9a3dd
Instruction Fuzzy Hash: BC212571504348DFDB11DF54D9C4B26BF6AFB88314F24C569E8090B646C376D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0233D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81164979628.000000000233D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0233D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_233d000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5db14fcfc5002740f332f9e4e92c7cddcfcd184ec16300ce8771ca85aa818fa
Instruction ID: a5bb0da21f0b661aa40230016ad2fb44095192ae15484912abdeba78446982b2
Opcode Fuzzy Hash: a5db14fcfc5002740f332f9e4e92c7cddcfcd184ec16300ce8771ca85aa818fa
Instruction Fuzzy Hash: 8A213471604348EFDB12DF24D8C4B26BB69FB88714F20C5A9E84A0B646C336D947CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81164979628.000000000233D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0233D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_233d000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8da2c7cd745b3a99404fd247820ad1bd98c10bb0b3c27ec4d1d3cd9c80401cd
Instruction ID: 6ea88a8578878e13dc034c278c1958844e39b400ad74bbf962614f7caabd04e9
Opcode Fuzzy Hash: b8da2c7cd745b3a99404fd247820ad1bd98c10bb0b3c27ec4d1d3cd9c80401cd
Instruction Fuzzy Hash: 292180755083849FCB02CF24D994B11BF71EB46214F28C5DAD8498F2A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02382E00 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccac31a76a47d254a0bacb557a37e3f637c090b1cba329bd5651c033a2fcc3b4
Instruction ID: dc707298957ef69ee0aa04d2e2d4b4e4f07a04034ab70f5a20c702de15aea33b
Opcode Fuzzy Hash: ccac31a76a47d254a0bacb557a37e3f637c090b1cba329bd5651c033a2fcc3b4
Instruction Fuzzy Hash: 3911CE757402404FC745AB38E4A8A6E7BF3EFDD22532100A9E44ACF362EE20DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0232D56B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81164892008.000000000232D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0232D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_232d000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5cca3cdf5a65814c4efce24ab630ebad80daaf60a455b13edc9589fd3f2729
Instruction ID: 010def8c15a04583bdc4e59aa33b834328608c90b630340611d8cf23c6772c44
Opcode Fuzzy Hash: 8c5cca3cdf5a65814c4efce24ab630ebad80daaf60a455b13edc9589fd3f2729
Instruction Fuzzy Hash: 1111D076504284CFDB12CF10D9C4B16BF72FB88324F28C6A9D8490B256C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02382E10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf54fc1f3fc76bef525ea3d49cc945d524cc30188ffd7bc961fb88ca15763259
Instruction ID: 61a0c4bbc83fb45dbee7d7892c4c8763f67fa4128d53cfbb4b716a92036e4f86
Opcode Fuzzy Hash: cf54fc1f3fc76bef525ea3d49cc945d524cc30188ffd7bc961fb88ca15763259
Instruction Fuzzy Hash: 10015E757402104FC788EB79E458A1E7BE7EFCC2253214069E50ACF375EE20DC008B91

Uniqueness

Uniqueness Score: -1.00%

Function 02380838 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a4780a1ff5458ad98e7c001608a39fd7da9772a32af363d6b0b271943be403
Instruction ID: 92864f5a06696662823352ce8aab9e4488867304c401f8cd300fc377b97ac7f3
Opcode Fuzzy Hash: d6a4780a1ff5458ad98e7c001608a39fd7da9772a32af363d6b0b271943be403
Instruction Fuzzy Hash: A6114874E002489FDB46EFB4D9646DEBFB1EF45300F1089AAD055A7254EA315A0ADF80

Uniqueness

Uniqueness Score: -1.00%

Function 02382F18 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ad67321d72f42461eb8013ff5c7a59aa9cf27fd36aec192cb075faa8288c34
Instruction ID: 3cef4708a8c92e5d1e1fd9ff95648b9438555912e34736097f0b8bed2b8e4699
Opcode Fuzzy Hash: 13ad67321d72f42461eb8013ff5c7a59aa9cf27fd36aec192cb075faa8288c34
Instruction Fuzzy Hash: 61018B757402504FC785EB3CE418A1EBBE6DFCD26132100A9E80ACF362EE20DC058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02381310 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee61dd905336399155e08e6094ad9b7a96aba3426ff51308ed81887c40978cc
Instruction ID: 0490c72c84855bc3484e08ad2fb75706e3d095d4d972b0423d9be618076ae7c8
Opcode Fuzzy Hash: 6ee61dd905336399155e08e6094ad9b7a96aba3426ff51308ed81887c40978cc
Instruction Fuzzy Hash: 1A017135A00309DBEF14EBA4C555BAEBBF9AB4C710F100429D506FB780DBB59945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02382EA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82b1fda6ef96e2b29d0d99819ba93282508cbd134ff01bde5594484357b846b
Instruction ID: c8edc2524a65c4796d09d6a64a016cdd4988054ce256a7831567942f1e3fee42
Opcode Fuzzy Hash: c82b1fda6ef96e2b29d0d99819ba93282508cbd134ff01bde5594484357b846b
Instruction Fuzzy Hash: AEF0FC757402804FC745AB38D4689AE7FF7DFC922531104A9E84ACB362ED24CD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02382F28 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe699902c9b61633fb1169d9938617da7993a1c88d73be17047cf7913db43169
Instruction ID: b6756222380c826b9ea2e1aa759648e78d42759b786303c3602243609d2459b5
Opcode Fuzzy Hash: fe699902c9b61633fb1169d9938617da7993a1c88d73be17047cf7913db43169
Instruction Fuzzy Hash: B3F04F757501104FC744EB3DE018A1E7BE7DFCC66532100A9E50ACF365EE20DD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 02380848 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2fb648c1a91acd68cad4a0a30d20a858567bfb6029544976118fdc15b78788
Instruction ID: 49379787dd9b065c6ceede1ad9721a0d9ee94e9a3fe666b2b84855cdab94a1bb
Opcode Fuzzy Hash: 6b2fb648c1a91acd68cad4a0a30d20a858567bfb6029544976118fdc15b78788
Instruction Fuzzy Hash: 69012574E00308AFDB45EFF4D9546DEBBB6EF48300F1089AAD116AB254EB305A05DF81

Uniqueness

Uniqueness Score: -1.00%

Function 023828A0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1f7af6d16ee1c8fe8a6668ffdf00c9967a3d873f311d057440b0827c8d47
Instruction ID: fb507e5aa42f8912e18f52e8b5074117ffb61bdddef390cc6627f1cfedee74df
Opcode Fuzzy Hash: b4cf1f7af6d16ee1c8fe8a6668ffdf00c9967a3d873f311d057440b0827c8d47
Instruction Fuzzy Hash: 88F02E357002445FDB11A67AD8947DF7FE6CFC4360B4440B1ED45CB212EA309C068A51

Uniqueness

Uniqueness Score: -1.00%

Function 02383859 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29eca4dc868ba5f22fadb386d21950e2dba876cc448ef1389f0350f0655e4711
Instruction ID: dc65b68ec31a07f7991c4fb33a5b41d69bb07b59879bd6fcc4fe1687a6f36738
Opcode Fuzzy Hash: 29eca4dc868ba5f22fadb386d21950e2dba876cc448ef1389f0350f0655e4711
Instruction Fuzzy Hash: 61F0E560789340AFDB2566751C11B717B699F83B40F1444EAE184DE1D1D990A800C256

Uniqueness

Uniqueness Score: -1.00%

Function 02380C75 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f9aa73b0603c4c6537d7788b193e6e26b6a5892321a7d87957eb9f3979ad21
Instruction ID: 8ed240b4709c4d52e912c94f0211f3a7aac7ce55271dd29167ebfa54ced611fa
Opcode Fuzzy Hash: d7f9aa73b0603c4c6537d7788b193e6e26b6a5892321a7d87957eb9f3979ad21
Instruction Fuzzy Hash: 24E08C35B457108BCA0A6A7451683EC2B62DBC621BB010869D206CF280CF29CA06D7C8

Uniqueness

Uniqueness Score: -1.00%

Function 023825F9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a8c870b09ac7a7fca323e86131327d33d4f15ddd8cd6db4199d531625cf5eb
Instruction ID: 276570a0c6d967cd8604a5f7104c188e9dd075abe17a03fd33459f3af121f0a0
Opcode Fuzzy Hash: 98a8c870b09ac7a7fca323e86131327d33d4f15ddd8cd6db4199d531625cf5eb
Instruction Fuzzy Hash: 8BE09270905288EFC701DFB4D99599EFFF9EF46305B0004D9D844DB211D5346A06DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02382608 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d550f2ab07755345de52871104fa1b5523f7d794055308ecaeec45bcc3d7b53
Instruction ID: 4a3fab4a3024c62b826e778a5c5bab7df787e38f6043c82b5d9092974645bcfb
Opcode Fuzzy Hash: 8d550f2ab07755345de52871104fa1b5523f7d794055308ecaeec45bcc3d7b53
Instruction Fuzzy Hash: EDD05E75E0120CEFCB00EFA4DA0095DF7FAEB8430AF1045A8D409E3210EA312F059BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02382640 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d810dfdd5705c75d3b211d1e71342581ed694c5fd609d81d48d531b651ff49
Instruction ID: 7322394e3b797f2acf2cc8858875b62d689ff4f34dbabb15e9edfc7f98239bcb
Opcode Fuzzy Hash: 50d810dfdd5705c75d3b211d1e71342581ed694c5fd609d81d48d531b651ff49
Instruction Fuzzy Hash: 74C08C31A8C3D12FEB038BB45C92BA5BF64EF03301F1808C6E180CF0D2C208A016C322

Uniqueness

Uniqueness Score: -1.00%

Function 023827D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1a23cc9aecf0ca9bf5e7ff354e336f09801e19391b76cbada084c3dd72dc78
Instruction ID: 7ddf9eb18d6c5011f95ed0765e97c7f5a2f99dfd96303753f52e9737ea957c7d
Opcode Fuzzy Hash: ad1a23cc9aecf0ca9bf5e7ff354e336f09801e19391b76cbada084c3dd72dc78
Instruction Fuzzy Hash: 6CB0113028830C0A2A80AAB22C0AB23B28CAA00A08B800820EC0CC2802FB20E82002A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02381098 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

\s$r, xrefs: 02381213

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID: \s$r
API String ID: 0-3117107385
Opcode ID: 58a1d9a83712519885ad1f154098da4e213a1a85713f3a7dd9d1d784eb96bc1b
Instruction ID: 8f6a3cd83c92b003919afff40f5f8dbe93b8b5bc3b553b56aff57ee0c2ea358f
Opcode Fuzzy Hash: 58a1d9a83712519885ad1f154098da4e213a1a85713f3a7dd9d1d784eb96bc1b
Instruction Fuzzy Hash: A57116B8E4020E9FDF14DFAAD484ABEBBB1BF48300F10A659D406EB250DB359941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02381D00 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.81165237709.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2380000_Document for shipping.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3c14e82c35855e95f3811927327b25bff1b86703c46193946e4a08c615953c
Instruction ID: bc24c252e030579d9df060f86617c9c624d5e348ac43f3bfdef7aa4a6926502c
Opcode Fuzzy Hash: 0a3c14e82c35855e95f3811927327b25bff1b86703c46193946e4a08c615953c
Instruction Fuzzy Hash: 3441F079E5411E9FDF14CFA9E481DEDB3F2BF88305B11A629E01AEB245CB31A945CB40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document for shipping.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Document for shi_1e66adbaabbf5113cadc695eb21a9b827719b085_a5a929e4_dc820042-fdf7-4e79-be5a-b9c3276b8ecf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53B2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53E2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Document for shipping.exePID: 7148, Parent PID: 5356

Windows Analysis Report
Document for shipping.exe