Play interactive tour

Edit tour

Analysis Report Shipping Documents000000000000000000020.exe

Overview

General Information

Sample Name:	Shipping Documents000000000000000000020.exe
Analysis ID:	385348
MD5:	88926051eb8f9a2ff4ab25ce7a0ad41a
SHA1:	e67ecfbae026b6643e2efb7e22a0b209658d943a
SHA256:	40295912aeeb49a6c9cb45bf5981e80ed788de2984e6306ccfd8cbfdc6855c9c
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Shipping Documents000000000000000000020.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe' MD5: 88926051EB8F9A2FF4AB25CE7A0AD41A)

powershell.exe (PID: 5992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Shipping Documents000000000000000000020.exe (PID: 816 cmdline: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe MD5: 88926051EB8F9A2FF4AB25CE7A0AD41A)

Shipping Documents000000000000000000020.exe (PID: 5752 cmdline: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe MD5: 88926051EB8F9A2FF4AB25CE7A0AD41A)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ab@noradobe.commax@#1235smtp.noradobe.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Shipping Documents000000000000000000020.exe.452eed8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Shipping Documents000000000000000000020.exe.452eed8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ab@noradobe.commax@#1235smtp.noradobe.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: Shipping Documents000000000000000000020.exe

Virustotal: Detection: 31%

Perma Link

Machine Learning detection for sample

Show sources

Source: Shipping Documents000000000000000000020.exe

Joe Sandbox ML: detected

Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: Shipping Documents000000000000000000020.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Shipping Documents000000000000000000020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: System.Management.Automation.pdb Windows source: powershell.exe, 00000002.00000002.761718998.000000000076E000.00000004.00000020.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49771 -> 208.91.199.224:587

Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: http://RsDqkEurDsEYEYdu6ifh.net
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: http://RsDqkEurDsEYEYdu6ifh.netp
Source: powershell.exe, 00000002.00000003.752237664.00000000007B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000003.760649561.0000000008CC0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: http://hhMcag.com
Source: powershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.679109370.0000000002C67000.00000004.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000000.00000002.678238591.0000000002C11000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.762903505.0000000004131000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.679109370.0000000002C67000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911793482.0000000002E9F000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Shipping Documents000000000000000000020.exe	String found in binary or memory: http://weather.gc.ca/astro/seeing_e.html)
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.651082600.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigner
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.651217175.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.651941330.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.652876433.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.652876433.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlX
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000000.00000003.652482542.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.648814135.000000000810B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.650057465.00000000080FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.650233295.00000000080F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.655343399.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm&
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.655343399.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmb
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krtn
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.651043701.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com-r
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.651043701.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com.
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krP
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krn-u
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krrmal
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kru-r5
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.649103390.000000000810B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com0
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de.r
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dee
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping Documents000000000000000000020.exe, 00000000.00000003.650368334.00000000080F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cneD
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: powershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000003.737966315.0000000004AE1000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.761613549.00000000006F0000.00000004.00000020.sdmp	String found in binary or memory: https://ion=v4.5
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b037AF53Eu002dBCFCu002d4C0Fu002dBE1Du002d31131A909FA4u007d/A7A768EAu002dCB92u002d4FAFu002d9F4Cu002d47F2075D610B.cs

Large array initialization: .cctor: array initializer size 11974

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Shipping Documents000000000000000000020.exe

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_02AAD010	0_2_02AAD010
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_02AA3A88	0_2_02AA3A88
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_02AA3A79	0_2_02AA3A79
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_02AA3B50	0_2_02AA3B50
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_0807D370	0_2_0807D370
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_080A00CB	0_2_080A00CB
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_080A027D	0_2_080A027D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_008FD321	2_2_008FD321
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D42D50	5_2_00D42D50
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D41FF0	5_2_00D41FF0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D4BBF0	5_2_00D4BBF0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D42768	5_2_00D42768
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D475E8	5_2_00D475E8
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D49AC3	5_2_00D49AC3
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D50CA0	5_2_00D50CA0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D5F080	5_2_00D5F080
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D5AD30	5_2_00D5AD30
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D55ED8	5_2_00D55ED8
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D53F08	5_2_00D53F08
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_029947A0	5_2_029947A0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_02994790	5_2_02994790
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_02994753	5_2_02994753
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_0299D7B0	5_2_0299D7B0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D562F0	5_2_00D562F0

Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.685157704.0000000004645000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.695864065.0000000011D70000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.695864065.0000000011D70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678238591.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000000.644586199.0000000000998000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.695267930.0000000011C70000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.693049376.0000000009770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678948249.0000000002C59000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevdsWZZIMnNFFEXhbCRbjgqtZrPAuKaBxxOBNYQS.exe4 vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000004.00000002.671324035.0000000000118000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000005.00000000.672407506.0000000000828000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamevdsWZZIMnNFFEXhbCRbjgqtZrPAuKaBxxOBNYQS.exe4 vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.909925723.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe	Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe

Source: Shipping Documents000000000000000000020.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Shipping Documents000000000000000000020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@8/7@0/0

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents000000000000000000020.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1e3l3n3j.fey.ps1

Jump to behavior

Source: Shipping Documents000000000000000000020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: Shipping Documents000000000000000000020.exe

Virustotal: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Shipping Documents000000000000000000020.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Shipping Documents000000000000000000020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: System.Management.Automation.pdb Windows source: powershell.exe, 00000002.00000002.761718998.000000000076E000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_008C2A15 push 00000035h; iretd	0_2_008C2A17
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_02AA70CC push edi; iretd	0_2_02AA70D6
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_0807FA98 push 380808C3h; ret	0_2_0807FA9D
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_0807FAA0 push esp; ret	0_2_0807FAA1
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_08076F80 push eax; mov dword ptr [esp], ecx	0_2_08076F84
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 0_2_0807137F push ecx; ret	0_2_08071395
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_008F12A1 push es; ret	2_2_008F12B0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 4_2_00042A15 push 00000035h; iretd	4_2_00042A17
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00752A15 push 00000035h; iretd	5_2_00752A17
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D47871 push ss; iretd	5_2_00D47872
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D4BA50 pushfd ; retf	5_2_00D4BA59
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D47A37 push edi; retn 0000h	5_2_00D47A39
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00D44F59 push es; iretd	5_2_00D44F5A
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00FED95C push eax; ret	5_2_00FED95D
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Code function: 5_2_00FEE28A push eax; ret	5_2_00FEE349

Source: initial sample

Static PE information: section name: .text entropy: 7.50975674252

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4056	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2702	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Window / User API: threadDelayed 1436	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Window / User API: threadDelayed 8401	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 7032	Thread sleep time: -101052s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 7052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 7164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5536	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 5664	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 5592	Thread sleep count: 1436 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 5592	Thread sleep count: 8401 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 101052	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.693194635.0000000009840000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678948249.0000000002C59000.00000004.00000001.sdmp	Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.693194635.0000000009840000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareZA5VSKAZWin32_VideoControllerOEZ77T6UVideoController120060621000000.000000-0002167..14display.infMSBDAU2GWMKX7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsGESZD_RK
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910428362.0000000000F34000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678948249.0000000002C59000.00000004.00000001.sdmp	Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'			Jump to behavior

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Jump to behavior

Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Documents000000000000000000020.exe.452eed8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Documents000000000000000000020.exe.452eed8.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028, type: MEMORY
Source: Yara match	File source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Documents000000000000000000020.exe.452eed8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Documents000000000000000000020.exe.452eed8.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping1	Query Registry1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	File and Directory Permissions Modification1	LSASS Memory	Security Software Discovery321	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion241	NTDS	Virtualization/Sandbox Evasion241	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection12	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Shipping Documents000000000000000000020.exe	31%	Virustotal		Browse
Shipping Documents000000000000000000020.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://hhMcag.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com0	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cneD	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://weather.gc.ca/astro/seeing_e.html)	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.krrmal	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmb	0%	Avira URL Cloud	safe
http://www.sandoll.co.krP	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://RsDqkEurDsEYEYdu6ifh.netp	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigner	0%	Avira URL Cloud	safe
http://RsDqkEurDsEYEYdu6ifh.net	0%	Avira URL Cloud	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.sakkal.com.	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.sakkal.com-r	0%	Avira URL Cloud	safe
http://www.sandoll.co.kru-r5	0%	Avira URL Cloud	safe
http://www.goodfont.co.krtn	0%	Avira URL Cloud	safe
https://ion=v4.5	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://hhMcag.com	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	Shipping Documents000000000000000000020.exe, 00000005.00000002.911793482.0000000002E9F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.tiro.com0	Shipping Documents000000000000000000020.exe, 00000000.00000003.649103390.000000000810B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cneD	Shipping Documents000000000000000000020.exe, 00000000.00000003.650368334.00000000080F3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	Shipping Documents000000000000000000020.exe, 00000000.00000002.679109370.0000000002C67000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://weather.gc.ca/astro/seeing_e.html)	Shipping Documents000000000000000000020.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krrmal	Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comic	Shipping Documents000000000000000000020.exe, 00000000.00000003.648814135.000000000810B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmb	Shipping Documents000000000000000000020.exe, 00000000.00000003.655343399.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krP	Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.ascendercorp.com/typedesigners.html	Shipping Documents000000000000000000020.exe, 00000000.00000003.651217175.00000000080FC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	Shipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.micr	powershell.exe, 00000002.00000003.760649561.0000000008CC0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Shipping Documents000000000000000000020.exe, 00000000.00000002.679109370.0000000002C67000.00000004.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000000.00000002.678238591.0000000002C11000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.762903505.0000000004131000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Shipping Documents000000000000000000020.exe, 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://RsDqkEurDsEYEYdu6ifh.netp	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000003.737966315.0000000004AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigner	Shipping Documents000000000000000000020.exe, 00000000.00000003.651082600.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://RsDqkEurDsEYEYdu6ifh.net	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp	false		high
https://api.ipify.org%$	Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	Shipping Documents000000000000000000020.exe, 00000000.00000003.650233295.00000000080F3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com.	Shipping Documents000000000000000000020.exe, 00000000.00000003.651043701.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	Shipping Documents000000000000000000020.exe, 00000000.00000003.650057465.00000000080FF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com-r	Shipping Documents000000000000000000020.exe, 00000000.00000003.651043701.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000000.00000003.652482542.00000000080FC000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kru-r5	Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.krtn	Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	Shipping Documents000000000000000000020.exe, 00000000.00000003.652876433.00000000080FC000.00000004.00000001.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000002.00000002.761613549.00000000006F0000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/staff/dennis.htm&	Shipping Documents000000000000000000020.exe, 00000000.00000003.655343399.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlX	Shipping Documents000000000000000000020.exe, 00000000.00000003.652876433.00000000080FC000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.krn-u	Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Shipping Documents000000000000000000020.exe, 00000000.00000003.651941330.00000000080FC000.00000004.00000001.sdmp	false		high
http://www.urwpp.de.r	Shipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.dee	Shipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385348
Start date:	12.04.2021
Start time:	11:09:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Shipping Documents000000000000000000020.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@8/7@0/0
EGA Information:	Successful, ratio: 75%
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1.2%) Quality average: 45% Quality standard deviation: 34.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 218 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Execution Graph export aborted for target Shipping Documents000000000000000000020.exe, PID 816 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:10:01	API Interceptor	609x Sleep call for process: Shipping Documents000000000000000000020.exe modified
11:10:31	API Interceptor	30x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents000000000000000000020.exe.log Download File
Process:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.341099307467139
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHg
MD5:	69867B278D60059171E44B9D996D3934
SHA1:	A3EA48217800614A1813EFAC9EF10DFD1436B5CA
SHA-256:	F0BBFC5D53409EC9D7886DCF55E7D909AFD054B5C312624209D364F750ED5FEC
SHA-512:	1539E7F2FA2BEADC006505C2F4FB6CCF065B31FE5E15CFC74C8578440C814B7BB1AADC2F77910F7E7CD85D0F0FABBC1AA57E4DDFEB148E9038C4D855E572C36E
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.996142136926143
Encrypted:	false
SSDEEP:	384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
MD5:	B7D3A4EB1F0AED131A6E0EDF1D3C0414
SHA1:	A72E0DDE5F3083632B7242D2407658BCA3E54F29
SHA-256:	8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
SHA-512:	F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
Malicious:	false
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20556
Entropy (8bit):	5.578322063144952
Encrypted:	false
SSDEEP:	384:CtADeEURwGxx7UQwYeOYSBKnSultIiP7Q99ghSJUeRu1BMrmrZ9J1ldS:MLx7UIY4KSultdE8hXe1aG
MD5:	892EBE5CEDC22F8692C84292998371E4
SHA1:	FCE3038D2157031342A987867888DCE4D5F224A6
SHA-256:	78886D96675465B2836F750523CD91FD8035C5147AD8F1048EB3D5D999D8737E
SHA-512:	BD80DFC302922C24DF02F088FA42EA16460B26E2EBEBDC5332B1256FBB1F04FFA59E7DA74567E3C8C5A19ECC1AA74309BC6A1672542540977197F4DC8D8E2247
Malicious:	false
Preview:	@...e.....................E.....g.......'............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)b.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1e3l3n3j.fey.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqrz2va4.wdb.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Documents\20210412\PowerShell_transcript.980108.pF4zasZh.20210412111006.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3703
Entropy (8bit):	5.274164731646126
Encrypted:	false
SSDEEP:	96:BZyj8NNqDo1Z2jZcj8NNqDo1Z8qhW0cW0cW0tZP:Pyyg
MD5:	E5642136880E6A99ACE40163E854D870
SHA1:	467D6F63C0CA1BF941707699996C2599DFB3C659
SHA-256:	B288FF9F2B034C7D20DE245F523CD00047C60F40C04A31353D358BBA256A6937
SHA-512:	3ABE21747D1ECDC5EC8197726A51A4382C2BAE3CD0F99270300B131913682CB96BD797197BF1266C810AC4958DFFC31554D74ED809C45D795B8920797A8E5617
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210412111021..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe..Process ID: 5992..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210412111021..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe..******************..Command start time: 20210412111422..********************..PS>TerminatingError(Add-MpPr

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Preview:	..127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.501743091602637
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Shipping Documents000000000000000000020.exe
File size:	872960
MD5:	88926051eb8f9a2ff4ab25ce7a0ad41a
SHA1:	e67ecfbae026b6643e2efb7e22a0b209658d943a
SHA256:	40295912aeeb49a6c9cb45bf5981e80ed788de2984e6306ccfd8cbfdc6855c9c
SHA512:	11651c034a9c7533c573359db6c8a312061824f37db033ba23bfc050f54e68768e37e92343613aedc9485964b5d2c25066b42c85d89bc5fddd930fe2509f2492
SSDEEP:	12288:ig6kXAJ/2b2wJM0YoIVVT3qkZwQd4Ewym5oAA0K9oehaU+hDVD2UAdgGwUtMI6yh:0wAJUb0dPwyko+ONaU+hkd
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....us`..............P..F...........d... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4d64ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607375EE [Sun Apr 11 22:19:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd645c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd44b4	0xd4600	False	0.755054673705	data	7.50975674252	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xd8000	0x800	0x800	False	0.34423828125	data	3.62173282807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd80a0	0x3e8	data
RT_MANIFEST	0xd8488	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright CodeUnit 2007
Assembly Version	2007.8.28.1
InternalName	IPermissionSetEntry.exe
FileVersion	2007.08.28.1
CompanyName	CodeUnit
LegalTrademarks
Comments	Image Size Standardiser
ProductName	Image Size Standardiser
ProductVersion	2007.08.28.1
FileDescription	Image Size Standardiser
OriginalFilename	IPermissionSetEntry.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Shipping Documents000000000000000000020.exe PID: 7028 Parent PID: 5904

General

Start time:	11:09:51
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Imagebase:	0x8c0000
File size:	872960 bytes
MD5 hash:	88926051EB8F9A2FF4AB25CE7A0AD41A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 5992 Parent PID: 7028

General

Start time:	11:10:03
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Imagebase:	0x920000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6232 Parent PID: 5992

General

Start time:	11:10:03
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Shipping Documents000000000000000000020.exe PID: 816 Parent PID: 7028

General

Start time:	11:10:04
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Imagebase:	0x40000
File size:	872960 bytes
MD5 hash:	88926051EB8F9A2FF4AB25CE7A0AD41A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Shipping Documents000000000000000000020.exe PID: 5752 Parent PID: 7028

General

Start time:	11:10:04
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Imagebase:	0x750000
File size:	872960 bytes
MD5 hash:	88926051EB8F9A2FF4AB25CE7A0AD41A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Shipping Documents000000000000000000020.exe PID: 7028 Parent PID: 5904 Shipping Documents000000000000000000020.exeCOMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Executed Functions

Function 080A00CB, Relevance: 1.5, Strings: 1, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 080A010C

Memory Dump Source

Source File: 00000000.00000002.688722280.00000000080A0000.00000040.00000001.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 63f34dc4919437d26c4f64e03737d16c5207ea1a25a2c966ed451ee9521a5116
Instruction ID: 76c3058ef1d9d057619cf3d591096fc70c0119d7207bd9d6057646378fce3b83
Opcode Fuzzy Hash: 63f34dc4919437d26c4f64e03737d16c5207ea1a25a2c966ed451ee9521a5116
Instruction Fuzzy Hash: EDA13774E04619CFDB14CF99D980BAEBBB2FF89305F208199D549AB345D7309981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 080A027D, Relevance: 1.5, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 080A010C

Memory Dump Source

Source File: 00000000.00000002.688722280.00000000080A0000.00000040.00000001.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: f45e385d2499875e118b27b9d737c0799e8c6aef6284bddf1c5d21ce09bae166
Instruction ID: aaf3b1fe565e6b0ae2536bcd9c5dad0fb134697092987bf5d4e3e65580ea6d7d
Opcode Fuzzy Hash: f45e385d2499875e118b27b9d737c0799e8c6aef6284bddf1c5d21ce09bae166
Instruction Fuzzy Hash: 18914674E04659CFCB64CFA9D980BAEBBB2BF89305F208199D509A7245D7309D81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0807D370, Relevance: .7, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60de0864b516b7a343c94f7b305aafbc4b22e5be8893125266bac5c487beac54
Instruction ID: 6c152260fea25735f06509711d2a1ba1fca4348811fbb9a553d72c8fb9a72245
Opcode Fuzzy Hash: 60de0864b516b7a343c94f7b305aafbc4b22e5be8893125266bac5c487beac54
Instruction Fuzzy Hash: 9542E438B11604CFCB699B78D45866D7BF2FF89206F10886EE94ADB364DF359842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AA3A88, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677062647.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930d193e9da11d3c51425bf4780cc56c88fe306da388bcff69791dcfd8685a8e
Instruction ID: 2c878a39a67deaee555ec5e1f344f6e3f79f794e001ab240699f0a8326316753
Opcode Fuzzy Hash: 930d193e9da11d3c51425bf4780cc56c88fe306da388bcff69791dcfd8685a8e
Instruction Fuzzy Hash: 6191F174E05209CFCB08CFEAD9909ADBBB2EF89300F20906AD516BB264DB349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02AA3A79, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677062647.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51d90d0ed533e2986936d57fec761cebbd1cf61e6efc2d8e184f912c6575ebc
Instruction ID: 0a4b6f446b1bfca7060eac89223354a7ea9f822bb0da714147dda52d7a7ecd8c
Opcode Fuzzy Hash: a51d90d0ed533e2986936d57fec761cebbd1cf61e6efc2d8e184f912c6575ebc
Instruction Fuzzy Hash: EB910374E05209CFDB08CFEAD990AADBBB2EF88300F24906AD516BB254DB349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02AA3B50, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677062647.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb19c9bf0ce10ffe896414a708dcb3228bd93eea054fdc6da91b810aed8fd487
Instruction ID: 8d87790e60926d257e3da14bf591b74ebb8aebaa03b5262439e05126a12e3a5e
Opcode Fuzzy Hash: bb19c9bf0ce10ffe896414a708dcb3228bd93eea054fdc6da91b810aed8fd487
Instruction Fuzzy Hash: B971E274E05209CFCF04CFE9D9909ADBBB2EF88300F24946AD616BB264DB309941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02AAD010, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677062647.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650d55c13fe95df45397e6bee80f4cbea22efcdf69891efdf4c139c1fa03a57d
Instruction ID: 97c8d198a1c5708ce57aeb21769a69baabbab6d699ccc4eb53d8b39b6a4ccf50
Opcode Fuzzy Hash: 650d55c13fe95df45397e6bee80f4cbea22efcdf69891efdf4c139c1fa03a57d
Instruction Fuzzy Hash: 3D317A70E0560ADBCB04CFA5D5525AEFBB6EF8A301F10D42AC45AA7648DB349A02CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02AAD510, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02AAD570
GetCurrentThread.KERNEL32 ref: 02AAD5AD
GetCurrentProcess.KERNEL32 ref: 02AAD5EA
GetCurrentThreadId.KERNEL32 ref: 02AAD643

Memory Dump Source

Source File: 00000000.00000002.677062647.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 582229f2d8ef65fcfe2af2f2d84fb1d8ba6d69fe6c30be926e08b0e94f61b681
Instruction ID: 0a5edaf5b196df4897197e0666829c800ed50a2c50678399c9ab4c43df20dc68
Opcode Fuzzy Hash: 582229f2d8ef65fcfe2af2f2d84fb1d8ba6d69fe6c30be926e08b0e94f61b681
Instruction Fuzzy Hash: FA5155B09046498FDB14CFAAD68879EBBF0FF48318F248459E419B7750DB345984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 08071EF0, Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 080737BE
, xrefs: 080737B7

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: b3dfb2ba172c8561d2a2f96ae6d2d77b3721153c926f08dc6c889c7a953bde26
Instruction ID: 7650bf18ed5649c0f5f13787c96df6d1a4af570324b530328da8d1a3d25d4cce
Opcode Fuzzy Hash: b3dfb2ba172c8561d2a2f96ae6d2d77b3721153c926f08dc6c889c7a953bde26
Instruction Fuzzy Hash: B5619235920705CFEB00EF2DD495555BBF2FF89304B4286A9E849AB356EB71E9C4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08073770, Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 080737BE
, xrefs: 080737B7

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: fb40c3e4063d0186a7cb93fc8b85cec91f475098646527d9eec2459909a35da8
Instruction ID: b122cb4c23a8997e613897f6255ece8144a51c10bfc7fbd7b8cea1a391bbe3ee
Opcode Fuzzy Hash: fb40c3e4063d0186a7cb93fc8b85cec91f475098646527d9eec2459909a35da8
Instruction Fuzzy Hash: 8061C835920705CFEB00DF2CD496655BBF2FF45304B4285A9E849AB356EB71E9C4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02AADB40, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AADBC7

Memory Dump Source

Source File: 00000000.00000002.677062647.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4f4d842c105556034d7112b487819597e000a4315ff1a824a1431df4aaa2f915
Instruction ID: 893a0766749359e435c008c27f3b1f0f7ead5e5418c34e79364a4ff72975635d
Opcode Fuzzy Hash: 4f4d842c105556034d7112b487819597e000a4315ff1a824a1431df4aaa2f915
Instruction Fuzzy Hash: EA21F5B5901208DFDB10CFAAD984ADEBBF8FF48324F14841AE954A7710D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08078C70, Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 08078E47

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5a702a23393e72abadb176fedef125e9ec0bd502a4bf43c388b64c6fbf303176
Instruction ID: f41cdef4d7489f3d9d58c37bcb649e53e06fdfb32bd94a7737ac015951c13ca6
Opcode Fuzzy Hash: 5a702a23393e72abadb176fedef125e9ec0bd502a4bf43c388b64c6fbf303176
Instruction Fuzzy Hash: A4D10B75D1020ACFCF04DFA8D5888EDB7B2FF88315B218659D80677259DB70AA86CF84

Uniqueness

Uniqueness Score: -1.00%

Function 08078C60, Relevance: 1.5, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 08078E13

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9ce1448f8c72e0d1ff1af14bb5b2dd6ad5a1d1df4be8597854079a44e6e008ff
Instruction ID: 16c37450889a34df025b60020969e0a0cc8d413c484d018a795f0f6bd32af6c0
Opcode Fuzzy Hash: 9ce1448f8c72e0d1ff1af14bb5b2dd6ad5a1d1df4be8597854079a44e6e008ff
Instruction Fuzzy Hash: B9A1EC3591060ACFCF04DFA8D9848DDB7B1FF98314B218659E81677259DB70EA8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 08079010, Relevance: .7, Instructions: 729
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d4c87bc2db512a90a84b565c041c95411b22810b26bd1d9f42466e6589d61d
Instruction ID: b826c6e451e440ce53ab9e900e3fb6d79ec956b8cb9d87acf8f67ad99ed1789d
Opcode Fuzzy Hash: 90d4c87bc2db512a90a84b565c041c95411b22810b26bd1d9f42466e6589d61d
Instruction Fuzzy Hash: B4723D31910609CFDB04EF78D899A9DBBB1FF55301F008699D54AAB265EF30AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 080759E0, Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26e5debaea1a2824e1ce64ac79dcbf1a1f61c4add1058deead829860bfadd9b
Instruction ID: 83a33ee5855120864b09c022cc354f48e1817ddd4ecb5c9f36407eafb97895d2
Opcode Fuzzy Hash: b26e5debaea1a2824e1ce64ac79dcbf1a1f61c4add1058deead829860bfadd9b
Instruction Fuzzy Hash: 4042D831E10619CFCB14DFA8C8846DDB7B2FF89305F1086A9D459BB261EB70AA85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0807AC50, Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdf944418080b3cdee9278675841f9f092985c0377dc9ef939b4089fb0c0d99
Instruction ID: 580f583b6e9b18efe0d4d53006dee8d17658b655661dab65c03062b61fbd0432
Opcode Fuzzy Hash: dbdf944418080b3cdee9278675841f9f092985c0377dc9ef939b4089fb0c0d99
Instruction Fuzzy Hash: 75223834A10219CFCB54DF69C894AADB7F2BF89305F5085A9E819EB3A1DB30AC45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0807D360, Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111fa15829e5af8a0c69b8d13f583350923f321f458b62794a044b52a24e2a96
Instruction ID: 07e25f6e44135a95e0535609cd6dbfc70d465c91ddd26285220154a9cdc3edac
Opcode Fuzzy Hash: 111fa15829e5af8a0c69b8d13f583350923f321f458b62794a044b52a24e2a96
Instruction Fuzzy Hash: 0DE10338B01644CFCB699F78C4586697BF2FF89316F1444AEE80ADB364DB31A842CB55

Uniqueness

Uniqueness Score: -1.00%

Function 080759D0, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cb75f4ebc94422df1001d06b39d0230f8354b11816e6f50cab731905fa3b52
Instruction ID: 91ea1283a1ec95a9be6bfcb0bf664e3222630638f6f7025c541bf2ed67a66ea5
Opcode Fuzzy Hash: b0cb75f4ebc94422df1001d06b39d0230f8354b11816e6f50cab731905fa3b52
Instruction Fuzzy Hash: FFE1E735E10619CFCB24DF68C8946EDB7B2FF49301F1486A9D419AB261EB30AE85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0807EB00, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955322459e9daac189326f12c55e78a9e8f2a685a6b216a2dc50f3f2dd3344aa
Instruction ID: e9fd141801898316e9aa88d9b1670de9b2993636cfb033ef273889b4fbc47f43
Opcode Fuzzy Hash: 955322459e9daac189326f12c55e78a9e8f2a685a6b216a2dc50f3f2dd3344aa
Instruction Fuzzy Hash: E0C18834F0160ACFCB14DFA9C8845AEBBF2FF88705B1085AAD516E7750DB30A956CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0807F390, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62756e04b05b0afb7d7760ad88598792bd17be106d95ef5f49c8eb3865e90fb8
Instruction ID: d54dd99d4ace33b0a32bd30c3f66ab45ea0b4dffb269f83b3336a47e78b325b8
Opcode Fuzzy Hash: 62756e04b05b0afb7d7760ad88598792bd17be106d95ef5f49c8eb3865e90fb8
Instruction Fuzzy Hash: 47A11131A00346CFCB11CF28D4809AEBBF2FF85315B15C96AD455DB265DB30E98ACBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0807A488, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac14c0e1ba466f474093eae62eaa55013e7676fdc92ba31d2d4eec4fb8a1f837
Instruction ID: cbca102616d5332919ec15d61754d0c19060a7191614d132ad33326753416786
Opcode Fuzzy Hash: ac14c0e1ba466f474093eae62eaa55013e7676fdc92ba31d2d4eec4fb8a1f837
Instruction Fuzzy Hash: CFC10834E10619CFCB54DF69C884ADDB7B2FF89315F1186A9E409AB361EB30A985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0807A478, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab4f1bdaab6f322f3111e71b77c23d780ad7754685685de3364ea8a7984517d
Instruction ID: a5e2892f4fb545d046e545b1aa885149bac51eab02128ba4f994a0b267190086
Opcode Fuzzy Hash: eab4f1bdaab6f322f3111e71b77c23d780ad7754685685de3364ea8a7984517d
Instruction Fuzzy Hash: 88A11B35E10619CFCB54DF68C884ADDB7B2FF89315F1186A9D549AB321EB30AA85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 080708D0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66f8a584bd66c64a6cd18722a2e82c9622c7ba80b1c8f72f0ab958a2f321e47
Instruction ID: 52c3deb870098758a33d9c10f0d8751410d4438e58633ac63e5f66286560fa14
Opcode Fuzzy Hash: d66f8a584bd66c64a6cd18722a2e82c9622c7ba80b1c8f72f0ab958a2f321e47
Instruction Fuzzy Hash: 5071B031A106198FCB09EF78C49059AB7F6FF89304B11866CD519AB365EF30EC85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 080789A0, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec406cd6a4721264dd8d07c25954be10c3761d7a37965fe790b00a12d2f45945
Instruction ID: 5d801e5ae8aa99aaf46bac277af790f8b71183396a36b6b92b217fa5983ff25c
Opcode Fuzzy Hash: ec406cd6a4721264dd8d07c25954be10c3761d7a37965fe790b00a12d2f45945
Instruction Fuzzy Hash: 4B91F67191060ACFCB41DF68C884999FBF5FF89310B14C69AE919EB255EB70E985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 08077308, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c56ab62b7af7757e2be0ce6451761364d291028a0b5fdfd59844c9bc882760
Instruction ID: ad1a64cd30ce5028cc3977ffb4d57ebf388c874280df120b6eca4bca25600820
Opcode Fuzzy Hash: 49c56ab62b7af7757e2be0ce6451761364d291028a0b5fdfd59844c9bc882760
Instruction Fuzzy Hash: 1A71DDB9700A00CFC728DF29C59895ABBF2BF8920571589A9E54ACB372DB71EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08077118, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf8f9c01385c05fde03ba65fb2ec9f82a6baa3bc60b22c635b547c83b4b4b34
Instruction ID: afbde66d2f137d19fcd7a6c962d97fdd5711f08c27af9cf96392ba29215836f2
Opcode Fuzzy Hash: 4bf8f9c01385c05fde03ba65fb2ec9f82a6baa3bc60b22c635b547c83b4b4b34
Instruction Fuzzy Hash: 6371A274A042068FCB48CF69D584999FBF2FF4D314B1986A9E849DB312D734E885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 080772F8, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d45e11b9259c0150a0bba64d82a11b52addc7f8182bd759a0ff28031cb5d10
Instruction ID: 7e7dc72590f448d85fab9e09f172b9daaaa38604e14603a54cf8e047d2374626
Opcode Fuzzy Hash: 22d45e11b9259c0150a0bba64d82a11b52addc7f8182bd759a0ff28031cb5d10
Instruction Fuzzy Hash: 8671DFB9700A00CFC728DF29C598A59BBF2FF8920571589A9E54ACB772DB31EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08071170, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c278040c0dd5325cc11a3d65a91fb2cda167dc1802f7cc7c0b8a6fcb5141c2
Instruction ID: 02e729a11631a6af82f5c36dac7505fc974dc7805eddb726a4c06a83348fa30a
Opcode Fuzzy Hash: c0c278040c0dd5325cc11a3d65a91fb2cda167dc1802f7cc7c0b8a6fcb5141c2
Instruction Fuzzy Hash: E7719F74A01208EFCB55DFA8D884DAEBBB6BF48715F114098F901AB361DB31ED92CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0807E8C9, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68555f801ef03471c03c06ac9b7aacac8d7fabe6bca045af52abf65ddd269439
Instruction ID: beb669b866fa0df11c26d4023f8c95435b9a543473a7bfb9f0404a393bc6c675
Opcode Fuzzy Hash: 68555f801ef03471c03c06ac9b7aacac8d7fabe6bca045af52abf65ddd269439
Instruction Fuzzy Hash: 69616035E10619DFDB00DFB8D8549AEBBB2FF89300F00856EE446A7354EB309989CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0807AC40, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fb0a70941a052a5645bbc3ea202696c785a21855262f31d7213c97d49b0425
Instruction ID: f88ecadb19e45dd3d6ade747b88a8191da5a911c54bcb125d84b983f6d0a2cd3
Opcode Fuzzy Hash: 31fb0a70941a052a5645bbc3ea202696c785a21855262f31d7213c97d49b0425
Instruction Fuzzy Hash: 3E517B34B10204CFDB14EF69C494B9DB7F3AF89315F0485BCD91A9B3A1DB31A8098BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0807E8E0, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaa9a41c456e6e52be54cbae79775818610c583eb430ea2400afea626a5b453
Instruction ID: 28ee601deef15c88a8a9b60a87ba8ec6e7314343376f3ad34ec2b7b041930706
Opcode Fuzzy Hash: edaa9a41c456e6e52be54cbae79775818610c583eb430ea2400afea626a5b453
Instruction Fuzzy Hash: E1615035E10609DFDB14EFA8D8549AEFBB2FF89300F00856DE446A7354EB30A995CB81

Uniqueness

Uniqueness Score: -1.00%

Function 08072AE8, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e1a7501ffe0e657e1afa5b8a22389943b762679dcb53fc883a40c3f8508739
Instruction ID: 444cc79340de39321bb93c8e486c51d01f97eaa39a2579c88d078669a5cf99c6
Opcode Fuzzy Hash: d2e1a7501ffe0e657e1afa5b8a22389943b762679dcb53fc883a40c3f8508739
Instruction Fuzzy Hash: 0C51C131A0061A8FCB18DF78C45059EBBF2FF89249B10852DD51A9B790EF31E906CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 080723D9, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40eee330d1458b774be754b3c0cb51d4b8f4b37d21215766723e062bdc12071e
Instruction ID: 824f5571bec6c56b9aa738a3350cfb3713d5982e841723cab818eba15334c46e
Opcode Fuzzy Hash: 40eee330d1458b774be754b3c0cb51d4b8f4b37d21215766723e062bdc12071e
Instruction Fuzzy Hash: 9E51F634A106198FCB04DF68C89899DBBF6FF89704B1581A9E506EB371EB71EC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0807899A, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6231bf0090edbccf141ad97c1ebb622b382fa72dc01d3ded5bc6fe8b814f70
Instruction ID: e467874e271c5cf1a4645f176226522019d8defa0fa9f2ef727716950f99f7bb
Opcode Fuzzy Hash: ed6231bf0090edbccf141ad97c1ebb622b382fa72dc01d3ded5bc6fe8b814f70
Instruction Fuzzy Hash: 9451E57191070ACFCB41EF68C884999FBB5FF49310B14C79AE859EB255EB70E985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 080723E8, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad436771e1ccea5f5227e18134f64f4b5f4eae5a9bb70b1df052e5f14d0e2e17
Instruction ID: db446e8074048b86313526991ed3d0ff480f9e845c53e98db2ec03d524dd48f3
Opcode Fuzzy Hash: ad436771e1ccea5f5227e18134f64f4b5f4eae5a9bb70b1df052e5f14d0e2e17
Instruction Fuzzy Hash: 2751F634A10609CFCB04DF68C89899DBBF6FF89701B1585A9E506AB371EB71EC45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0807B538, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700272b714f81708785b134d86fbd159d2d36bf74f16f2919722c461106476b2
Instruction ID: dc41daa67c598f7c15b3fabcacb6f518b2cba820eb6e2b163ac4c83dba9440c9
Opcode Fuzzy Hash: 700272b714f81708785b134d86fbd159d2d36bf74f16f2919722c461106476b2
Instruction Fuzzy Hash: C9414735B046608F8B59A374942467E36E7AFC462A715847DCA06CF3A4EF35CC02C3EA

Uniqueness

Uniqueness Score: -1.00%

Function 08079C28, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1129bfb2a71f2cc73668e5d59d6f0c5d6d8190398c5407f7f947ce28bc75a33
Instruction ID: 178d35c2288f4907618b6193e51195012974ad1430c96234730e48973c668d62
Opcode Fuzzy Hash: f1129bfb2a71f2cc73668e5d59d6f0c5d6d8190398c5407f7f947ce28bc75a33
Instruction Fuzzy Hash: 4C517575D00209DFCB04DF98D988AADBFB2FF49311F158169E806AB355DB30AE85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 080715D0, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a958deacbaae4c355c12d87c31e72dad4181e0855dae43b0b0f255c93af273de
Instruction ID: 32cb1e14ac9007ddd63aee7005c2308eb1b47100aaf571465c6954f35a0fee38
Opcode Fuzzy Hash: a958deacbaae4c355c12d87c31e72dad4181e0855dae43b0b0f255c93af273de
Instruction Fuzzy Hash: EE414774B102588FDB55DBAAC894EADBBF6AF89705F1440A9E501EB3B1CB71EC01CB14

Uniqueness

Uniqueness Score: -1.00%

Function 08070040, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dd0d4883798c856b5c52005219b6448dcfd84bd0907e68b57536f8d4946838
Instruction ID: f0f2b505a8955c2c85574bf3e3c6b02035b01120675aca7a159685a2a8c9ed4f
Opcode Fuzzy Hash: c8dd0d4883798c856b5c52005219b6448dcfd84bd0907e68b57536f8d4946838
Instruction Fuzzy Hash: 0E512874A01209EFDB14DF98D594B9EBBF2FF88311F208168E905A7390CB31AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 080729C7, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e68891fa7892f9b21ec0ea8571115d591cfe1fba7f93480dd3caea6cdfd39d
Instruction ID: 1bf4b83bf3961a9260b14037cf84532e27e0d5705f91620cf1d34dd9b51acf57
Opcode Fuzzy Hash: c9e68891fa7892f9b21ec0ea8571115d591cfe1fba7f93480dd3caea6cdfd39d
Instruction Fuzzy Hash: F441AF30700301DFDB24DB29C850A9AB7F6EF8A715B14856ED446CB762DB75EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08072CC0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc98d9a40615080adf1fd6031b6e83f11adecbe98185c466cc14ec2cb6e68f7
Instruction ID: d87d118f302f5a001830bf2e99fb1a9084040ae26eca2b0a4d2bcf4845e0724c
Opcode Fuzzy Hash: 3cc98d9a40615080adf1fd6031b6e83f11adecbe98185c466cc14ec2cb6e68f7
Instruction Fuzzy Hash: C6414A30F002199FCB59DBB9D8806EEB7F3AF49201F10452AE106EB390EB74AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08071C50, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb53f4b3781888508b91d5ad84918e5cb43d05e36e2d667a654ffaaf3a66a6c
Instruction ID: 43c7a79253d68addc5e4f14c3fe46f9d28cd2aca1f8f0064bafca6f6d4df7f34
Opcode Fuzzy Hash: 9fb53f4b3781888508b91d5ad84918e5cb43d05e36e2d667a654ffaaf3a66a6c
Instruction Fuzzy Hash: 2C413034A10719CFCB04EF78C4949DEB7B6FF89305F008559E1166B364EB71A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 08076669, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1f2d458d3940a88e9209fed397a0cc97bc3cfff65fb02d498f492cf101626d
Instruction ID: 2e5d70a286d43ef37fbddf011118fd9f30fff34918be81c9284de45da7769022
Opcode Fuzzy Hash: ac1f2d458d3940a88e9209fed397a0cc97bc3cfff65fb02d498f492cf101626d
Instruction Fuzzy Hash: 1B415334A10709CFCB04EF74C894ADDB7B2FF85305F018559E115AB364EB71A985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 080721A2, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c01d44fd1d15197588d74ff2df7ab2d0e46a87e4a2cf8f79055d871f30ea24c
Instruction ID: 44a8fb31892104740991c940d3afc1e462d5ab7f694fb1dd683367d1486cd396
Opcode Fuzzy Hash: 5c01d44fd1d15197588d74ff2df7ab2d0e46a87e4a2cf8f79055d871f30ea24c
Instruction Fuzzy Hash: 49413838B20510CFCB44DF68C498AA977F6FF89611B1584AAE51ADB371CB70EC01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 08074420, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126c7c78190222a120247f33853b044e5dee6603b328aebb72cc4f37e64554ef
Instruction ID: 25d19e412bdb7651d577df725f4d7088c69f7d3c9bd0412ba16651e9d3d09714
Opcode Fuzzy Hash: 126c7c78190222a120247f33853b044e5dee6603b328aebb72cc4f37e64554ef
Instruction Fuzzy Hash: A2411775A0020ADFCB40DF68D88499EFBB5FF89314B14C659E918AB311E730E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 080721B0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798f5b21f1f97fcc4a784aa3abded2890ce9d56dbc0304d18252e34e0fd2adc4
Instruction ID: 118068d5839ea2e9a4566e14140c3550836286a75160101abd41080d903bf0d5
Opcode Fuzzy Hash: 798f5b21f1f97fcc4a784aa3abded2890ce9d56dbc0304d18252e34e0fd2adc4
Instruction Fuzzy Hash: 22312638B205148FCB44EF68C4989697BF6FF89A11B1580AAE51ADB371CF71EC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08070006, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cd5273333f6ece0caa8affc76a5227f16b613d6e7589408fc82c3ba037950e
Instruction ID: 4ba08dc6aade214ea0d5a8210fda4e6efa1f73f409c621170d07cc47e89dbfd6
Opcode Fuzzy Hash: 70cd5273333f6ece0caa8affc76a5227f16b613d6e7589408fc82c3ba037950e
Instruction Fuzzy Hash: A4415C34A063899FDB02DF64C550B9EBFF2FF49310F15819AE845AB292C635A805CB65

Uniqueness

Uniqueness Score: -1.00%

Function 08077109, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a120441a3ff9a5b9fae13742bf1fc94dddd52ced323a8235814e3edec83f50a
Instruction ID: c10395de369fc91e91e8ac79bc9b8a3efcf283735493befbb565554d5a0d4c44
Opcode Fuzzy Hash: 9a120441a3ff9a5b9fae13742bf1fc94dddd52ced323a8235814e3edec83f50a
Instruction Fuzzy Hash: E641E5B4A00206CFC754CF68D584A99FBF2BF49251B1986AAE849DB351E730EC45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08071E90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb7a9cb7efb3c5e61177976846c8f94632ae2ed17000df0a436a86f810cb647
Instruction ID: fe13ae1a6597994f3e317109fdf9f091b2099e0f1de3d0b8d735da0222f30aef
Opcode Fuzzy Hash: cbb7a9cb7efb3c5e61177976846c8f94632ae2ed17000df0a436a86f810cb647
Instruction Fuzzy Hash: CF31AD75A00244CBEB45EF69D484755B7B3FF88300F49C979E8096B349EF70A484DB50

Uniqueness

Uniqueness Score: -1.00%

Function 08074430, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b762b111fe55ecba2e13dd9fa40b99fae035b766aec89f14d5ecb71002031a
Instruction ID: 36fa593491b1ee87b0eb8d1424c3d1dd63659e79346cc8e3f6868403d69ac1bf
Opcode Fuzzy Hash: 08b762b111fe55ecba2e13dd9fa40b99fae035b766aec89f14d5ecb71002031a
Instruction Fuzzy Hash: 00410675A0020ADFCB44DF68D88499EFBB5FF89310B14C699E918AB315E730E985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08076570, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed56e1ccf6537e4e43676f8a2a41a0033781b707222f4b79c35978a57594b8e1
Instruction ID: 597f17e51cdf67cfe1b71f67d2e7a7eff7c974e3de395319850cc7b5d8a76496
Opcode Fuzzy Hash: ed56e1ccf6537e4e43676f8a2a41a0033781b707222f4b79c35978a57594b8e1
Instruction Fuzzy Hash: 6B31AF35A00619DFCF04EBA4D8448DDF7B7FF89211B148169E416AB360EB31AD56CB84

Uniqueness

Uniqueness Score: -1.00%

Function 08072E00, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07db9d2c70c00d1629c9f78e1aa36ac159ef24e233807bbb3b39f8288d98b266
Instruction ID: 1832846fab54e235fc78278efa502b7c880ea71e504b87449bed92c7b998f30c
Opcode Fuzzy Hash: 07db9d2c70c00d1629c9f78e1aa36ac159ef24e233807bbb3b39f8288d98b266
Instruction Fuzzy Hash: 2B310631E00609CFCF11DFA8D840A9DFBF1FF49311F0486AAE55AAB221E730A985CB45

Uniqueness

Uniqueness Score: -1.00%

Function 08073091, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d208ae28c9bdce3ba62a7fe7ca2b9815be81ea245bfce7634c76a3bcd0259565
Instruction ID: e0f04c8fc8e7289741f9f441129cdcc4b7fb11d49bc35b458d6bc1933c516699
Opcode Fuzzy Hash: d208ae28c9bdce3ba62a7fe7ca2b9815be81ea245bfce7634c76a3bcd0259565
Instruction Fuzzy Hash: 4C316831A00208CFCB14EF78C440AEA77F3AF89319F15856DE9599B351DB31E982CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08073570, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885b0cd7efe53797682d5ab42992e04a13527d83245e57d15f53237cedb9570c
Instruction ID: 495904dcf5d7a7e10d325c949a2a7e6c07232797aa942f672da950d052fa319a
Opcode Fuzzy Hash: 885b0cd7efe53797682d5ab42992e04a13527d83245e57d15f53237cedb9570c
Instruction Fuzzy Hash: 5A319D75A103048BFB45AF68D884395BBB7FF89300F4A8579EC09AB345EF30A484DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0807C6A0, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed7ee723e56f566f0391281d0be01dfbd90a20d68edac17bafd7cc0c85ceefa
Instruction ID: 404c8475d5205983f63902e18a480b47811288ef93d1890ff2b042faee2724b9
Opcode Fuzzy Hash: 3ed7ee723e56f566f0391281d0be01dfbd90a20d68edac17bafd7cc0c85ceefa
Instruction Fuzzy Hash: EA214732B092115FDB59636894607BEB7EBDFC5715F09406ED90ADB3E1CF298C0283A9

Uniqueness

Uniqueness Score: -1.00%

Function 08072CB0, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5db3002c89936ae76d223007f621cd7f39115197fe2029691c58fdf3ef9258
Instruction ID: fb458aeea6d9a49e62e19c25df6f8f768860f64e613d09c0121984ff9d7970d7
Opcode Fuzzy Hash: 6d5db3002c89936ae76d223007f621cd7f39115197fe2029691c58fdf3ef9258
Instruction Fuzzy Hash: 1631AE35F006199FCB54DAB9D8846EEB7F3EF49201F10453AE406A73A0EBB0AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 080733DC, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ef35a2049ee60973b6a94c6b81062c295c1ba682209c9c1aebf8839c294ec1
Instruction ID: 917ce9fe76b4b893029c0503a75f9acaa06af3f73876d9e6ce08110d29bba553
Opcode Fuzzy Hash: 37ef35a2049ee60973b6a94c6b81062c295c1ba682209c9c1aebf8839c294ec1
Instruction Fuzzy Hash: 3F21B5327102018FD794DF2DDC94AA977D2EF89322B19807AE41ACF7A6DE74DC058B94

Uniqueness

Uniqueness Score: -1.00%

Function 08071656, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb27d9d0c677fc747808e9849a9206ceb3f4d6d58a601ecd6d4f2e7acd37e224
Instruction ID: 8ddbbf3193f3cbe1078ceada2c7092bf8d08b4c6d93c6f9441165a46b08cd3c6
Opcode Fuzzy Hash: fb27d9d0c677fc747808e9849a9206ceb3f4d6d58a601ecd6d4f2e7acd37e224
Instruction Fuzzy Hash: 03312374B112148FDB55DBA9C894AAD7BF6BF49706F5800A9E601EB2B1CB71DC01CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0807CA78, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9306d054742c1901f988caf174cd1dd6660542ecb1605ca4c2b0bed01e225b22
Instruction ID: f921ff95f5f9a3294ce1552cd52631e3466abc2dae3179c54668a6fb3c96413a
Opcode Fuzzy Hash: 9306d054742c1901f988caf174cd1dd6660542ecb1605ca4c2b0bed01e225b22
Instruction Fuzzy Hash: 2831D135B101048FDB48DF69C998A99BBF6FF89B11F2540A9E506EB371CA71EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0807BF44, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad8f700f25d5b3030412ea8703307a225b34c489d45d168460c7e25e58f3601
Instruction ID: b54f37d2ca79de604a2806dfb5b0b277019830e866306d4a1b0919093405474c
Opcode Fuzzy Hash: dad8f700f25d5b3030412ea8703307a225b34c489d45d168460c7e25e58f3601
Instruction Fuzzy Hash: 1131CE34B501048FDB48DF69C598AA9BBF6FF89A11F2540A9E506EB371CA71EC01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 080777D8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9034574c3e75de24b006e51741f56d1fd4d7cf1f85fc60779635218807cf2c
Instruction ID: d86f427aa5d61e65d5c93c40343f476c26f0472369c0099b728686f41687cb53
Opcode Fuzzy Hash: da9034574c3e75de24b006e51741f56d1fd4d7cf1f85fc60779635218807cf2c
Instruction Fuzzy Hash: 86314A70E4021ACBEB95DFA9D444ADDBBF2AF49341F18446AD800FB350DB309D08DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0115D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676530531.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8dd72fe5f522067800be45fa30ab87e0807ec19b37d520fd65fb649cb623c1
Instruction ID: a09c36318b1c85634f2322443901456ef95fdcd1e4e526f012a88cd210311527
Opcode Fuzzy Hash: 1d8dd72fe5f522067800be45fa30ab87e0807ec19b37d520fd65fb649cb623c1
Instruction Fuzzy Hash: 5A2103B1504240DFDF49CF94E9C0B26BB75FB8832CF248569ED054B20AC336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0115D3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676530531.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7b484197d75b48a9d3eaaa9ef472b0243bbbf31b2423df9d7474cd9dbfc3e3
Instruction ID: 103cd74e99ce58405eb0e35d711c4c3b3d32e374d9b93289bf6033602469baa0
Opcode Fuzzy Hash: 8a7b484197d75b48a9d3eaaa9ef472b0243bbbf31b2423df9d7474cd9dbfc3e3
Instruction Fuzzy Hash: E321F4B1504240EFDF49DF94E8C0BA6BF65FB88324F24C569DD094BA06C336E446C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 080729D8, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eef444ca3987f6c840fdf5f344b73728222386423e11d198171cf4a7282ec1
Instruction ID: 353af8eb4b14055f1147943fa489d5894c2fe20a0b3e11efed83b1dbceb6a47c
Opcode Fuzzy Hash: 88eef444ca3987f6c840fdf5f344b73728222386423e11d198171cf4a7282ec1
Instruction Fuzzy Hash: 30213B307102109FDB68EB39C454A2A73E6EF89619B10847DE506CB771DF71EC46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0116D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676633903.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ea77a43bbedddff20154c677ddcebe1fcdd3168b6c90178c98bd7056ac552c
Instruction ID: ab604738ab7b3f18fc3f108a9aa9c20e1ce59e05ebf28b16af1162c56cf82ccd
Opcode Fuzzy Hash: 34ea77a43bbedddff20154c677ddcebe1fcdd3168b6c90178c98bd7056ac552c
Instruction Fuzzy Hash: C5210A71604240EFDF09CF94E5C0B25BB69FB88324F24C56DE8494B246C777D856CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0116D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676633903.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8321aaf2ac7aa3759aba5a3dd8cd6286dc61ddbdd43a8b9c396da0d76957d76
Instruction ID: a5144e4968e097a2a4bc1341a43b30da5cb47afa36f3ba213ceadf52cad81d1f
Opcode Fuzzy Hash: b8321aaf2ac7aa3759aba5a3dd8cd6286dc61ddbdd43a8b9c396da0d76957d76
Instruction Fuzzy Hash: 7A212571604240DFCF19CF54E8C0B26BB69FB88354F24C569D8894B246C737D817CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 080708C0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cf0d36f4c48df5e9c6b4fbb7d1346c2b1ee8cf856717f598105c5de84d7ae1
Instruction ID: 0534155d2fab5b2dbb9d5b3c5ee087242a61d32377d7b2f2efeaab0e096cca1b
Opcode Fuzzy Hash: 08cf0d36f4c48df5e9c6b4fbb7d1346c2b1ee8cf856717f598105c5de84d7ae1
Instruction Fuzzy Hash: E721F632A00B49CBDB54EF28C48069AB7F6FF85315B008A7DD819AB745DB31EC85CB84

Uniqueness

Uniqueness Score: -1.00%

Function 08079B50, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9532626c14585b2289e1e2973f16fba9e03bebcc7167af3fd8f5ecf0c2bdad
Instruction ID: d539f3b4fcf5612a22a93c6cd39abf3b6d78499f8900e076f4864079d4a23cde
Opcode Fuzzy Hash: fb9532626c14585b2289e1e2973f16fba9e03bebcc7167af3fd8f5ecf0c2bdad
Instruction Fuzzy Hash: 5A212F31A106099FCB10EF68D940599FBF5FF49311B50C26AE958A7200FB31A998CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 08072700, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe7ded188924dd5753fcbd363ed9a4ba40ec46c1d4ba5a2cf0c717132f2a160
Instruction ID: 4c006d219e97b7e04147dab51b003c96ac6cd75dc49be0cc58954fb490955e3c
Opcode Fuzzy Hash: 5fe7ded188924dd5753fcbd363ed9a4ba40ec46c1d4ba5a2cf0c717132f2a160
Instruction Fuzzy Hash: 3D11A231F0061A8BCB24EE6985506AFB7F7EF88611F14853ED516E7340EB7499028BC5

Uniqueness

Uniqueness Score: -1.00%

Function 080726F0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15433ce1540c9380f5d9d6bb3640ede492d03a5c46864bb644dd77ced66e2940
Instruction ID: 6f37bd2cbe6d720aec4df98898846becf9445aecd6c9f73e21ed0523d8f51143
Opcode Fuzzy Hash: 15433ce1540c9380f5d9d6bb3640ede492d03a5c46864bb644dd77ced66e2940
Instruction Fuzzy Hash: 71112332F006168BCB24DE698A517AFB6F7EFC8A10F04443ED516E7340DB3499028BC4

Uniqueness

Uniqueness Score: -1.00%

Function 080777C8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52edbdefadd1f97209e63b1d01c5b366d373cb4285feb7a86108f2e7692f156
Instruction ID: 3eff793b4569f2b99c83867952c269f6cd3a565465ffe3fae0a858b234aedd38
Opcode Fuzzy Hash: c52edbdefadd1f97209e63b1d01c5b366d373cb4285feb7a86108f2e7692f156
Instruction Fuzzy Hash: 80219A30E402168BEB99DBA8D4446EDBBF2BF09341F188429D801FB350DB349D09DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0807C940, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a90a921b9f7706285c9726bd4669400cb3445f5f2f074f2efe130bc254386f
Instruction ID: e4f8d359f89d7fcce16348c05cccf90320783517e0de42832340ac101e802d71
Opcode Fuzzy Hash: b5a90a921b9f7706285c9726bd4669400cb3445f5f2f074f2efe130bc254386f
Instruction Fuzzy Hash: 28118E35B0121987DE78327964243AE32DBAFC4566F14043ED58AC7780DF65C802C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0116D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676633903.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbb0990ac9fcbf528e25331bb51c645209a3ff4d3a68a22eeb6960392d172d0
Instruction ID: a35ebdee9e33f8ed2977a6a2a090cac00bef747fcac341d24e5e1efeb6df7a2e
Opcode Fuzzy Hash: 3dbb0990ac9fcbf528e25331bb51c645209a3ff4d3a68a22eeb6960392d172d0
Instruction Fuzzy Hash: 99218E755093808FCB06CF24D994B15BF71EB46214F28C5EAD8898B667C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 08077BF8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d603637ce3dc8c5ad8f9cdc6e99db1afd14f1e2edb9ffca6bd2f78b66dccfb2
Instruction ID: c1d594fde0164a0268a3da8427865a8f73d29554147316ce9694d951fb7d5d88
Opcode Fuzzy Hash: 0d603637ce3dc8c5ad8f9cdc6e99db1afd14f1e2edb9ffca6bd2f78b66dccfb2
Instruction Fuzzy Hash: FF119170B011559FDB04EB28C958A5EBBBAFF8A704F1681ADD401EB745CA35ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08071E60, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f47a6f47b456d9428eb9c08e6dc085e701edc46646966851dac5b3509a04189
Instruction ID: 4b54e0f10b3304345187d9824e5317663551ae0a135de451bb40c1d75f7d4d08
Opcode Fuzzy Hash: 9f47a6f47b456d9428eb9c08e6dc085e701edc46646966851dac5b3509a04189
Instruction Fuzzy Hash: 84216A35A00709CFC724AB74C440AEAB3B3FF86246F41486ED15A1B3A1DB31A945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0807C568, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca7126cfdae2213533b9186e33a45e91ffab497d982ed398acd93468572321b
Instruction ID: f76009db10cddf1153ca44bc5922c73106ccb7749faaf41ff90406edcfcd830a
Opcode Fuzzy Hash: bca7126cfdae2213533b9186e33a45e91ffab497d982ed398acd93468572321b
Instruction Fuzzy Hash: 70119D31601204AFC758EA68E460A9EB7E6EF91354F40C87EC5698B750CF32E909CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0115D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676530531.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: e61ece91d650460169d0e5d5a7df8fef024031aee2601d3337a7a37fd8445b9f
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 3C11B176404280CFDF16CF54D5C4B16BF71FB84328F2486A9DC054B616C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0115D3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676530531.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: a2ed889fa5a417f9fb14eb265e2b7411c3bb5b30aafc38fa7ddccdabd1f0c2bd
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 4A119D76404280DFDF06CF54D5C4B56BF62FB84320F24C6A9D8094AA16C33AE456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 08075139, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969683b677f887d124255be5034108d6cd0becc9a6599707432120f833a6ed84
Instruction ID: 1e7d14b3fef1f532ccc2fd695bacdc372a9d36484ecd2fbd229d4b88dd7f46bc
Opcode Fuzzy Hash: 969683b677f887d124255be5034108d6cd0becc9a6599707432120f833a6ed84
Instruction Fuzzy Hash: 9701D2367102018FE358CA2CDC96BE937D3EF89322F19807AE405CF7A6DA38C8058794

Uniqueness

Uniqueness Score: -1.00%

Function 08077047, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220df9597a2345bda4a3ddf9ae1f8eba4655d04fc5009347ab90e7d23cda4bb6
Instruction ID: ba5184fa3e26ab5a8181462a904a9aed86b2f20f59cd00ff1a7f1fed3267c978
Opcode Fuzzy Hash: 220df9597a2345bda4a3ddf9ae1f8eba4655d04fc5009347ab90e7d23cda4bb6
Instruction Fuzzy Hash: 5A11C832B103159BCB10ABA9EC446DEB7B6EFD9225B11452AE555E7210EF30AC09C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 08077BE7, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519d18ea54cf556ab3f2080a8b0a23c8bb0ed27938660218aa6f0be59a7c812
Instruction ID: e35d572679d3e92a4f3b138f2cbb7a41244d23cf028ca450f566779e34f5baf3
Opcode Fuzzy Hash: 2519d18ea54cf556ab3f2080a8b0a23c8bb0ed27938660218aa6f0be59a7c812
Instruction Fuzzy Hash: B311CAB0A011129FDB08EB58C944AAAB7E6BF88200B158269D000EB748CA36ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0807C558, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e6e398da4bbd989467f08c12468c3ca9e3dc1cefbc8f1cfa2c642129197a1e
Instruction ID: bf326d1d4a4d523de2c6c4922e0edbd21fe7113c8d582e1d2ac21766e619cfc4
Opcode Fuzzy Hash: a2e6e398da4bbd989467f08c12468c3ca9e3dc1cefbc8f1cfa2c642129197a1e
Instruction Fuzzy Hash: AD110231205740AFC359EB28E860A9A77F6EF92349F04886DC059CBB50CB32E809CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0116D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676633903.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: d21c46b6e36a18248786eba45848e35577fc1146f1d8d3f7e2f690228a71cc29
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: 8611BB75A04280DFCF16CF54D5C4B25BBB1FB84224F28C6AED8894B656C33AD45ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 08077908, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffe9c66117b0e9d5adf7aa083541aa933725ee5755c5292ae64ad9225564547
Instruction ID: 55d65346e6c1e0f0e0d430691a022ef5431c3fb09b123daacf4e4c116f372a0a
Opcode Fuzzy Hash: 8ffe9c66117b0e9d5adf7aa083541aa933725ee5755c5292ae64ad9225564547
Instruction Fuzzy Hash: 33119A31A012099FC718EB69D454BEEBBF2EF88355F10442AD505A7690DF356D05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0807DE48, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcd11cdd22d1dcded98ac1c2ca42918e55e060431668af52955690893af9e38
Instruction ID: 84e5bd2ff1d8e8d8aa902c9b4ad3956c2ae1e59a4f5c8bb01abe9d05c808d17a
Opcode Fuzzy Hash: 1bcd11cdd22d1dcded98ac1c2ca42918e55e060431668af52955690893af9e38
Instruction Fuzzy Hash: 4801D630F405218B86A66A5CD05443EB3DBDFDAA63314852ED807DB318CFB0DC1287E5

Uniqueness

Uniqueness Score: -1.00%

Function 080715AF, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db04c166ca76c74ab02f0ad837b9b5a068bfb3d4601e8675bef1ee25aa9bc396
Instruction ID: 7a705e34f77cff0e2aeab634ba445317e1fcd301eb5fac05cc64a6ce8d39c5aa
Opcode Fuzzy Hash: db04c166ca76c74ab02f0ad837b9b5a068bfb3d4601e8675bef1ee25aa9bc396
Instruction Fuzzy Hash: 1F11D630D082999FCB12DBADDC5499DBFF5EF4A300F08409AE450FB3A2C635A900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0807B660, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99aa0dcd7a1c54d59e57b9ca8eb41071892b5c1ded89176a335fc60c9c139967
Instruction ID: 530917a3b49f7666b2996aab02192acf93953d30d89f6a1dee0503cc37af5683
Opcode Fuzzy Hash: 99aa0dcd7a1c54d59e57b9ca8eb41071892b5c1ded89176a335fc60c9c139967
Instruction Fuzzy Hash: 4201A235B109248FCB597728C418B6E37EBAF85626B058078D909DB361CF25CC01C79C

Uniqueness

Uniqueness Score: -1.00%

Function 08074FF8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca797d72aaa86fdf4b15b2f6c08c07d8918e049e6c9764756a1dcf6c9095335
Instruction ID: 4b653605ac5b81b725d3e126668b7c5eee55d6ea9a18b230165dbd1a6f5759e1
Opcode Fuzzy Hash: 7ca797d72aaa86fdf4b15b2f6c08c07d8918e049e6c9764756a1dcf6c9095335
Instruction Fuzzy Hash: 11014536704642CBCB218A28EC15BED37E65F45662F08019ED045C72B2DB24D841C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0807B4B0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63843bd9321ac09b600e761546233df0bd8644940c4ac8dfc67cbc42c0541f1a
Instruction ID: d8d9bcff9e4a3ccc502c1075f5c62cdbda183693c476e0a227c269f92d5ed30a
Opcode Fuzzy Hash: 63843bd9321ac09b600e761546233df0bd8644940c4ac8dfc67cbc42c0541f1a
Instruction Fuzzy Hash: 4B015E317002159FC7149A29D888B6ABBFAFF89719F14856AE91A97760CF70EC05C750

Uniqueness

Uniqueness Score: -1.00%

Function 080775A0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ac3e1c1538527d2f9dd06530875f0242fed5150804b8c07ff8f24a91750dbd
Instruction ID: 6bac2baf164ce4837cbd813fbe7b223bbcb65217f1e8720a0fa07f689df231c6
Opcode Fuzzy Hash: 13ac3e1c1538527d2f9dd06530875f0242fed5150804b8c07ff8f24a91750dbd
Instruction Fuzzy Hash: 6B01F932A043449FDB64EB65A4407EA77EBDF402A2F5004AFC509D7990EF70D544C799

Uniqueness

Uniqueness Score: -1.00%

Function 0807C8A8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dd12747826de49adb7910a3d47a2f43d320f9b2355bc90ee06e26489c5e226
Instruction ID: b1445696ceb940eef9c55af87960d26e8e40654468f049ace3fd541720ebaf7b
Opcode Fuzzy Hash: 54dd12747826de49adb7910a3d47a2f43d320f9b2355bc90ee06e26489c5e226
Instruction Fuzzy Hash: 7D01F430700605DBEBA8A62AC450AAAB3EBEFC5619F04843DD81AC7750CF34EC07C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0115D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676530531.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca14558f63826fe9288dc6837a151df5273b44159abe7d7c3a481ae2bfd4e102
Instruction ID: 99e35198a1b75b4b9c000b60f15c47019d80ede4eb541cc148d49d71d9262995
Opcode Fuzzy Hash: ca14558f63826fe9288dc6837a151df5273b44159abe7d7c3a481ae2bfd4e102
Instruction Fuzzy Hash: 9F01F771008780EAEB585E96E880766BBD8EF45628F09C419EE244B246C3789844C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 080768B0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e54fd8a7a2f0d10660da5e928e0ac87c1776c304b0b456191699c5313fb9006
Instruction ID: 05ea2f235ce1382192d5d90c4a3f492d87ebced258e4825d6903f2090f47b649
Opcode Fuzzy Hash: 1e54fd8a7a2f0d10660da5e928e0ac87c1776c304b0b456191699c5313fb9006
Instruction Fuzzy Hash: E2015E31A00B09CFC728EF39C45059A77F6EF85305B10CA6ED45A9B764EB71E942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 080778FA, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a462ebb1182612a26babb3873c0357362b83edd406c3714450175e24f294b4
Instruction ID: e17ff14ac36eddc170a5835fdf83667f61430e5c5f439afd7227e8208a477467
Opcode Fuzzy Hash: f1a462ebb1182612a26babb3873c0357362b83edd406c3714450175e24f294b4
Instruction Fuzzy Hash: 0E019E31E012058BD714EA64D9657AE77F2AF88245F50481AD505EBA90DF3559058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0807DE39, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7eb2171ae09cdd87de49c8186f3765b5e5c62ccf31c75fe94098a3e3bc2eaa
Instruction ID: c9c3713b8403e210ddf725ee8cc8e2187f11ea30ba23cc33826987f6a4511092
Opcode Fuzzy Hash: 2c7eb2171ae09cdd87de49c8186f3765b5e5c62ccf31c75fe94098a3e3bc2eaa
Instruction Fuzzy Hash: BB012631F456508FC7625B1CD45486EBBA3AF96A2230481ADEC068B319CB20DC11CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0807C820, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e6005945435f5ab2cae49f2bd531f72dc979988a7a7f68dd64965f15f241fd
Instruction ID: aebde4ca2e5a68685e159d500b722524893771571832433b773781bcc61adff1
Opcode Fuzzy Hash: c5e6005945435f5ab2cae49f2bd531f72dc979988a7a7f68dd64965f15f241fd
Instruction Fuzzy Hash: BBF0F4313501018BE6689559D450BBA33EBAFC5945F55402DE51AD37A4DA249C0587D4

Uniqueness

Uniqueness Score: -1.00%

Function 0807C8B8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244eda1f95acb6484f617a2cf9db1d48cb7350c6885fce9accb937b35268e348
Instruction ID: 8d483ad062524f47a58af1e6d24b6b616988e56f89bfcb0d5dd79475c537c2d1
Opcode Fuzzy Hash: 244eda1f95acb6484f617a2cf9db1d48cb7350c6885fce9accb937b35268e348
Instruction Fuzzy Hash: 94F0F430B00205CBEBA8E62AC064A6AB3D7AFC6216714843DC81ACB754DF70EC078795

Uniqueness

Uniqueness Score: -1.00%

Function 0807BF34, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94aa74ec6748ffd1aaf535b01e996d366037bc2b3c90adf29c1e4c85a1a5106
Instruction ID: ac13a4f22b52e9249f741df776cef1fb159dd576c7fa1ff274591ebc7abe0cd8
Opcode Fuzzy Hash: e94aa74ec6748ffd1aaf535b01e996d366037bc2b3c90adf29c1e4c85a1a5106
Instruction Fuzzy Hash: 73F0F4313501118BD768A669D050BBE33DBBFC9955F50443EE41AC7764DF289C0187D5

Uniqueness

Uniqueness Score: -1.00%

Function 080720BF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ec0b2463a4a30929236489fc0598197c227d2b343c447f03901708aeefcc02
Instruction ID: 8e7f7f8605252224b0f4b4f2e33d1a61c86c4758442def7c669114343a70053c
Opcode Fuzzy Hash: 42ec0b2463a4a30929236489fc0598197c227d2b343c447f03901708aeefcc02
Instruction Fuzzy Hash: 75F0CD763042008FC360CA6DF884F96B7E9EF89625B1544BAE20DCB362D330DC01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 080768A0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b9eab7292b3f8a8c2460d43c96ffd8171495a707b882cc830896fd44cf65ed
Instruction ID: 65690a10ef73641d571b3f41bf0fe88038474cbfcec6a8a1409cd7bc0499bae4
Opcode Fuzzy Hash: 85b9eab7292b3f8a8c2460d43c96ffd8171495a707b882cc830896fd44cf65ed
Instruction Fuzzy Hash: 7A01B131A05B48CFC324DF38C4604A97BF2EF85305B04C66ED4969B761EB31D846CB98

Uniqueness

Uniqueness Score: -1.00%

Function 08074F87, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ddc46bd22a734730cd84ef76c09fe691b259ab87c465e1a89ddcbff0adc5b
Instruction ID: 2a2cbca67e5e0970d3001ad987b8c69fbbeb7c14eec21edc170f0d85746a3daa
Opcode Fuzzy Hash: 7f3ddc46bd22a734730cd84ef76c09fe691b259ab87c465e1a89ddcbff0adc5b
Instruction Fuzzy Hash: 58F0F035B00A285BCB397A38C415BBE76EB9FC4512F06443EE449C73A0DE24C802839D

Uniqueness

Uniqueness Score: -1.00%

Function 0807B4C0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4461c1649494e860d12f6790c320a41b6e00bf8f199ca27b92b6263826906e6
Instruction ID: 342917532e78ad708e4873b67a666cbae71810e4c20438f2de81fe9ba85308a0
Opcode Fuzzy Hash: d4461c1649494e860d12f6790c320a41b6e00bf8f199ca27b92b6263826906e6
Instruction Fuzzy Hash: DD014B357002558FC718DB69D488A6ABBEAFF88715B14856AE51A87360CFB0EC09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08076C78, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b3d058f761d5dff677afc75a6998c7c9e25c8de79b21a78e9bc7ceae0819b4
Instruction ID: efd062934ef995c56e0700c917f0f4aa3631f37401d521e1503e9968283528ed
Opcode Fuzzy Hash: 45b3d058f761d5dff677afc75a6998c7c9e25c8de79b21a78e9bc7ceae0819b4
Instruction Fuzzy Hash: 6901D639B00B098BC712777899111EE77B6EFC1112F04055ED459AB351EF719581C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 080733BC, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f67f7e7335852772e9e4b4326a8150cb93b35a943040e993b8d3a2b808f3ecc
Instruction ID: de2204ccdbfd9e540c8e0ac76fed3371d328cf2e37ce57a70e58477cdabc150c
Opcode Fuzzy Hash: 3f67f7e7335852772e9e4b4326a8150cb93b35a943040e993b8d3a2b808f3ecc
Instruction Fuzzy Hash: BDF0B434710121DB9A64562A9854AFE33EBAF89693748042DE406C3360DE24EC41D6E8

Uniqueness

Uniqueness Score: -1.00%

Function 08072657, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d63d054eac90566d7573fc0b51d350c941896398d3e221940f3ab4be4b69703
Instruction ID: 3f1fb76a13677b7f589389aca8a49aab462c55ae48e742df2042f55f14e6f282
Opcode Fuzzy Hash: 0d63d054eac90566d7573fc0b51d350c941896398d3e221940f3ab4be4b69703
Instruction Fuzzy Hash: 900131357100108FD7049B2CD85CEA977EAEF8C612F1580BAE509C77A1DF30DC468B60

Uniqueness

Uniqueness Score: -1.00%

Function 08076CF8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cd1e75a9610cbe38b6b6de5cba0e2f99896d1c4cc6826c85b302b680ee66e4
Instruction ID: 1838dc2bef9c5199fe982db3b234751ee681e04cc1ffc7424ec226a76bf04503
Opcode Fuzzy Hash: f3cd1e75a9610cbe38b6b6de5cba0e2f99896d1c4cc6826c85b302b680ee66e4
Instruction Fuzzy Hash: 13F02232601600CFC325AB55E464999B7F6AF89222705056BE54ACB764CB329C86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0807437F, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74ef083159c293dda479e21b860f6252ce200f0ca99cb7bc7afd25480c057df
Instruction ID: f73f56fb3e9f12bc81493050c21f32a3eca6844067b1d081053bb6de70492623
Opcode Fuzzy Hash: f74ef083159c293dda479e21b860f6252ce200f0ca99cb7bc7afd25480c057df
Instruction Fuzzy Hash: 14010871D146099FCB40EFA8C84499EBBF4FF49210B1185AAE849EB321E7709A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08076C88, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30056ecc31977e7a1a8bdad46dd50d2e99ec0267f6ee94822e1652139d38a04d
Instruction ID: 37341627ad941b6f7fe0c6d5442323984ec3e0ac51729d36263b792d95551ca2
Opcode Fuzzy Hash: 30056ecc31977e7a1a8bdad46dd50d2e99ec0267f6ee94822e1652139d38a04d
Instruction Fuzzy Hash: 21F0C235B00B088BCB117B7488011FEB7BAEFC1211F00066DD95967310EFB2A541C6C9

Uniqueness

Uniqueness Score: -1.00%

Function 08077058, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31be9ebd23b386f9d8fa911c5306941f73569f53654ec47427ae3503b07f8aff
Instruction ID: 3f9c5e3e83fbe4420dcab219580ede43e069c5f729344629e73789b6d6d4ee1f
Opcode Fuzzy Hash: 31be9ebd23b386f9d8fa911c5306941f73569f53654ec47427ae3503b07f8aff
Instruction Fuzzy Hash: 2DF082327147155F9714AFAAF88485ABBEAEFC82753004A3AE11AC7720DF719C0987D4

Uniqueness

Uniqueness Score: -1.00%

Function 0115D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676530531.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15339b37fedd9069adc265f703a7fe40c653bb0651de508d957632abb7b7e4cc
Instruction ID: 11364d646559e13b62049807b0ea01bbf81e787de6187e76dca092691a3a6625
Opcode Fuzzy Hash: 15339b37fedd9069adc265f703a7fe40c653bb0651de508d957632abb7b7e4cc
Instruction Fuzzy Hash: 8CF0C871404284DEEB558A16DCC4B62FF98EB41634F18C45AED144B256C3789844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 08074F98, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbadd6863fcefe82e50a5afbac82da8b7f692e11fde5c52e0f3ea911ab23894
Instruction ID: 86049b300a7fe3629bca28cca333a540ee41045bf61915e58e560b440a6948a1
Opcode Fuzzy Hash: cfbadd6863fcefe82e50a5afbac82da8b7f692e11fde5c52e0f3ea911ab23894
Instruction Fuzzy Hash: F9F0A739B00928879B796A799054BBD72DB9FC4513B16803EE909CB3A0DF74DC02D79D

Uniqueness

Uniqueness Score: -1.00%

Function 08076D08, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08621ea6a13dbcb6298c64092189f535a4f7be91235f7274d883b104eef3bd09
Instruction ID: 8ef870f01384caff6a7424027c23f4fc31a52cd450603917fbe24a4bc804ef62
Opcode Fuzzy Hash: 08621ea6a13dbcb6298c64092189f535a4f7be91235f7274d883b104eef3bd09
Instruction Fuzzy Hash: 7BF08931701600DFC724AB1AD45495AB7FBEFCD725754052EE50A87724CF32AC46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 080770B0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df747b33ab74c949eb30b378586ee0883aece133c9d2ab5701a9a25ffd0a22fe
Instruction ID: 11127333af8d44b3f2051b9b8f170245fd2493950363713c440d3fa2e91804fc
Opcode Fuzzy Hash: df747b33ab74c949eb30b378586ee0883aece133c9d2ab5701a9a25ffd0a22fe
Instruction Fuzzy Hash: 44F0F4312106108FC714DB28D598E997BF6EF4AB19B1648A9E44ADB772CB62EC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08074390, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415a98354f481804678503669b410b367e1382afbbb7bb76b5bfc71221c3715a
Instruction ID: b105c5b1868ae04cfa1ddd1b704dd66ce8f7e3962ddbf292189fdf1a2f6bd757
Opcode Fuzzy Hash: 415a98354f481804678503669b410b367e1382afbbb7bb76b5bfc71221c3715a
Instruction Fuzzy Hash: 4E01B675D10609DFCB40EFACC54489DBBF4FF49210B1185AAE859EB321E770AA44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 080705AC, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35107f77d41376ec4cbe48cf832028d22e8ed710f127576742aac3491cb2f4bc
Instruction ID: 5aad451845d32275b282286aac54c33012963887a7c680b9f5ac11b1ac6cd862
Opcode Fuzzy Hash: 35107f77d41376ec4cbe48cf832028d22e8ed710f127576742aac3491cb2f4bc
Instruction Fuzzy Hash: 53F0A071B40A245B470CE77EA45046AB7EBEFC8310344C82AD40EC7B25EF71AD01CAC5

Uniqueness

Uniqueness Score: -1.00%

Function 080725E0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b15ffeb4835497ea22f682194ab41d6d03046ec8b3e0d4296d4985a0b21de6b
Instruction ID: 358abe0ee8752b2ab7049d8780522e8f4361af4e18862db1c5cfc2b9e994d892
Opcode Fuzzy Hash: 8b15ffeb4835497ea22f682194ab41d6d03046ec8b3e0d4296d4985a0b21de6b
Instruction Fuzzy Hash: 22F09631314742EED724DB38E450BC9B7D2AB46228F454F2CC0B94B695C774784987E2

Uniqueness

Uniqueness Score: -1.00%

Function 0807A83C, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5568fa7b3f65dfb77f4c1042bbd54e54ac996c023a5c2298a7c4656352b7a6aa
Instruction ID: 2a16d84de1f9d620c4378c0d79bd5c53b2a8dec220b68776b192c7bbbcc39d0c
Opcode Fuzzy Hash: 5568fa7b3f65dfb77f4c1042bbd54e54ac996c023a5c2298a7c4656352b7a6aa
Instruction Fuzzy Hash: 01F09A36B041549FCB00CFA8E895AACBBB1FF4A316F0040DAE506DB271DB30994ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 08072020, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22e51e817becf8e0400184a5de7517a1495da978c2baa907f80975cbe8b89e7
Instruction ID: 8dfc8d0766599daf450bf86483fd3887ed5d8ac64366ad9115f3c9768a560fde
Opcode Fuzzy Hash: d22e51e817becf8e0400184a5de7517a1495da978c2baa907f80975cbe8b89e7
Instruction Fuzzy Hash: F5F01C367206108FC715CB6CD885D95B7FAAF89A2131680EAE209DB772DA71DC11CB64

Uniqueness

Uniqueness Score: -1.00%

Function 08070624, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614b35f1ae107b191027d8d1aaa964d8c511eecb15eda25cc3035d55c535492f
Instruction ID: 5aa9bb999f8d302ebdb6d94c36b2e43a5789266987c73581846378ac14535174
Opcode Fuzzy Hash: 614b35f1ae107b191027d8d1aaa964d8c511eecb15eda25cc3035d55c535492f
Instruction Fuzzy Hash: 59F0E54260D7D45FD30312785C652563FB8A953241B4901DFD081CB6B3E5448605C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 080770C0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195b4e1cd347b2fd9d6c2227b1065607069aaa97cce65c1a7376b496255da6e5
Instruction ID: b09225d78152b747ff0372d18ccc6c0905db14d1cb9cb09ccd49b7f06b7b228b
Opcode Fuzzy Hash: 195b4e1cd347b2fd9d6c2227b1065607069aaa97cce65c1a7376b496255da6e5
Instruction Fuzzy Hash: 15F0DF30250610CFC718DB28D588C997BE6EF4AB1931248A9E10ACB772CB72EC44CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08072030, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: 80675f6a7601e63e8f279d14332fc375105f8f2ad9c431b013994a5ee4b6ac78
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: D2E0E5353605148FC758DB2ED848D55B7E9EF89A2171640BAF209CB372DA62EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08079DE9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction ID: 21624277aeeba601d47bc528e7ce7211988c8799f216a155345b41a2b64ac251
Opcode Fuzzy Hash: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction Fuzzy Hash: E0F01576D0021ACBCF00DF84C4405DCFBB2FF45321F15829AD9007B201D330AA96CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08071ED0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba37703d44434bdde36a06f1af8f28fa2b1f96fded97ecd77c93506f55fc2580
Instruction ID: d1af5a13b37c1af732439c9a14286170448fb4424eb8cd1a766c5ab35a1e1392
Opcode Fuzzy Hash: ba37703d44434bdde36a06f1af8f28fa2b1f96fded97ecd77c93506f55fc2580
Instruction Fuzzy Hash: 5AE0CD303146149F8324D71DF4C089D73EEEF8C2113604969F009C7724DB50FC044788

Uniqueness

Uniqueness Score: -1.00%

Function 080705EA, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ee761cdf4ee58fe655e7ebb92d01da538b992676eed866c200acee250c1e94
Instruction ID: 357727e16b3aeffb81ee60cf316501e3efb62923cfeeb8cd46f711f72859d6c3
Opcode Fuzzy Hash: a1ee761cdf4ee58fe655e7ebb92d01da538b992676eed866c200acee250c1e94
Instruction Fuzzy Hash: E9D02E6370852867E300606DAC6ABAB31ECF7E665AF84022FE048D2B60E900C20212EC

Uniqueness

Uniqueness Score: -1.00%

Function 08072AA0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0698ca0e255116d67203f6ec7dec7943780f5b6aadcb25026ca3eaf6763dbcf
Instruction ID: 44a2f1cc2d97b38af02431651e2640d04d3811dd9283599638fedaee4495cf65
Opcode Fuzzy Hash: a0698ca0e255116d67203f6ec7dec7943780f5b6aadcb25026ca3eaf6763dbcf
Instruction Fuzzy Hash: 39E012367501286FC701961CD815E9E7FE9DB89724F09806AF949C7361CB61DC019695

Uniqueness

Uniqueness Score: -1.00%

Function 08074F52, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885d19d1081bee11066a69893727503845bdbca0ac73fd2bc9370f0fdc07e94c
Instruction ID: 859c96dd4e0aa8cd678d43295021d8f5eb717b0b3afdb4fbc5f3333be3363c69
Opcode Fuzzy Hash: 885d19d1081bee11066a69893727503845bdbca0ac73fd2bc9370f0fdc07e94c
Instruction Fuzzy Hash: BEE08C367006008FC328CA4CF890A9A73E69FC8621724896AE009CB760CA24EC454654

Uniqueness

Uniqueness Score: -1.00%

Function 08072069, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfba214eaf0f7f19436ed64db5b089e2f1ddff27fbebd2220b77ff3c28bf7777
Instruction ID: 2f4d76ccc497477496f43d0d06b0c6f0e7f6a324365a37532f60ac8621c6060b
Opcode Fuzzy Hash: bfba214eaf0f7f19436ed64db5b089e2f1ddff27fbebd2220b77ff3c28bf7777
Instruction Fuzzy Hash: 60E07D727007004FC309DB259550462B7A37FC4600304C69FC44ECBA6ADF31AE02CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 080705F8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a416ef737840a7ee19c7a2c5b4dec6df241225bbb820509dcc2e7312591d88
Instruction ID: edf72c2c23d90bb37af2fce136ff95f1874f5f3c1bafc26770395dccb799ca50
Opcode Fuzzy Hash: 16a416ef737840a7ee19c7a2c5b4dec6df241225bbb820509dcc2e7312591d88
Instruction Fuzzy Hash: 5ED0A7313042344B8B1E37B8741806D33DDEEC96BA300017EF50EC3700DEA5898143C8

Uniqueness

Uniqueness Score: -1.00%

Function 080701DB, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5973ef5718d4e919dc3fdca30310f3de4ed2fe7a62f7da273c2520109c69ab72
Instruction ID: 7f1f1d2118a83040c7ad6e73d5dce21b1a363a78a1e13a18da09cdb9d6f924d5
Opcode Fuzzy Hash: 5973ef5718d4e919dc3fdca30310f3de4ed2fe7a62f7da273c2520109c69ab72
Instruction Fuzzy Hash: C1E01236A0200EEBDF00DF80E841BDEBB32FB88311F208111FA0127290C7325A21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 08072AB0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6618b9c4272083731c20794081b29b73a0dc7d5f6a7d8c1b4a0fc8f7cf3e13a7
Instruction ID: 01192218d124fdd3f42f099b70fad585a1613c42f1f88315b4f6ea9bf2937d08
Opcode Fuzzy Hash: 6618b9c4272083731c20794081b29b73a0dc7d5f6a7d8c1b4a0fc8f7cf3e13a7
Instruction Fuzzy Hash: 86D0C9367101289F87049B68E408CA97BE9EB4D7613158066F909C7321CF72EC109BD4

Uniqueness

Uniqueness Score: -1.00%

Function 08076DA9, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a4c0fe3125c8ce6bcbe16756f3a0dc2a14d9e0dc1556fa9f5769b7c160c30a
Instruction ID: 0c989f10b0287f3fe0ad3c51b6d07c48606d02a3ccd44425ceb9e236e66313da
Opcode Fuzzy Hash: 33a4c0fe3125c8ce6bcbe16756f3a0dc2a14d9e0dc1556fa9f5769b7c160c30a
Instruction Fuzzy Hash: E5D022033043544FC349126CB82006D2683EBE51A2309017BF62ADB390CE061D8A4BC1

Uniqueness

Uniqueness Score: -1.00%

Function 080708A0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43aca4b85a3047e416f75f6a2bf1fb923589da3b1258cbd9b3112f2c034e2ae0
Instruction ID: fd3b7ce27ef17681c1fc761eb95a129d4c9f1684a25782dd1daa94d1283bc00a
Opcode Fuzzy Hash: 43aca4b85a3047e416f75f6a2bf1fb923589da3b1258cbd9b3112f2c034e2ae0
Instruction Fuzzy Hash: BBB092CF9042C642EB06FA72AC5934A1E237FD2206F8D84BC6C4191203EC1CD0006321

Uniqueness

Uniqueness Score: -1.00%

Function 080701D2, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688630274.0000000008070000.00000040.00000001.sdmp, Offset: 08070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8070000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction ID: 8edf350ab73e4385b340aee6ef4f1c0c9202ac0f246999718f1f7f92f0273942
Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction Fuzzy Hash: ECB09237E45008C9EB008A88B4813EEF720E780326F104123C211524418372016496E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 5992 Parent PID: 7028 powershell.exeCOMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	2

Executed Functions

Function 008F4DD8, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 008F4E50

Memory Dump Source

Source File: 00000002.00000002.761980466.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 64cd19385d01957c253448b74db621477234435baa48e36387eddb3aba98737b
Instruction ID: 86088cf8392686ba6b929c4846c5a96ae8e422161c8a62ea3dfe9c7127dd969c
Opcode Fuzzy Hash: 64cd19385d01957c253448b74db621477234435baa48e36387eddb3aba98737b
Instruction Fuzzy Hash: 8E2136B1C046199BCB10CFAAD844BEEFBB4FB48720F00812AE518B7600D778A904CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 008F3F9C, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 008F4E50

Memory Dump Source

Source File: 00000002.00000002.761980466.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2cdfeef374a3d2e60f0e904fa95cc75b3654226cce3d2942a40edff8890c36e1
Instruction ID: 45b308932610933945a5c27fc4fd6274581a22d0ba958f20312ab17d812bf28c
Opcode Fuzzy Hash: 2cdfeef374a3d2e60f0e904fa95cc75b3654226cce3d2942a40edff8890c36e1
Instruction Fuzzy Hash: AD2103B1D046599BCB10CFAAD8447AEFBB4FB48724F10812AD919A7700D778AA04CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0060D006, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.761352746.000000000060D000.00000040.00000001.sdmp, Offset: 0060D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c1028dd8b0d667a10550522e91dbf2ed78919d7c396663acbec725f5a13a81
Instruction ID: 76124aeaf82db7dc23ca57c451d85c179cb9326347ad68d3652f9123569c02de
Opcode Fuzzy Hash: f1c1028dd8b0d667a10550522e91dbf2ed78919d7c396663acbec725f5a13a81
Instruction Fuzzy Hash: BC01406140D3C05FD7164B258C94752BFB4DF53624F0981DBD9898F2E7C2695849C772

Uniqueness

Uniqueness Score: -1.00%

Function 0060D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.761352746.000000000060D000.00000040.00000001.sdmp, Offset: 0060D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0944d635fcf93aae1ebc88a3dd55a6b0db789097252ff38226a42fc435920204
Instruction ID: cc069dd43c5666173ff6abc2c2217b8948b6698f1df7e25b192377703e3ce32e
Opcode Fuzzy Hash: 0944d635fcf93aae1ebc88a3dd55a6b0db789097252ff38226a42fc435920204
Instruction Fuzzy Hash: 57012B71408340AAE7184E56DC84BA7FBD9EF55724F18C619ED4E0B3C6C3799846C6B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Shipping Documents000000000000000000020.exe PID: 5752 Parent PID: 7028 Shipping Documents000000000000000000020.exeCOMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	4

Executed Functions

Function 00D42D50, Relevance: .9, Instructions: 904COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f0dbc0e7a4653e85c21b7da391ea4628ca06f4957d5010c06d270858cfb4b
Instruction ID: 785968032d42b44d7d8785e6e66606b7d803c7b7b95fd0c20e7a074931010a7b
Opcode Fuzzy Hash: 118f0dbc0e7a4653e85c21b7da391ea4628ca06f4957d5010c06d270858cfb4b
Instruction Fuzzy Hash: 30821970A00209DFCB14CF69C984AAEBBF2FF89314F198559E4599B7A1D730EE41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D41FF0, Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041384dd2a2cc97d9f514d6a1263571ccaf0904c342bf5308efc523b8515a0cb
Instruction ID: 0f350c97a2a75777df8e2c4cfd63956f0dba4ad46bf0921d7c4bcc63c01ebbef
Opcode Fuzzy Hash: 041384dd2a2cc97d9f514d6a1263571ccaf0904c342bf5308efc523b8515a0cb
Instruction Fuzzy Hash: 0C229D30A002198FDB24DF64C894BAEBBF2EF88304F548469E906DB395DB74DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D50CA0, Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8312d630e953a4b44eb27528279e8d3d85732903b5c5a44ece28b72532f32054
Instruction ID: faa0ef2cb3c9af4f3abdd3bbcc9ed9b1453eeba79541beaaa3a6dd86a950ecb5
Opcode Fuzzy Hash: 8312d630e953a4b44eb27528279e8d3d85732903b5c5a44ece28b72532f32054
Instruction Fuzzy Hash: 17F1A334F002089BEF24DBA8C895BADB7F2EB85315F288425E915EB791CB35DC85C761

Uniqueness

Uniqueness Score: -1.00%

Function 00D4BBF0, Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93494a9d166dabc8b79c189452369728a18f8dddbba611d5219d983118fb84be
Instruction ID: 01b123fde56eb5c4b1b7cb90e0380fee3ecae68d207f14c698e951df2eda0e99
Opcode Fuzzy Hash: 93494a9d166dabc8b79c189452369728a18f8dddbba611d5219d983118fb84be
Instruction Fuzzy Hash: D2D1D330B002149FDB68EB788C5476EB6E3EFC5354F188429E51A9B794EF789C06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D42768, Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecf1dc768dba0cda1bfca3a7fc92a662074be39ab60e62b8743216dbbedb49e
Instruction ID: 84eedabe81f886a5d1150154f1400ae78bb388f875d7fb93b55140b311c66abd
Opcode Fuzzy Hash: 3ecf1dc768dba0cda1bfca3a7fc92a662074be39ab60e62b8743216dbbedb49e
Instruction Fuzzy Hash: 68D10931A00119DFCB14CFA9C985AADBBF2FF98304F998065F855AB265DB30DD81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02995133, Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c50c4d0e411cfd3f52e9e4565d6942097e3b2a68fbeca0d15d714a52650bb60
Instruction ID: f8065b90e15a99236c42ab1f0ee0bdbd09c57724a5d6b1b6a3c3e72c40c0f464
Opcode Fuzzy Hash: 1c50c4d0e411cfd3f52e9e4565d6942097e3b2a68fbeca0d15d714a52650bb60
Instruction Fuzzy Hash: 8A5103B1C00249AFDF12CFA9C984ADEBFB6FF48314F55816AE808AB220D7759845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02993C7C, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029952A2

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b9e3ec325495d91828cad4f55a86b4caaccf8bc29a8ccfd483aeb88bc3183085
Instruction ID: 6142846b8f7aa427034cf015b12c89ac3e01cf2ec4202574087b8611560ee098
Opcode Fuzzy Hash: b9e3ec325495d91828cad4f55a86b4caaccf8bc29a8ccfd483aeb88bc3183085
Instruction Fuzzy Hash: B451CFB1D10349DFDF15CFA9C884ADEBBB5BF88314F65812AE819AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02996E3B, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02996DFF

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 23154998bcdb12bd6c10186ffb31e42349bcba474d6187a887b388edcd68e4d2
Instruction ID: 268db713a49b0dcb7dd3568dbae66e96304721e1a877c81287a75058ce7b0081
Opcode Fuzzy Hash: 23154998bcdb12bd6c10186ffb31e42349bcba474d6187a887b388edcd68e4d2
Instruction Fuzzy Hash: E2417374A803449FE711DF64EA59BAD7BF5FB48324F104429E9059B7C5CB789902CF22

Uniqueness

Uniqueness Score: -1.00%

Function 02996964, Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02997CF9

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 31047598a2d105470d737c4eb404f70ff9448f46de3cf27f514679a87f2d9b8a
Instruction ID: ccd904ed398a08657dfef429442b7f9e7530e5455033734fd0fedb13f47fb766
Opcode Fuzzy Hash: 31047598a2d105470d737c4eb404f70ff9448f46de3cf27f514679a87f2d9b8a
Instruction Fuzzy Hash: 66411AB4A102459FDB14CF99C548BAAFBF5FF88324F148899D519AB351DB34A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0299C329, Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0299C3B2

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8b54e426b4f592c19bccf8e5c21f71d4c1e907cfbd937060bf61cd3f3d444514
Instruction ID: ab389b60d718d012e726b927a91d6c411ba5a963002f14d8eac2f34620c6d738
Opcode Fuzzy Hash: 8b54e426b4f592c19bccf8e5c21f71d4c1e907cfbd937060bf61cd3f3d444514
Instruction Fuzzy Hash: 863181758043849FEB20CF68D90539E7FF4EB4A328F14845AE444E7242C7795919CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02996D73, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02996DFF

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1a68bdc00f1c9e1a5e9a02f6d56aef121a7077a29d75bd435c297c28d42913e6
Instruction ID: b97b7c4cafa846eb96e1f5534afb9a5b89536db88ea800afc5bb387b73cca607
Opcode Fuzzy Hash: 1a68bdc00f1c9e1a5e9a02f6d56aef121a7077a29d75bd435c297c28d42913e6
Instruction Fuzzy Hash: 2621E4B5900248AFDF10CF99D884ADEBBF8EB48324F14801AE914A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02996D78, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02996DFF

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 16d9de4b70459ebc0c38300dd382b1ca1ca34377022dd524f23de5401c6413bc
Instruction ID: 4100c16dd290651e9249830d2e5bace8a55d6fbae753c664e7e831582c8e59f4
Opcode Fuzzy Hash: 16d9de4b70459ebc0c38300dd382b1ca1ca34377022dd524f23de5401c6413bc
Instruction Fuzzy Hash: A521D5B5D002489FDF10CF99D984ADEBBF9FB48324F14845AE914A7310D778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0299C338, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0299C3B2

Memory Dump Source

Source File: 00000005.00000002.911055657.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2990000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: a18e4e54fad9655d4812de9702d1207ef99f02cc298604e534da6ef7f73496aa
Instruction ID: 8be76b6be7b4ef4e665c74d4de133f019785e47b3ddfe538e9e4cca51be33c90
Opcode Fuzzy Hash: a18e4e54fad9655d4812de9702d1207ef99f02cc298604e534da6ef7f73496aa
Instruction Fuzzy Hash: 1D1159719003458FEF20DFA9D90979EBBF4FB48324F14842AE805A7601CB796904CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C128, Relevance: 1.3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P@4k, xrefs: 00D4C19F

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: P@4k
API String ID: 0-4221113945
Opcode ID: dec86886d7794e285c715c8873b550db5032b7b5b267ff64b94d453341464d56
Instruction ID: 458cc2da5a801d6c6957685bd1d89f8d04a03cb55eb07e2adabcfaf62f81f630
Opcode Fuzzy Hash: dec86886d7794e285c715c8873b550db5032b7b5b267ff64b94d453341464d56
Instruction Fuzzy Hash: 9331E131B002048FCB54AFB4D8542AEB7E7AF88344B14846DD406EB395DF78DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C123, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

P@4k, xrefs: 00D4C19F

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID: P@4k
API String ID: 0-4221113945
Opcode ID: 1cf7c62631b4fccf32f42feeec90e04c768a65306b197d134dc0bff18b70a575
Instruction ID: 3107d24283bac5ae16b3f9dada866eec77055601ca714b461b0cc4cc512ecf1d
Opcode Fuzzy Hash: 1cf7c62631b4fccf32f42feeec90e04c768a65306b197d134dc0bff18b70a575
Instruction Fuzzy Hash: 1B31D031B002048FCB54AFB4D8582AEB7E7AF88344B18846DD406EB395DF78DD06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A770, Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad3958ad518bbe5b2b257e9b2f73d28784a8d67928bf337ff6db84d0f620b39
Instruction ID: 593f2f565afc622ab675a977c4c0b2e517523de98a309a1ac80f137aa57058ab
Opcode Fuzzy Hash: 3ad3958ad518bbe5b2b257e9b2f73d28784a8d67928bf337ff6db84d0f620b39
Instruction Fuzzy Hash: 42E19235B442058FCB14DBB8D9856ADBBB2EF89304F25846AE406DB395DB34DC42CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D44B68, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de03d1444182bc5d22d2a3868f59edc0ef4fc27ad620f5e355e66ab820b79f9
Instruction ID: 3bcc4abb6476defd4b5687edfaf63833699709968f5260bacd55814b3985aa71
Opcode Fuzzy Hash: 1de03d1444182bc5d22d2a3868f59edc0ef4fc27ad620f5e355e66ab820b79f9
Instruction Fuzzy Hash: 2DD1FC71E00215CFCB14CFA9D584A9DBBF2FF98315B1A8099E415AB362CB34EC85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AD08, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdd519b2d65bd329727c644d2b9c7b6b03ef9b398a84ffde6b9b484634c1d6a
Instruction ID: 0a2479b014512a909389ee16566962e932ac64855f3db1ac340c3a31cdde3d47
Opcode Fuzzy Hash: cbdd519b2d65bd329727c644d2b9c7b6b03ef9b398a84ffde6b9b484634c1d6a
Instruction Fuzzy Hash: 72B13C30E402098FDF20DB6CD484BAEB7B1EB59315F688926F415DB791DB34DC858BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AD00, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed41045e5710abf5d4a29e9e973c31a5e329b94ef8e18b5095a5614d110dd9d6
Instruction ID: ae008ee9bb38805ea62f997098b11bda51363d53d973e6d38c2d3a3622990429
Opcode Fuzzy Hash: ed41045e5710abf5d4a29e9e973c31a5e329b94ef8e18b5095a5614d110dd9d6
Instruction Fuzzy Hash: 82B15D30E402098FDF20DB6CD484BAEB7B1EB59314F688926F415EB751DB34DC858BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D42D4B, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7b3de65786f267b8f759119cef6d19cff69d99b2cc52f9faec9aa69f268239
Instruction ID: 28f63f8bbbf7b25d676378ba7a906185f9b6f265fe29db195d131c20967d7ff4
Opcode Fuzzy Hash: ed7b3de65786f267b8f759119cef6d19cff69d99b2cc52f9faec9aa69f268239
Instruction Fuzzy Hash: 2EC11A30A002099FCB14CFA9C884AAEBBF2BF48314F598559F855AB761D731ED45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D416C8, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5bcbf30cc2dd1fa3c3c35aaaf29eba34da204c3cc6a558186a58c23e07c634
Instruction ID: 01d2765e4618a50c4995a5d5b9fc77f11821149b86a5ccb86fb47b2593962565
Opcode Fuzzy Hash: ec5bcbf30cc2dd1fa3c3c35aaaf29eba34da204c3cc6a558186a58c23e07c634
Instruction Fuzzy Hash: 2091E1383042159FDB259F24C854B7E7BE2AFC9344F188429E9468B385DF79CC86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D41AD0, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a73f46e8c872015e250cb3bb084eff33c6cdced58038348c2c3c154617dd0e4
Instruction ID: 0b847f702028a3dadd3c023b7076fb76c41a1648538cace4e7200b63d0ca327d
Opcode Fuzzy Hash: 4a73f46e8c872015e250cb3bb084eff33c6cdced58038348c2c3c154617dd0e4
Instruction Fuzzy Hash: AE81A278B40516CFCB14CF69C884AAAB7F2FF89345B198169D416D7361DB31EC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D44C70, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fbab3e341e6ecc65c040ff6f5c4112c299c2edda9431bd8648bbea637242a0
Instruction ID: 9bff72f1fc297d6938afc77ae07f49fa621f52b5fca5938bc02ca933ef6bb49f
Opcode Fuzzy Hash: 00fbab3e341e6ecc65c040ff6f5c4112c299c2edda9431bd8648bbea637242a0
Instruction Fuzzy Hash: F891A575E00219CFCB14CFA9D584A9DBBF2BF98315F5A8095E415AB362CB30EC85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D512B8, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a809c2c347117663c907248ac9d28a3e37bbaa17284de452b8d865a4db675ef7
Instruction ID: 2d142556625a117d1d8566c674bd5abac39af21cb71e0d6287a3ba478a9e19ae
Opcode Fuzzy Hash: a809c2c347117663c907248ac9d28a3e37bbaa17284de452b8d865a4db675ef7
Instruction Fuzzy Hash: B3510736F002205BEF346A24586677E65539BC1751F1C8039FE1BAF7C5DEB98C4A83A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D43AD8, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8f4b5097a6c80e40d26e95834a31da10bb399dd2df732fd10b8a01192e6a8e
Instruction ID: d51e1f223b89eec50b91422de20208d35a100a03ea6be71510606ef75b8a792f
Opcode Fuzzy Hash: 5d8f4b5097a6c80e40d26e95834a31da10bb399dd2df732fd10b8a01192e6a8e
Instruction Fuzzy Hash: EA617A303141558FCB14DF3EC885A6A7BE9FF49750B1944AAE856CB361DB31DE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D4EDF4, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0fcaf2758de8f84b7e5fb09ff3e3cda2e64482e6cbcf8b541528c541c7c84b
Instruction ID: 01a0282b362d3013e1c68ef9d50ec9d0b0a6f1735f3f4878e2639d033cb73526
Opcode Fuzzy Hash: 3d0fcaf2758de8f84b7e5fb09ff3e3cda2e64482e6cbcf8b541528c541c7c84b
Instruction Fuzzy Hash: 5A61AD30B002549FD714AB74C85976EBAE3AFC5344F18C439E5169B3A2DF799C42C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4EE00, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501c9d0ae722fa968b865c6e229137e639830f407be01ee4316332371b19d621
Instruction ID: 90fad54e6e4754625a5af4bc8a61478a29e8c35136523a49d4a67199b014672c
Opcode Fuzzy Hash: 501c9d0ae722fa968b865c6e229137e639830f407be01ee4316332371b19d621
Instruction Fuzzy Hash: D061DF30B002549FD718AB74C859B6EB6E3AFC5344F18C429E5169F3A2DF799C42C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D50040, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4ba2a5e5de2efbfcde84a819d9a489b019f165c4150866f310306ffc62e74e
Instruction ID: c173cd86466eb3a5ad586f5036ca5e421b80285dd5ab2268097a8ac3cd05a57a
Opcode Fuzzy Hash: 3b4ba2a5e5de2efbfcde84a819d9a489b019f165c4150866f310306ffc62e74e
Instruction Fuzzy Hash: C361C631F002189BDF54ABB4D8197AEBAE7AFC8315F24842AD905EB391CE744D059BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D50ABD, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d888165fdbd92a4e750fffdb81efb762d9ae5fa3e5836995fd6f2c6a7b88620
Instruction ID: 92f14e600ac34881c02f37390d38bfed83f1a6bcb30e6212aca084ff098fabfa
Opcode Fuzzy Hash: 9d888165fdbd92a4e750fffdb81efb762d9ae5fa3e5836995fd6f2c6a7b88620
Instruction Fuzzy Hash: CE518331B0020A8FDF30CF69D8806AEBBB2EF95315F148929DD56DB650D731D94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D50027, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e0324f004cf729d0058362710303d3e98807333cf2141644bd9640791520a6
Instruction ID: c4f30084be65fef6fdce30cb5ada0d08c6cc2b4f296d8b43de78ea89bee2a581
Opcode Fuzzy Hash: a7e0324f004cf729d0058362710303d3e98807333cf2141644bd9640791520a6
Instruction Fuzzy Hash: EF510270B002449FEB14ABB4882576E7FF3AFC9305F18806AD505DB3A2DE784C05DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4CA70, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4f4a48312147740cb4f45f6358c473bcfdfd7280675cbb3659ec456a3cda54
Instruction ID: 4f75813914f3575dff516a4500968f9704a25f11fa29beac36d5be28f709dfdd
Opcode Fuzzy Hash: aa4f4a48312147740cb4f45f6358c473bcfdfd7280675cbb3659ec456a3cda54
Instruction Fuzzy Hash: D941B031B102168FCB28EF74D85566E7BA7EBC9384F188429D9069B745CF789C0287E2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E340, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b269783b169e91a7e83be1d586cbd49812399e28c3a3f50f534a05422afa003
Instruction ID: 227c97bb682fea182914d70137fb0d6b1406d1c3b1506068d25a281124aecde2
Opcode Fuzzy Hash: 5b269783b169e91a7e83be1d586cbd49812399e28c3a3f50f534a05422afa003
Instruction Fuzzy Hash: 6141C430A042909BDB60DB29D58075EFBA2FF85304F28C5AAD91D9F347E776C846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D449B0, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af8a35733142f52a1a8c73cd481e186abed7ee83ec76e9d2798d9e33d131da4
Instruction ID: 2238f33fc14198f064ad69a443fe0a61491fd27869157b72a165a9046faf4cf5
Opcode Fuzzy Hash: 0af8a35733142f52a1a8c73cd481e186abed7ee83ec76e9d2798d9e33d131da4
Instruction Fuzzy Hash: 0941E1317042048FCB289B64D859BAE7BF6EFC9214F18406AE90ADB391DF35DC42C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D45500, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e810335ffc5b400acaf3ff821c623dc0d6010efffe3841f5d20b5c91dfa22b28
Instruction ID: 5fd133eee748eb7c2687b137e04fc11504f19c0461b5a75a9192f6bb281ea2f2
Opcode Fuzzy Hash: e810335ffc5b400acaf3ff821c623dc0d6010efffe3841f5d20b5c91dfa22b28
Instruction Fuzzy Hash: 7241F3313046558FCB159F68E81467E3BA7EF89310F19806AF90ACB3A2DB34CC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AAA0, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5acfcc1e2087518f23e38850039549b2e5f815f145e4b970b5645022ee184d0
Instruction ID: 3cdbadec67c40eb4e1767e11ecc755dd2e1a3dffff062d35c64261ae2c7eb7e8
Opcode Fuzzy Hash: d5acfcc1e2087518f23e38850039549b2e5f815f145e4b970b5645022ee184d0
Instruction Fuzzy Hash: 77319E70B402158BDB24ABB8E88136E73A7EB85315F28483DD40ADB394EB39DC41C762

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AAA8, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea6b42c37066dfa910ac6580a3a9f7c9104940419e0ccc54fc2da67a875782d
Instruction ID: 6526f8f1d30bac020f74babff263a8c2d7b047238e881cc84343db82b54dd0c3
Opcode Fuzzy Hash: aea6b42c37066dfa910ac6580a3a9f7c9104940419e0ccc54fc2da67a875782d
Instruction Fuzzy Hash: B2318F70B442158BDB24ABBCE88176E73A7EB85355F28483DD40ADB394EB35DC41C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D438D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a853a1c9a76d7d59bddf8d3dc79b620088734526a8aa01a6834920537d485f3
Instruction ID: 5bb24f5c5371269dd5eec228e3abcba8bb927075ed8efa36c692dd256881aa0d
Opcode Fuzzy Hash: 0a853a1c9a76d7d59bddf8d3dc79b620088734526a8aa01a6834920537d485f3
Instruction Fuzzy Hash: 0D4126757102599FCB14DF28C888AAE7BB6BF88314F144069F9568B3B1CB71DE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D453F8, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcaf60ee814e6c4f8fbf2b3ce98bba76a62dfdaa771298e0e8653e733c90003
Instruction ID: c34cac3e31c62a83be6591f22265e4d87226912022f3ad4931468fbe56fa19fa
Opcode Fuzzy Hash: 9fcaf60ee814e6c4f8fbf2b3ce98bba76a62dfdaa771298e0e8653e733c90003
Instruction Fuzzy Hash: 3131F331B042598FCB10DFA9E884AAEBBB9EF48311F14406BE508DB352D734DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D44890, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbe1b94c2df076324dfe3de192ef1cb48775341fe63e53f00e4fba98ce8f3f7
Instruction ID: e4b9a7cb74e7c0837562f335b9cdde8df013a93b361490cb5c8bf658a8492af9
Opcode Fuzzy Hash: bdbe1b94c2df076324dfe3de192ef1cb48775341fe63e53f00e4fba98ce8f3f7
Instruction Fuzzy Hash: 4B31B4303181158BDF659B28989573FB76AEB81740B29486EE0D6CB3A1DF24CCC1DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D43D08, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59efc00e301d3245dfa4546c590d6adc71773ff0540b843d1c94e5720a6677b1
Instruction ID: 10bfadf1c0fdd88d003990a6cf6c9e065f19645f390daf56fda72d0ce844979c
Opcode Fuzzy Hash: 59efc00e301d3245dfa4546c590d6adc71773ff0540b843d1c94e5720a6677b1
Instruction Fuzzy Hash: 6A21F6317002158BCB28673DD89563E3AABEFD0754F288039E903CB7A1DF29CD4297A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D43D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5600f31abdf5d7d4a6a140972d6a801131b34c00d0cdb60995b06f81618654
Instruction ID: 5e26e002a7c24db6e12f2c0d266b5730dcbe68b944ca231bace5e094e5eb7e6b
Opcode Fuzzy Hash: 9e5600f31abdf5d7d4a6a140972d6a801131b34c00d0cdb60995b06f81618654
Instruction Fuzzy Hash: 3821A4317042154BDB28663DD89573E3AABDFD5754F288039E902CF7A4DF29CD4293A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D44B58, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ea40421fed3e64f04666a900af6fb30ddeb1de8200584f303ff33f40602b74
Instruction ID: c514bc6e031e7d62e75f0a500304354c3960bd7b90a47c3d9acc3aa67f0ebefe
Opcode Fuzzy Hash: d8ea40421fed3e64f04666a900af6fb30ddeb1de8200584f303ff33f40602b74
Instruction Fuzzy Hash: 7E318471F015168FCB04CF6CC8D4AAEBBF2EF85350B198159E4269B3A5D7349C42CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D414F0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f4e3cacc55b4dc88f499b9e22df1863330b5a6d726713192e5d10aba5e6801
Instruction ID: 06ecb7a65c546bb6126d59b9a9069849a98fca047178b75e3c6a0b31d3cf0dd3
Opcode Fuzzy Hash: 89f4e3cacc55b4dc88f499b9e22df1863330b5a6d726713192e5d10aba5e6801
Instruction Fuzzy Hash: 40315A352001199FCF15AF64D845AAE7BB6EF89310F148015FA0687250CB35CDA2ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E2EB, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e466f3c2585cfc34e301bac664015e5019cd0ade263e3b1f303d850cdeb78961
Instruction ID: c570708717ddddd5fcba303d7469f710699f28160be0e7c0e2b20edbb7382470
Opcode Fuzzy Hash: e466f3c2585cfc34e301bac664015e5019cd0ade263e3b1f303d850cdeb78961
Instruction Fuzzy Hash: 9421DB30B082C05FDB629728954475DBB92AB96308F2CC4DAC09D8F647D776C80AC772

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.910588985.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fdd000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cfbe87c1c1d624bc9f269abaf26b55575999d8de719f1e0a47e82ce271f69d
Instruction ID: 0fa872460de09ba10379973a6801b09976ed8fb3cc2a2655ca0bc83c2956a84f
Opcode Fuzzy Hash: 03cfbe87c1c1d624bc9f269abaf26b55575999d8de719f1e0a47e82ce271f69d
Instruction Fuzzy Hash: B2212872904240EFDB15DF10E9C0F27BF66FB98324F28856AD8054B346C336E856E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.910588985.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fdd000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb468b82e0f5ebfb66eefa232347c2be8c591eb366e1ea5cc5d1679228a5332
Instruction ID: 356977c68fcebc3c009022dc1e699a9dc9490bf47bc18c78ca3752ee6eca70ca
Opcode Fuzzy Hash: cdb468b82e0f5ebfb66eefa232347c2be8c591eb366e1ea5cc5d1679228a5332
Instruction Fuzzy Hash: 3521F8B2504244EFDB05DF14E9C0B26BF66FB98328F2C856AE8054B346C336D856E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D419F0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08708767b203e0fa8684c0516ba4570d1b6267c369acd95213b1a891744b1557
Instruction ID: 7f027549c961b5a8ab700c8adf1635a53ebb98652853b19001e5470ecf9c30e8
Opcode Fuzzy Hash: 08708767b203e0fa8684c0516ba4570d1b6267c369acd95213b1a891744b1557
Instruction Fuzzy Hash: B821D5367016218FC7259B25D85653EB3A6EFC5754B18856AE906CB350CF34DC8387E0

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E510, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a42e9cc9be972234bd1574242c657ce53de1f30b1e49097f9d4c38078badd9c
Instruction ID: c02b642142672792989f42d6983287f9c285d9a5403249c29e46cf2beed4499a
Opcode Fuzzy Hash: 0a42e9cc9be972234bd1574242c657ce53de1f30b1e49097f9d4c38078badd9c
Instruction Fuzzy Hash: C6215E31B00115ABDB14DB78C915BAE77F6BF88728F248169E505EB3E0EB719D009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.910630785.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fed000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3855171cc1ffba5fd20ef8276dcb3575680f2e4a9d15d6766904459419d9356c
Instruction ID: c08d47f42b68c7768b641ab21ba52926b0a9246932882f92123c419077ab7d27
Opcode Fuzzy Hash: 3855171cc1ffba5fd20ef8276dcb3575680f2e4a9d15d6766904459419d9356c
Instruction Fuzzy Hash: B9210771608280DFCB14CF14D8C4B26BB65FB88324F28C569DA0A4BB4AC737D847DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E50B, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cd1b4abac265e47649cfaf56c2bffbf02566a28f026d6bcc6b795379b283a4
Instruction ID: 65baed2bcbfe0253d2a83f509b5b7db013127495f73c27ee05de476a181ed1b7
Opcode Fuzzy Hash: 44cd1b4abac265e47649cfaf56c2bffbf02566a28f026d6bcc6b795379b283a4
Instruction Fuzzy Hash: 62216031B001559FDB14DB78C914BAE77F6BF88714F248169E506EB3A0EB71CD009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E33C, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8c1e1721d3eefe9c47f8b9e5454fdd42af25aeb57d9f910156a0ee62c94244
Instruction ID: a4337a4c1065b9da6cff6101e8391a2a87eaae7f43f48fc18ae26ab4e6273d3f
Opcode Fuzzy Hash: 9b8c1e1721d3eefe9c47f8b9e5454fdd42af25aeb57d9f910156a0ee62c94244
Instruction Fuzzy Hash: D2216620B041D05BDB71966C928475EBB92AB86708F2CC4DAC45D4E647D7B7C84683F3

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C398, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6261e4bd00206759fe2579dc369674609e4fb89dbe142b033764fea3a4791d0
Instruction ID: 13f99f92819631c6ad33d493562867145cf571bfc72e8c341cc11a2549fc4c8e
Opcode Fuzzy Hash: f6261e4bd00206759fe2579dc369674609e4fb89dbe142b033764fea3a4791d0
Instruction Fuzzy Hash: 931123307197608FC7649B79852827EBBE69FC1601F09C46AE05AC3652DE7DEC06C320

Uniqueness

Uniqueness Score: -1.00%

Function 00D419E3, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb92a2e599a44191183684ae045a81b8432d6c79826ba85b034636eed457ddd8
Instruction ID: bf9f3833935c2a284cd68bdba1e3cd263fd371f1bb2fd354d23daddfe697b2a3
Opcode Fuzzy Hash: fb92a2e599a44191183684ae045a81b8432d6c79826ba85b034636eed457ddd8
Instruction Fuzzy Hash: B811E036301A118FC7249A29D896A3EB7A6FF85791F284569E906CB350CF24DC8387A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FED005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.910630785.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fed000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f775f215e89e309427d29658d1282cfcb477a559aab23aaa2004c07be9f4d2
Instruction ID: 390f899068142e56b32e1e188b6e4ba63cd02fbe22717b8552d2ae26ab7327ef
Opcode Fuzzy Hash: f2f775f215e89e309427d29658d1282cfcb477a559aab23aaa2004c07be9f4d2
Instruction Fuzzy Hash: 6D2150755093C08FCB12CF24D994715BF71EB46324F28C5EAD9498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D449AC, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8683b7fa52026f3edf3d1ab242bd574ac2c95ffe889c0ccc1c1e390f0801c80
Instruction ID: 6115aa85450c3a38b15f95993638eea73057b0663e8fd6be966a4895da6ce0de
Opcode Fuzzy Hash: a8683b7fa52026f3edf3d1ab242bd574ac2c95ffe889c0ccc1c1e390f0801c80
Instruction Fuzzy Hash: 1E115E35B102049FDB148F64D946B9DBBB6EB8C721F144469E905A7290CA719C51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D42608, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb4b1b0c4322a52636ff903ae7225284949680bb3db862910f168e08a053dd7
Instruction ID: 5d71494997dbcb306a85e3a41f6adc68205ce6b1dcfdf30ee609f58f24417dde
Opcode Fuzzy Hash: bdb4b1b0c4322a52636ff903ae7225284949680bb3db862910f168e08a053dd7
Instruction Fuzzy Hash: AB21C770A04208DFCB20CF98C908BBABBF6EF88310F08846AE4599B611D374DD18CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.910588985.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fdd000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 86ef9a9514dae5c5d2674de563ee4de347fd6529db6240e9d48acd0a3e2a36f0
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 9A11B476804280CFCF11CF10D9C4B16BF72FB94324F2886AAD8054B656C336D85ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.910588985.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fdd000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: c7c7d35a5c2cb7e6532f3603f2182a4f8750c598a2f7d4200930cd4d2a514f37
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: EB11B476804280CFCB11CF10D5C4B16BF72FB94324F2886AAD8054B616C336D856DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D433, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db1cd942d962fcb807642e1a973d11f5a7162d2aaa1a6ca2fb00f162059c3df
Instruction ID: 06ff6265e2e3fc6af56e70f77e0f7dd9d7535cac1a37c2c667dac55d23501186
Opcode Fuzzy Hash: 8db1cd942d962fcb807642e1a973d11f5a7162d2aaa1a6ca2fb00f162059c3df
Instruction Fuzzy Hash: 7E117075B00225DF8B40EBB8D845A9EB7F2EF8C2157518426E509E3354EB349D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D438, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2873fd08f8dd0f2b3b42a65f866bbdaede58fb224d334dcc5c75d834d87836c
Instruction ID: 888e1e5d289315e58148ad3879323d45ffcd00c5eeb749d5c3f0be114195e075
Opcode Fuzzy Hash: f2873fd08f8dd0f2b3b42a65f866bbdaede58fb224d334dcc5c75d834d87836c
Instruction Fuzzy Hash: 11117075B00225CF8B40EBB8D84599EB7F2EF8C2157508426E509E3354EB349D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C3F0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e9574dc9e8b931e1ba3bb1db2c1092d94105d6cb8107dc9119c06374e2dbe
Instruction ID: 47fd02779a2e185cb64c1af6f971a9b3fde421c18c99ae8c08921e35b8c2ff56
Opcode Fuzzy Hash: 701e9574dc9e8b931e1ba3bb1db2c1092d94105d6cb8107dc9119c06374e2dbe
Instruction Fuzzy Hash: 4B01B130B117108FCB249A79952C67EBAEADBC5B05F49C82AE05AC3751DE79EC06C710

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A76B, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8368af6e9acb6c009f90c7a164649ae10676c71e542c8e9f1b5fbace64b140
Instruction ID: a7ab653fdb32e8a9ceaec547f92db8ba0beda93a6c3c23cfaf9b3e4983875bee
Opcode Fuzzy Hash: 7b8368af6e9acb6c009f90c7a164649ae10676c71e542c8e9f1b5fbace64b140
Instruction Fuzzy Hash: BC116D70E00219DFCB54DFA8D6856DDFBF2EF88314F24842AD408A7304D330A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D45454, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa4e95607486ba561e251d41bd82bb9d8404b92c3e4a57c00db0e73d3fa3b5e
Instruction ID: 801135404722f0128faec81ad6d34d9097d780fdf705a4d75b77cacb7e8bf0d8
Opcode Fuzzy Hash: 4fa4e95607486ba561e251d41bd82bb9d8404b92c3e4a57c00db0e73d3fa3b5e
Instruction Fuzzy Hash: 80113C71E0121A9FCF10DFA9D8445BFBBB5EF88311F14442AE919E7305D7748A55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D41638, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98eeb643f7cb38395bd838c0677c4353f39dbd98b26014466c9f53510938d365
Instruction ID: 06e1b45d9619ff102a19c471fa6b46b3e60a5c3885226484d596df0c6ee6bc8f
Opcode Fuzzy Hash: 98eeb643f7cb38395bd838c0677c4353f39dbd98b26014466c9f53510938d365
Instruction Fuzzy Hash: 8A01D632B001156F8F159E699C00AAF3BAFDFC8790F19802AF505C7340DE75DD519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D454F9, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d75f1155606c4ec904d43d903d54d567811f72fc2e51fc9d934ea0efcbaa4f
Instruction ID: 97c1dde880fa736ac38ce37383cbfe80b1e8b7d612d612e8c0c25829631d811e
Opcode Fuzzy Hash: 62d75f1155606c4ec904d43d903d54d567811f72fc2e51fc9d934ea0efcbaa4f
Instruction Fuzzy Hash: 1E01AD72700A058FCB14DF19F55562E37E7EFC8320B188029E90ACB316EA34DC129B60

Uniqueness

Uniqueness Score: -1.00%

Function 00D41628, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b885fe6301ef21134614ef2531c84437ad8aec69e67044156b18ec4489bab3a
Instruction ID: 67f98a17e6920766e664a8089e7831ade913387b56e43da7b043442bddfdd7d2
Opcode Fuzzy Hash: 1b885fe6301ef21134614ef2531c84437ad8aec69e67044156b18ec4489bab3a
Instruction Fuzzy Hash: C901D136600104AFDB118F65AC04BEF3FABEB88790F188029F919C3290CB36C8519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D4BBE5, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9f4a7b7d042a4c012adb8fb7b4983dad61de798053ad8be41210cc76551fe5
Instruction ID: 1be7aa68d9cd278dbca9110ac4368ea80a9bb9360c3dfa490d84c43b279ad7b5
Opcode Fuzzy Hash: cb9f4a7b7d042a4c012adb8fb7b4983dad61de798053ad8be41210cc76551fe5
Instruction Fuzzy Hash: EF01A274F002188FCF80EBB899856AEBBF2EF84314B14006AC509E7704EF349E01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D4CFF3, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d31440fa0930793f3d3bd793c98646cfd73461ccaba33d8d25cfce09d3e3fe2
Instruction ID: 8fd65acdaa0b5e0aab4bf1f86548973f061cb0b101b2a8527d4da6cbbb7460fa
Opcode Fuzzy Hash: 5d31440fa0930793f3d3bd793c98646cfd73461ccaba33d8d25cfce09d3e3fe2
Instruction Fuzzy Hash: F701FB70E012198FCF54EFB9D9016EEBBF1AF48204F14852AD419F7254EB398906CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4CFF8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f32151a295d2d06e27fbb663c4d6ffb01be267eb072c7cb7d83743fdcf6c21
Instruction ID: 7a8e9eb88e202725142991e126bd056b565e26e940c8a19ee23ced58ecd80e62
Opcode Fuzzy Hash: 26f32151a295d2d06e27fbb663c4d6ffb01be267eb072c7cb7d83743fdcf6c21
Instruction Fuzzy Hash: E801E470E00219CFCF54EFB9D8016EEBBF5AF48204F108529D819E7250EB399A02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E1B5, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31a77458d43516b5abd4b7d316aa1cf1f70f1866e9fc48eb2bdc690529b1d56
Instruction ID: fcf682b1aaef9bc81857718f30a104617b133426026d690434215158155506e0
Opcode Fuzzy Hash: d31a77458d43516b5abd4b7d316aa1cf1f70f1866e9fc48eb2bdc690529b1d56
Instruction Fuzzy Hash: 1FF05E72F002195BCB50ABBC980929F7AF9EB88350F100475E809E7341EA388E028BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4E1B8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc25bf3e86761308cc07b5bb62cf323df302655f41e75f39081595ff95256e89
Instruction ID: 2b2539857003b66d89dc0dab1be8ab618e59d4448fcc3b8d9e0b31140a09b42c
Opcode Fuzzy Hash: cc25bf3e86761308cc07b5bb62cf323df302655f41e75f39081595ff95256e89
Instruction Fuzzy Hash: 07F01276F002195B8B50BBBD580569F7AF9EF88250B144575D909D7351EE348E028BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D45228, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928b1176c49ed7a0584604af060381a3e67486b16a189ececb96433eaaf1d71d
Instruction ID: 14258bc291ebaccdd7a3402829ec3992bd4268c1da2b3ba74e3b5fbb429d01f5
Opcode Fuzzy Hash: 928b1176c49ed7a0584604af060381a3e67486b16a189ececb96433eaaf1d71d
Instruction Fuzzy Hash: 49F0ED363545248FC714DFBCD889C5877E8EF09A6535A44E6F509CB332CA65DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D45224, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a11aa1809e7f209be8e267d333c4c026b36d5772d691431bfb7109cdd86f8e
Instruction ID: 1d6b0cc878bb7a52701f47531c5f5c5e0e3104fc35e1e2f1942a2ece477a7a94
Opcode Fuzzy Hash: 53a11aa1809e7f209be8e267d333c4c026b36d5772d691431bfb7109cdd86f8e
Instruction Fuzzy Hash: 3EF0C2362605208FC714DF6CD48A8A87BE4EF09A2135A4096F406CB732CB25EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D498, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4341357f699f59570c9532b4c6705de03524405cc961057d2aa8221059cf0a
Instruction ID: c518c4cd371a7af99362e050345c73dc721dffbca494f9e9bf2d14ce67785a33
Opcode Fuzzy Hash: 7f4341357f699f59570c9532b4c6705de03524405cc961057d2aa8221059cf0a
Instruction Fuzzy Hash: 2AE0C935B101159B8F40EBB8E84599DB3E2ABC82257118465E50AE7354DE3498018B61

Uniqueness

Uniqueness Score: -1.00%

Function 00D52050, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f7f0a0452987b5e3dc86d84f21d4d81b314a650e74202784b94fa8de7847ad
Instruction ID: 7592fff523c0d3d9f41ec44bb5240812d777eabe7542a80d51f393b60b635255
Opcode Fuzzy Hash: e8f7f0a0452987b5e3dc86d84f21d4d81b314a650e74202784b94fa8de7847ad
Instruction Fuzzy Hash: E7E0E635B101148FDB589B75A85927D77A7EBCC26571480A5E906C3245DE344D069740

Uniqueness

Uniqueness Score: -1.00%

Function 00D52B80, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909901197.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d50000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd1be0536d1a2496e7e43c267e77386527a9090e40e910daf67b1e6e8eadb82
Instruction ID: 033abc2d353deb9da56115ef323c5e0318da79eab6cbb4e9502ff94cfaa86f51
Opcode Fuzzy Hash: 0dd1be0536d1a2496e7e43c267e77386527a9090e40e910daf67b1e6e8eadb82
Instruction Fuzzy Hash: 70E0C2323453021BAB4485799C8073EB6CB8BD2365B8CC136AC4887B46D828CC0DA376

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C396, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d12464d96502afc7105d5957018f1ee1945de5c49e6734d06fd288654e12798
Instruction ID: e6d7fb3c20c9a1cf083aeddf55c748066c8ef3462dc5513a4c4172890d091bac
Opcode Fuzzy Hash: 6d12464d96502afc7105d5957018f1ee1945de5c49e6734d06fd288654e12798
Instruction Fuzzy Hash: 5FD02B333115604FC3649B58A50427E73E98BC4323F08803EE09AC7940CEB8CC43C360

Uniqueness

Uniqueness Score: -1.00%

Function 00D44889, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601bbe6ec3a6ade673952ba9304457b8571d2568a8ce3b8c7010a99061aeb147
Instruction ID: a2ad699f18e2303884d446110a0b6f09659321e6cf1e06aea84923add74733b0
Opcode Fuzzy Hash: 601bbe6ec3a6ade673952ba9304457b8571d2568a8ce3b8c7010a99061aeb147
Instruction Fuzzy Hash: CBD0127365E0616FE729408E3C94AF39B4CC2C53B5A39027FF09CD764088564CC25175

Uniqueness

Uniqueness Score: -1.00%

Function 00D41D6F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa13b606031dec1338a080db7204ffa281a53ef9cc993a344cbf32cd472432f8
Instruction ID: 4ffbc91b6f54833f30e31ca0daf6900c6aa4320c0c16665ead50ca5b5141cccb
Opcode Fuzzy Hash: aa13b606031dec1338a080db7204ffa281a53ef9cc993a344cbf32cd472432f8
Instruction Fuzzy Hash: DAD05B304686066BC751EB64FE47659371B9B81344F404C2170090776CDF78554A57C6

Uniqueness

Uniqueness Score: -1.00%

Function 00D41D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241cf204e07cbc1521a513caf509b7dc5a336623c41fc7c331240e84ade58b71
Instruction ID: 12dce029d24e6632cb3e4ab5f068bdbacfe523a3f03bd8fd3ee03d1dc18d31b6
Opcode Fuzzy Hash: 241cf204e07cbc1521a513caf509b7dc5a336623c41fc7c331240e84ade58b71
Instruction Fuzzy Hash: 0EC012305683065AC740FB70FD4245D372F57C23083408D21B0080AB2D9FB86A4997C7

Uniqueness

Uniqueness Score: -1.00%

Function 00D45721, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.909867433.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d40000_Shipping Documents000000000000000000020.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86807bfe8c3fbeed98f7418752ac00224e1ee8a8be54cf30b825c2faf55b8a9
Instruction ID: 33b683437633db64328cd977733821709933a1f2b8e40fb6f603e2c34b47504f
Opcode Fuzzy Hash: d86807bfe8c3fbeed98f7418752ac00224e1ee8a8be54cf30b825c2faf55b8a9
Instruction Fuzzy Hash: 42C08C3AF01018CB5F00CAD4B0400DCB3A4EB88238B208053E509522038B318B218AA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Shipping Documents000000000000000000020.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Shipping Documents000000000000000000020.exe PID: 7028 Parent PID: 5904

Function 080A00CB, Relevance: 1.5, Strings: 1, Instructions: 217
COMMON

Function 080A027D, Relevance: 1.5, Strings: 1, Instructions: 205
COMMON

Function 0807D370, Relevance: .7, Instructions: 651
COMMON

Function 02AAD510, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 08071EF0, Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Function 08073770, Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Function 02AADB40, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 08078C70, Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Function 08078C60, Relevance: 1.5, Strings: 1, Instructions: 201
COMMON

Function 08079010, Relevance: .7, Instructions: 729
COMMON