Edit tour

Windows Analysis Report
SHIPMENTDOCUMENTSPDF.exe

Overview

General Information

Sample Name:	SHIPMENTDOCUMENTSPDF.exe
Analysis ID:	598602
MD5:	db995bcbc1b1ffe95cbde7f316b577bc
SHA1:	95049e53f64a1b5050d697d88ccc8bf62d58e3f6
SHA256:	bb95fa20a55260f729584b7932c7dba208dcc5b0a7597be447a72e481e0dcb09
Infos:

Detection

AveMaria UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected UACMe UAC Bypass tool

Antivirus detection for URL or domain

Yara detected AveMaria stealer

Initial sample is a PE file and has a suspicious name

Contains functionality to hide user accounts

Contains functionality to steal e-mail passwords

Contains functionality to steal Chrome passwords or cookies

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Uses 32bit PE files

Contains functionality to create new users

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Installs a raw input device (often for capturing keystrokes)

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Found evaded block containing many API calls

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64native

SHIPMENTDOCUMENTSPDF.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe" MD5: DB995BCBC1B1FFE95CBDE7F316B577BC)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "goodies.dynamic-dns.net", "port": 5200}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1972f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1972f:$c1: Elevation:Administrator!new:
00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x17ff0:$c1: Elevation:Administrator!new:
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x138e8:$a1: \Opera Software\Opera Stable\Login Data 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	AveMaria_WarZone	unknown	unknown	0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1580c:$str2: MsgBox.exe 0x15a9c:$str4: \System32\cmd.exe 0x156e0:$str6: Ave_Maria 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14278:$str8: SMTP Password 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data 0x14f44:$str12: \sqlmap.dll 0x17ff0:$str16: Elevation:Administrator!new 0x18110:$str17: /n:%temp%
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x15add:$r1: Classes\Folder\shell\open\command 0x15b00:$k1: DelegateExecute
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x154e4:$s1: RDPClip 0x15bcc:$s2: Grabber 0x156e0:$s3: Ave_Maria Stealer OpenSource 0x157e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x18110:$s6: /n:%temp%\ellocnak.xml 0x18140:$s7: Hey I'm Admin 0x13050:$s8: warzone160
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
Click to see the 25 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "goodies.dynamic-dns.net", "port": 5200}

Multi AV Scanner detection for submitted file

Source: SHIPMENTDOCUMENTSPDF.exe	Virustotal: Detection: 57%	Perma Link
Source: SHIPMENTDOCUMENTSPDF.exe	Metadefender: Detection: 23%	Perma Link
Source: SHIPMENTDOCUMENTSPDF.exe	ReversingLabs: Detection: 61%

Antivirus / Scanner detection for submitted sample

Source: SHIPMENTDOCUMENTSPDF.exe

Avira: detected

Antivirus detection for URL or domain

Source: goodies.dynamic-dns.net

Avira URL Cloud: Label: phishing

Yara detected AveMaria stealer

Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	Avira: Label: TR/Patched.Ren.Gen3
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	Avira: Label: TR/Redcap.ghjpt

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	2_2_0312A632
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312CAFC CryptUnprotectData,LocalAlloc,LocalFree,	2_2_0312CAFC
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312CF58 LocalAlloc,BCryptDecrypt,LocalFree,	2_2_0312CF58
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	2_2_0312CC54
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	2_2_0312CCB4
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,	2_2_0312B15E

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\licensing.pdb source: SHIPMENTDOCUMENTSPDF.exe

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312FF27 FindFirstFileW,FindNextFileW,		2_2_0312FF27
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03129DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		2_2_03129DF6

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0313002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

2_2_0313002B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: goodies.dynamic-dns.net

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_031227D3 URLDownloadToFileW,ShellExecuteW,

2_2_031227D3

Source: SHIPMENTDOCUMENTSPDF.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_031227D3 URLDownloadToFileW,ShellExecuteW,

2_2_031227D3

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

2_2_0312902E

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_031289D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

2_2_031289D5

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: SHIPMENTDOCUMENTSPDF.exe

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_007D0E50	2_2_007D0E50
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0077EE20	2_2_0077EE20
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0077F730	2_2_0077F730
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03131BF8	2_2_03131BF8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_02731537	2_2_02731537

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: String function: 00754DD1 appears 270 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: String function: 00751E1F appears 606 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: String function: 031235E5 appears 40 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: String function: 007525E5 appears 49 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: String function: 00751DBB appears 36 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: String function: 03130969 appears 47 times

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Section loaded: edgegdi.dll

Jump to behavior

Source: SHIPMENTDOCUMENTSPDF.exe	Virustotal: Detection: 57%
Source: SHIPMENTDOCUMENTSPDF.exe	Metadefender: Detection: 23%
Source: SHIPMENTDOCUMENTSPDF.exe	ReversingLabs: Detection: 61%

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

File read: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Jump to behavior

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

2_2_0312F619

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0077C250 CoCreateInstance,

2_2_0077C250

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0312D508

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_031320B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_031320B8

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0077EBA0 LoadResource,LockResource,SizeofResource,

2_2_0077EBA0

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: SHIPMENTDOCUMENTSPDF.exe

Static file information: File size 2554880 > 1048576

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x165000

Source: SHIPMENTDOCUMENTSPDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SHIPMENTDOCUMENTSPDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SHIPMENTDOCUMENTSPDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SHIPMENTDOCUMENTSPDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SHIPMENTDOCUMENTSPDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SHIPMENTDOCUMENTSPDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\licensing.pdb source: SHIPMENTDOCUMENTSPDF.exe

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03121190 push eax; ret	2_2_031211A4
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03121190 push eax; ret	2_2_031211CC
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_02720ACF push eax; ret	2_2_02720AE3
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_02720ACF push eax; ret	2_2_02720B0B
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_02733DF0 push ebp; retf	2_2_02733EA3

Source: SHIPMENTDOCUMENTSPDF.exe

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312F51D LoadLibraryA,GetProcAddress,

2_2_0312F51D

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312D418 NetUserAdd,NetLocalGroupAddMembers,

2_2_0312D418

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_031227D3 URLDownloadToFileW,ShellExecuteW,

2_2_031227D3

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		2_2_0312A6C8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		2_2_0312AC0A

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0312D508

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: SHIPMENTDOCUMENTSPDF.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe TID: 4900

Thread sleep count: 60 > 30

Jump to behavior

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

2_2_0312DA5B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Evaded block: after key decision

graph_2-57950

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

API coverage: 6.6 %

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_007D520F VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

2_2_007D520F

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0312FF27 FindFirstFileW,FindNextFileW,		2_2_0312FF27
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03129DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		2_2_03129DF6

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0313002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

2_2_0313002B

Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000003.160895547606.0000000000663000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_00784490 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00784490

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_007D520F VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

2_2_007D520F

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312F51D LoadLibraryA,GetProcAddress,

2_2_0312F51D

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_00776870 GetProcessHeap,

2_2_00776870

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_007DA290 mov eax, dword ptr fs:[00000030h]	2_2_007DA290
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03130619 mov eax, dword ptr fs:[00000030h]	2_2_03130619
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03130620 mov eax, dword ptr fs:[00000030h]	2_2_03130620
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0313094E mov eax, dword ptr fs:[00000030h]	2_2_0313094E
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0273028D mov eax, dword ptr fs:[00000030h]	2_2_0273028D
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_02720467 mov eax, dword ptr fs:[00000030h]	2_2_02720467
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_027384B1 mov eax, dword ptr fs:[00000030h]	2_2_027384B1
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0272FF58 mov eax, dword ptr fs:[00000030h]	2_2_0272FF58
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0272FF5F mov eax, dword ptr fs:[00000030h]	2_2_0272FF5F

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_00784490 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00784490
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_00784740 SetUnhandledExceptionFilter,	2_2_00784740
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_00782EB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00782EB0
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_0079B370 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0079B370

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_031279E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,		2_2_031279E8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: 2_2_03131FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		2_2_03131FD8

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

2_2_031320B8

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_031318BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

2_2_031318BA

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

2_2_0312F56D

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_0312F93F cpuid

2_2_0312F93F

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe

Code function: 2_2_00784870 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_00784870

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to steal e-mail passwords

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: POP3 Password	2_2_0312A29A
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: SMTP Password	2_2_0312A29A
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: IMAP Password	2_2_0312A29A

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: \Google\Chrome\User Data\Default\Login Data		2_2_0312C1B2
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe	Code function: \Chromium\User Data\Default\Login Data		2_2_0312C1B2

Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	21 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Service Execution	1 Create Account	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Service Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Windows Service	1 Windows Service	2 Obfuscated Files or Information	1 Credentials In Files	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	11 Process Injection	1 Software Packing	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Users	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SHIPMENTDOCUMENTSPDF.exe	58%	Virustotal		Browse
SHIPMENTDOCUMENTSPDF.exe	24%	Metadefender		Browse
SHIPMENTDOCUMENTSPDF.exe	62%	ReversingLabs	Win32.Trojan.AveMariaRat
SHIPMENTDOCUMENTSPDF.exe	100%	Avira	TR/AD.MortyStealer.vctqk

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack	100%	Avira	TR/Patched.Ren.Gen3		Download File
2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack	100%	Avira	TR/Redcap.ghjpt		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
goodies.dynamic-dns.net	3%	Virustotal		Browse
goodies.dynamic-dns.net	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
goodies.dynamic-dns.net	true	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/syohex/java-simple-mine-sweeperC:	SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeper	SHIPMENTDOCUMENTSPDF.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	598602
Start date and time:	2022-03-28 18:37:46 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SHIPMENTDOCUMENTSPDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 85% Number of executed functions: 26 Number of non-executed functions: 130
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.945070832085131
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SHIPMENTDOCUMENTSPDF.exe
File size:	2554880
MD5:	db995bcbc1b1ffe95cbde7f316b577bc
SHA1:	95049e53f64a1b5050d697d88ccc8bf62d58e3f6
SHA256:	bb95fa20a55260f729584b7932c7dba208dcc5b0a7597be447a72e481e0dcb09
SHA512:	c09beeab2ab7c7b65d92547f1559409012a2b1f787b4d399d8c745bf16ed2178261c64ae089582123b0111a385ba6c7d698091fe4ce72ab8af1f17a40214f120
SSDEEP:	12288:3BEnRe1ljhm1xvNkPJziiPuumDNWnr3Q5WOVI6L4qj7neunRxHfk7D4pa7+oJb:+o1ld8r2JUNJ5WOVI6L7jr/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M5h4.T.g.T.g.T.gf0.f.T.gf0.f.T.gf0.f.T.g.#.f.T.g.#.f.T.g.#.f:T.gf0.f.T.gf0.f.T.g.T.g.T.g.#.f.T.g.#.g.T.g.#.f.T.gRich.T.g.......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4010af
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x620E49BC [Thu Feb 17 13:12:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	05bdc6a6adf04eca38d0953caca5e0fa

Entrypoint Preview

Instruction
jmp 00007F21008CDD81h
jmp 00007F210094BFACh
jmp 00007F2100920537h
jmp 00007F21008CEBB2h
jmp 00007F2100955B1Dh
jmp 00007F21008D3F78h
jmp 00007F21008D9B53h
jmp 00007F21008B0E9Eh
jmp 00007F21008C2BD9h
jmp 00007F21008C2024h
jmp 00007F210095390Fh
jmp 00007F21008D517Ah
jmp 00007F210090F5C5h
jmp 00007F21008CDD00h
jmp 00007F21008F6E6Bh
jmp 00007F21008C16E6h
jmp 00007F21008F1A71h
jmp 00007F21008B0E0Ch
jmp 00007F21008FC737h
jmp 00007F210092663Eh
jmp 00007F210090591Dh
jmp 00007F21008FC2C8h
jmp 00007F21008D1BB3h
jmp 00007F21008D4C8Eh
jmp 00007F2100905BA9h
jmp 00007F21009123E4h
jmp 00007F210092729Fh
jmp 00007F2100910E7Ah
jmp 00007F21008D1995h
jmp 00007F210090FF10h
jmp 00007F21008D199Bh
jmp 00007F21009344D6h
jmp 00007F21008F6C11h
jmp 00007F21008D1D0Ch
jmp 00007F21008B34A7h
jmp 00007F21008B0852h
jmp 00007F21008F145Dh
jmp 00007F21008CB668h
jmp 00007F21008D4C63h
jmp 00007F210095167Eh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26b43c	0xc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26f000	0x43c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x270000	0x6004	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfdeb0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xfea0c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfdee8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26b000	0x43c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd1f14	0xd2000	False	0.273263113839	data	5.42725734583	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xd3000	0x2e7dc	0x2e800	False	0.167485719086	data	3.57125252786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x102000	0x168e58	0x165000	False	0.111753490459	data	1.96106010749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x26b000	0x15f0	0x1600	False	0.334339488636	data	4.55588507155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x26d000	0x309	0x400	False	0.021484375	data	0.0111738187212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.00cfg	0x26e000	0x10e	0x200	False	0.03515625	data	0.110557131259	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26f000	0x43c	0x600	False	0.182291666667	data	2.14297088193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x270000	0x7d11	0x7e00	False	0.57902405754	data	5.74904151788	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x26f170	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	HeapFree, HeapSize, GetProcessHeap, InitializeCriticalSectionEx, DeleteCriticalSection, Sleep, VirtualAlloc, VirtualProtect, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, MultiByteToWideChar, WideCharToMultiByte, FreeConsole, AcquireSRWLockExclusive, AssignProcessToJobObject, CloseHandle, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, HeapReAlloc, GetProcessId, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, IsValidLocale, IsWow64Process, K32GetPerformanceInfo, K32GetProcessMemoryInfo, K32QueryWorkingSetEx, ReadConsoleW, ReadFile, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, HeapQueryInformation, SetEnvironmentVariableW, FreeEnvironmentStringsW, HeapAlloc, HeapDestroy, SetLastError, GetLastError, RaiseException, GetProcessHeaps, DecodePointer, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, WriteConsoleW, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, GetLocaleInfoW, CreateFileW, LCMapStringW, GetTimeFormatW, GetDateFormatW, GetCurrentThread, WriteFile, HeapValidate, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, IsDebuggerPresent, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, GetModuleHandleW, GetProcAddress, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetSystemInfo, VirtualQuery
USER32.dll	GetActiveWindow, SetProcessWindowStation, TranslateMessage, UnregisterClassW, SendMessageTimeoutW, MessageBoxW, SetProcessDPIAware, UnregisterClassA
ADVAPI32.dll	GetKernelObjectSecurity, GetAce, FreeSid, EventWrite, EventUnregister, GetLengthSid
ole32.dll	CoTaskMemRealloc, CoTaskMemFree, CoInitialize, CoUninitialize, CoCreateInstance
OLEAUT32.dll	SysAllocString, VariantCopy, SysAllocStringLen, SysFreeString, SafeArrayDestroy, VariantInit, VariantClear, VariantChangeType
SHLWAPI.dll	PathMatchSpecW
USERENV.dll	DestroyEnvironmentBlock, CreateEnvironmentBlock
VERSION.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
WINMM.dll	timeGetTime

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	2
Start time:	20:39:38
Start date:	28/03/2022
Path:	C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe"
Imagebase:	0x750000
File size:	2554880 bytes
MD5 hash:	DB995BCBC1B1FFE95CBDE7F316B577BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	97%
Signature Coverage:	0.8%
Total number of Nodes:	372
Total number of Limit Nodes:	16

Executed Functions

Function 0075DE20 Relevance: 84.3, APIs: 6, Strings: 42, Instructions: 295
windowmemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00A00000,00003000,00000040), ref: 0075DFE2
VirtualProtect.KERNEL32(?,00000100,00000040,00000000), ref: 0075E00F
MessageBoxW.USER32(00000000,connected,connected,00000002), ref: 0075E15A
MessageBoxW.USER32(00000000,connected,connected,00000001), ref: 0075E1C0
MessageBoxW.USER32(00000000,connected,connected,00000000), ref: 0075E1E4
Sleep.KERNEL32(00001388), ref: 0075E299

Strings

connected, xrefs: 0075E1DD
#, xrefs: 0075DE74
0, xrefs: 0075DF64
y, xrefs: 0075DF14
k, xrefs: 0075DF10
i, xrefs: 0075DFBC
v, xrefs: 0075DEA4
L, xrefs: 0075DE90
+, xrefs: 0075DE8C
6, xrefs: 0075DF0C
c, xrefs: 0075DF94
L, xrefs: 0075DEF8
W, xrefs: 0075DF68
F, xrefs: 0075DF84
n, xrefs: 0075DF38
connected, xrefs: 0075E1B9
P, xrefs: 0075DFA8
X, xrefs: 0075DFCC
&, xrefs: 0075DEC0
:, xrefs: 0075DE6C
connected, xrefs: 0075E1D8
R, xrefs: 0075DF30
!, xrefs: 0075DEF0
d, xrefs: 0075E175
h, xrefs: 0075DEE4
<, xrefs: 0075DF4C
y, xrefs: 0075DE5C
X, xrefs: 0075DF60
2, xrefs: 0075DF74
, xrefs: 0075DEF4
x, xrefs: 0075DE88
F, xrefs: 0075DE60
X, xrefs: 0075DF20
T, xrefs: 0075DEAC
connected, xrefs: 0075E153
d, xrefs: 0075DE68
C, xrefs: 0075DF00
connected, xrefs: 0075E1B4
M, xrefs: 0075DF28
connected, xrefs: 0075E14E
i, xrefs: 0075DECC
D, xrefs: 0075DF24

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: Message$Virtual$AllocProtectSleep
String ID: $!$#$&$+$0$2$6$:$<$C$D$F$F$L$L$M$P$R$T$W$X$X$X$c$connected$connected$connected$connected$connected$connected$d$d$h$i$i$k$n$v$x$y$y
API String ID: 521561353-2757031617
Opcode ID: 0cf2273d5da193bbfbe8754cc28e5b6215ab9a49b598f26d1d89f317bc8e0040
Instruction ID: 2cc69f522acff8abdaf480859fae02a25235ab217ff995ea99e3445e1051998f
Opcode Fuzzy Hash: 0cf2273d5da193bbfbe8754cc28e5b6215ab9a49b598f26d1d89f317bc8e0040
Instruction Fuzzy Hash: E7F13C30D087C9CEEB22CBBC88487DDBFB16B16324F184298D5A46B3D2C7B50546CB66

Uniqueness

Uniqueness Score: -1.00%

Function 03133457 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 03133489
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 031334A5

Part of subcall function 03131E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,031334BF), ref: 03131E4E
Part of subcall function 03131E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,031334BF), ref: 03131E61
Part of subcall function 03131E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,031334BF), ref: 03131E72
Part of subcall function 03131E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,031334BF), ref: 03131E7F

Part of subcall function 03121085: GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
Part of subcall function 03121085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0313350C
GetLastError.KERNEL32 ref: 03133517
RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 03133551
RegSetValueExA.ADVAPI32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 03133570
RegSetValueExA.ADVAPI32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 03133585
RegCloseKey.ADVAPI32(?), ref: 0313358B
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 031335E7
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 031335FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 03133609

Part of subcall function 03131A3C: GetModuleFileNameW.KERNEL32(00000000,0326CBF0,00000208,00000000,00000000,?,?,?,031257B9,?,00000000,00000000), ref: 03131A58
Part of subcall function 03131A3C: IsUserAnAdmin.SHELL32 ref: 03131A5E
Part of subcall function 03131A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,031257B9,?,00000000,00000000), ref: 03131A87
Part of subcall function 03131A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,031257B9,?,00000000,00000000,?,?,?,?,?,?), ref: 03131A91
Part of subcall function 03131A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,031257B9,?,00000000,00000000,?,?,?,?,?,?), ref: 03131A9B
Part of subcall function 03131A3C: LockResource.KERNEL32(00000000,?,?,?,?,031257B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 03131AA2

Part of subcall function 03131136: CopyFileW.KERNEL32(?,?,00000000,?,03134684,?,00000000,?,?,?,?,00000000,76A5FAD0,00000000), ref: 031311D7

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 03130BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,76A5FAD0,00000000), ref: 03130C14

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

MaxConnectionsPer1_0Server, xrefs: 03133567
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 03133547
MaxConnectionsPerServer, xrefs: 0313357C
\Microsoft Vision\, xrefs: 031335ED

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: File$Create$Resource$CloseFindHeapModuleNameProcessValue$AdminAllocateChangeCopyCountDirectoryErrorEventFolderFreeLastLoadLockNotificationPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 3977721202-2552559493
Opcode ID: 755ef02b20b532728d9a584f7c68ef9b5515c76ef53ab8bc2f8824c2edd2d477
Instruction ID: e860104ac0dbc51b2c1f9a6effd4f065176bb03dc28ba6aa1a8b22f31ea05981
Opcode Fuzzy Hash: 755ef02b20b532728d9a584f7c68ef9b5515c76ef53ab8bc2f8824c2edd2d477
Instruction Fuzzy Hash: 98617EB5548344AFD724FF61D884EAFBBACEF8D204F040D2EF29596150DB309A48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0075D6A0 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32(00000000,?,00783B17,?,00783B17), ref: 0075D6A6
CoInitialize.OLE32(00000000), ref: 0075D6AE
CoUninitialize.OLE32 ref: 0075D783

Strings

2 - CDynamicStringAccessor, xrefs: 0075D70A
C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075D6CE
1 - CDynamicAccessor, xrefs: 0075D6FD
3 - CXMLAccessor, xrefs: 0075D717
Dynamic Accessor Sample, xrefs: 0075D6E3
4 - CDynamicParameterAccessor, xrefs: 0075D724
Enter 1-4 to continue: , xrefs: 0075D73A
(((HRESULT)(hr)) >= 0), xrefs: 0075D6BD
%ls, xrefs: 0075D6C2
Which accessor do you want to use?, xrefs: 0075D6F0

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ConsoleFreeInitializeUninitialize
String ID: %ls$(((HRESULT)(hr)) >= 0)$1 - CDynamicAccessor$2 - CDynamicStringAccessor$3 - CXMLAccessor$4 - CDynamicParameterAccessor$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp$Dynamic Accessor Sample$Enter 1-4 to continue: $Which accessor do you want to use?
API String ID: 1020786866-3690709560
Opcode ID: 20a471beecccdbd9ab950593fa5caa1a2de71046f94ed6e1cad653d7fc95a6ca
Instruction ID: 30d126cf204dd5dd9d896e4d02f7c434ca12037944003baf5f45a7d1d4b52caf
Opcode Fuzzy Hash: 20a471beecccdbd9ab950593fa5caa1a2de71046f94ed6e1cad653d7fc95a6ca
Instruction Fuzzy Hash: 19119071E48308FBE620BBA4AC0FBDD7270EB24703F504570FC16A1382EAF91A485A57

Uniqueness

Uniqueness Score: -1.00%

Function 0312E703 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0326E020), ref: 0312E710

Part of subcall function 03125F53: GetProcessHeap.KERNEL32(00000000,000000F4,03130477,?,76A5FAD0,00000000,03125A34), ref: 03125F56
Part of subcall function 03125F53: HeapAlloc.KERNEL32(00000000), ref: 03125F5D

Part of subcall function 031231D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 03123207

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

\rfxvmt.dll, xrefs: 0312E843
\sqlmap.dll, xrefs: 0312E872, 0312E879, 0312E87F
TermService, xrefs: 0312E773
%ProgramFiles%, xrefs: 0312E789, 0312E793, 0312E805
%ProgramW6432%, xrefs: 0312E7DA
\rdpwrap.ini, xrefs: 0312E866
%windir%\System32, xrefs: 0312E79B
\Microsoft DN1, xrefs: 0312E82E, 0312E835, 0312E83B

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
API String ID: 2811233055-3289620323
Opcode ID: 9eb2964e0c55f3d680130a987327c1c1188f011c3e14d590717db4354f565802
Instruction ID: ea83d0840b3f6d3deb50b62878b1a230b90470fff9fed6464b13502cc323bbe8
Opcode Fuzzy Hash: 9eb2964e0c55f3d680130a987327c1c1188f011c3e14d590717db4354f565802
Instruction Fuzzy Hash: 3D3127BCB10B74ABDB09FF249A9492D7F6A9FDE600711881EE0027F280DF744D958760

Uniqueness

Uniqueness Score: -1.00%

Function 0313290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0313291E
CoCreateInstance.OLE32(031345E0,00000000,00000001,031373F0,?,?,?,?,03132F37,?,?,?,0313227B), ref: 0313293E
VariantInit.OLEAUT32(?), ref: 0313299A
CoUninitialize.OLE32(?,?,?,03132F37,?,?,?,0313227B), ref: 03132A60

Strings

FriendlyName, xrefs: 031329BF
Description, xrefs: 031329A8

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName
API String ID: 4142528535-3192352273
Opcode ID: f131d96c123d63c3bef1155de019d5b27cb5335631fad405d81bef9a2cf20adc
Instruction ID: 285670a12126cd62d4b613d81ec385e731db2141dcbfca24a7edf404cae7faee
Opcode Fuzzy Hash: f131d96c123d63c3bef1155de019d5b27cb5335631fad405d81bef9a2cf20adc
Instruction Fuzzy Hash: 34412275A00205AFCB24DFA5C844DAEBBB9FF89705B14485DE446EB250DB70D942DB60

Uniqueness

Uniqueness Score: -1.00%

Function 031299A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0326DB10,?,03121221), ref: 031299D3
LoadLibraryW.KERNEL32(User32.dll,?,03121221), ref: 031299FE

Part of subcall function 03130969: lstrcmpA.KERNEL32(?,03131BD0,?,open,03131BD0), ref: 031309A2

Strings

GetRawInputData, xrefs: 03129A06
User32.dll, xrefs: 031299EC
MapVirtualKeyA, xrefs: 03129A24
ToUnicode, xrefs: 03129A13

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: 0727407ca2d9f7eed85abc6052fe2c3802b31ba4b01208bf9de9604b6a34d2fd
Instruction ID: db1b63b09c055d7df608b5538d945cde69379033f92a85ce9cc85948c0635751
Opcode Fuzzy Hash: 0727407ca2d9f7eed85abc6052fe2c3802b31ba4b01208bf9de9604b6a34d2fd
Instruction Fuzzy Hash: AA016D75B2066C8F8204FF2675582193AE5AF8DA20711C11EE40AEB34CEB3008C2CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0272002D Relevance: 7.9, APIs: 5, Instructions: 392
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,02720005), ref: 027200EB
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,02720005), ref: 02720113

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction ID: 3648cc63ed634c4ee2560b33ac4f067a71ff7e20c961fa0cf5b2fd04bc758bd3
Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction Fuzzy Hash: 8EE1D471A083268FDB24CF59C88472AB7E1FFA5318F08452DE8959B241E774E849CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03125CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 03125CE9
GetStartupInfoA.KERNEL32(?), ref: 03125D38
GetModuleHandleA.KERNEL32(00000000), ref: 03125D54
ExitProcess.KERNEL32 ref: 03125D69

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 31e4c5be07eb216f35a2c97ffc85f0e2fd8d01fa866831f75b5fc241bb93eda4
Instruction ID: 69fa982f5afac66877cf3f2d54b3ffb54cec114b9ddb8fc0ff966c6c67d300be
Opcode Fuzzy Hash: 31e4c5be07eb216f35a2c97ffc85f0e2fd8d01fa866831f75b5fc241bb93eda4
Instruction Fuzzy Hash: 1A01F92840425C5FD728EB74ACCD6E9BFAB9F0F244BA81088D486CB246DB124C978665

Uniqueness

Uniqueness Score: -1.00%

Function 03131E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03121085: GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
Part of subcall function 03121085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,031334BF), ref: 03131E4E
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,031334BF), ref: 03131E61
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,031334BF), ref: 03131E72
FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,031334BF), ref: 03131E7F

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSize
String ID:
API String ID: 2557216016-0
Opcode ID: 9c3e852792181fd62a2f5796561e443d278dcd4ec09e8aa8fcd7f2082c62b351
Instruction ID: ec756b1a06a1230f1657b659af9c798198e8d8a79f323b11199dd24fe4594eb5
Opcode Fuzzy Hash: 9c3e852792181fd62a2f5796561e443d278dcd4ec09e8aa8fcd7f2082c62b351
Instruction Fuzzy Hash: 65F06871711610BFF324AB66AC09FBB779CDB59725F200135F911E21C0EBB05D108674

Uniqueness

Uniqueness Score: -1.00%

Function 03131D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 03131D11
GetTickCount.KERNEL32 ref: 03131D17

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: 91232cf11641f62f692b4fd066edcb1967fb93350e2e1c49dfafaa5f889f7a7d
Instruction ID: c261d2e72b4745e61ca1297699ae6e51d866134b55673ac93a741c7c9abc2b0f
Opcode Fuzzy Hash: 91232cf11641f62f692b4fd066edcb1967fb93350e2e1c49dfafaa5f889f7a7d
Instruction Fuzzy Hash: FED0A9302481044BE30CAA0BF84A2213E4EE7E9305F04802AB50EC90D0CDA065A04460

Uniqueness

Uniqueness Score: -1.00%

Function 03130283 Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseMutex.KERNEL32(?,?,0312FEFD,0313359A,03125BEC,0313359A,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 03130288
FindCloseChangeNotification.KERNEL32(?), ref: 03130290

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindMutexNotificationRelease
String ID:
API String ID: 4264517613-0
Opcode ID: 895270f3971e5a0e2f782aaf3ecc9121d16c0eee6b56dfc957c5c35e245713a2
Instruction ID: d4d58cc495f5683f471ddd554bf66c850ac93367b0d83add31c4e3cdc66cc873
Opcode Fuzzy Hash: 895270f3971e5a0e2f782aaf3ecc9121d16c0eee6b56dfc957c5c35e245713a2
Instruction Fuzzy Hash: 1EB0923A005020DFEB293F56F80C894BFA6FF0C251315046AF1819102C8FB21CA09BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03121085 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 4f3e7a0704d7c78b62dce3dac806f19b57d38b4e4b27ec0b02b83ef9fd14918d
Instruction ID: b40729e6b96c127900ea05f72d8434454d42418733d982417395ed380252806e
Opcode Fuzzy Hash: 4f3e7a0704d7c78b62dce3dac806f19b57d38b4e4b27ec0b02b83ef9fd14918d
Instruction Fuzzy Hash: 81B09231404600ABDE042BE2990CB093A68AB58702F004400F205810448A7154809B21

Uniqueness

Uniqueness Score: -1.00%

Function 031231D4 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 03123207

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStringslstrcpy
String ID:
API String ID: 1709970682-0
Opcode ID: a36efb3c75901adc581d82345d9648e21cae4441eb2ef8492ea3f30c9b6c92b4
Instruction ID: b665d82a5f2d653d5701a22073ed96b35c93041ad3edc7e6fc27994f4a678d04
Opcode Fuzzy Hash: a36efb3c75901adc581d82345d9648e21cae4441eb2ef8492ea3f30c9b6c92b4
Instruction Fuzzy Hash: 55E048BA70021977DB20EA16AC05F967BADEBC8718F040475A708F61C4EA75D916C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 03123335 Relevance: 1.5, APIs: 1, Instructions: 25
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03123261: lstrlenW.KERNEL32(76A5FAD0,03123646,?,?,?,0313150A,031335DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,031335AB,00000000,76A5FAD0,00000000), ref: 03123268

lstrcatW.KERNEL32(00000000,76A5FAD0), ref: 03123365

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 202f434c1c6766deaaffd5afc8804cc874bfc62a63a2ce514bec0fa933e62a70
Instruction ID: a4e3c0d491b34497a74ec82965f43dd04f952c47761c55eb8c68cf341baa135d
Opcode Fuzzy Hash: 202f434c1c6766deaaffd5afc8804cc874bfc62a63a2ce514bec0fa933e62a70
Instruction Fuzzy Hash: 33E080766043345FCB05ABA9E8C496DBF5EEF9D360B040535E905DB210EF357C219AE4

Uniqueness

Uniqueness Score: -1.00%

Function 031258D3 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

Part of subcall function 03130298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0312FEDE,?,?,03130459,?,76A5FAD0,00000000,03125A34), ref: 031302A0

WSAStartup.WS2_32(00000002,?), ref: 031258FC

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: 2d10284be824d34445e27c98b202bca213ada097eb2c126be8d68adc3bfe5bc8
Instruction ID: 0a51b7a60173fda4ac9d21c9a45fad540b44248eff3636c7e40b0f2f6af4bc02
Opcode Fuzzy Hash: 2d10284be824d34445e27c98b202bca213ada097eb2c126be8d68adc3bfe5bc8
Instruction Fuzzy Hash: DDE0C975501B108BC274AF2B9544897FBE8FF986207400F1F94A782A60C7B4A5458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312FDA5 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 03123125: lstrcatA.KERNEL32(00000000,76A5FAD0,?,00000000,?,031235C4,00000000,00000000,?,03124E98,?,?,?,?,?,00000000), ref: 03123151

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0312FDC0

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: e1044b26a5fe607ff4e8749ca784544bca7b935363203ba3537ed6b8ac501620
Instruction ID: 56fbeeae22e41aeeb7fa98c81d9e0c68725555e4ac46e1a3417749c3984dd519
Opcode Fuzzy Hash: e1044b26a5fe607ff4e8749ca784544bca7b935363203ba3537ed6b8ac501620
Instruction Fuzzy Hash: AFD05E762442157BD710EA92DC06F86FF69EB59760F004026F65996680DBB1A030D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03133058 Relevance: 1.5, APIs: 1, Instructions: 16threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,03125CE2,00000000,00000000,00000000), ref: 0313306D

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6982c0f68ace47a16863c6d832eb651861bb52ef3d9c759061cc294b020d9a31
Instruction ID: 0838dfb9be64aae13b9fbf6e863eafd1d8cd23aaf448aa0639d3814eab87d969
Opcode Fuzzy Hash: 6982c0f68ace47a16863c6d832eb651861bb52ef3d9c759061cc294b020d9a31
Instruction Fuzzy Hash: 9AC08CB16902087FF600AAB22E0CDBB738CEB0A2157808820BC61C1000EA20CC208AB5

Uniqueness

Uniqueness Score: -1.00%

Function 03130298 Relevance: 1.5, APIs: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0312FEDE,?,?,03130459,?,76A5FAD0,00000000,03125A34), ref: 031302A0

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fac29d5738d6e7d2ffd6bda3fbe0175f452a38fd2ffd1fbf8996a13fdb97e316
Instruction ID: 3a7fca716d207785ed364ced13a04b06e8e2b5c02b2b397d7371fab0b7b4990d
Opcode Fuzzy Hash: fac29d5738d6e7d2ffd6bda3fbe0175f452a38fd2ffd1fbf8996a13fdb97e316
Instruction Fuzzy Hash: EAD012B15045205FA324AF396C4886775DDEF9C720315CE29B4A5C71C8E6308C808770

Uniqueness

Uniqueness Score: -1.00%

Function 03125558 Relevance: 1.5, APIs: 1, Instructions: 12networkCOMMON

Download Yara Rule

APIs

WSACleanup.WS2_32 ref: 0312555B

Part of subcall function 03130283: ReleaseMutex.KERNEL32(?,?,0312FEFD,0313359A,03125BEC,0313359A,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 03130288
Part of subcall function 03130283: FindCloseChangeNotification.KERNEL32(?), ref: 03130290

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: ChangeCleanupCloseFindMutexNotificationRelease
String ID:
API String ID: 1413882471-0
Opcode ID: 9d753797d7d61d6c3656319aabb99e97d5535e227582fead03953b559e6b8977
Instruction ID: 0f152318c6c84e48e120c03a0e8f05a6fee549cb2710fa5f14caf1d01867d224
Opcode Fuzzy Hash: 9d753797d7d61d6c3656319aabb99e97d5535e227582fead03953b559e6b8977
Instruction Fuzzy Hash: F3D0C9380147658BC378FB30D8A08EABBB1BF1D2403800D2E90A307490AF647955CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0312F71F Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,031311A6,00000000,?,?,?,?,00000000,76A5FAD0,00000000), ref: 0312F725

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: cb97de4db27e10a3c218d4110365ba98bd98939ee890978fd981889febf32cc6
Instruction ID: 1ca5dc1ccdbc94515dae93c8180285f3e1e681faf9c1ea982960a694f03f558d
Opcode Fuzzy Hash: cb97de4db27e10a3c218d4110365ba98bd98939ee890978fd981889febf32cc6
Instruction Fuzzy Hash: CBB012303EC30157DA002A709C06F103511974AF07F200160B156D80D4CA9100005514

Uniqueness

Uniqueness Score: -1.00%

Function 03130969 Relevance: 1.3, APIs: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,03131BD0,?,open,03131BD0), ref: 031309A2

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 86c96a81031472715884925d615e80c422072cf4231b1c47e9b11e0075f0957e
Instruction ID: 7aa16f661eb5e5b017160a64c0ec01d740fefea5aa31bcda76f70f5bb111a236
Opcode Fuzzy Hash: 86c96a81031472715884925d615e80c422072cf4231b1c47e9b11e0075f0957e
Instruction Fuzzy Hash: 95017C72A00A15AFD714DF9ACC81AAAB7F8FF4E2147050179E446D7701EB30E995CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03132C91 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32(?,?,0313238A,0063E518,03124D2D), ref: 03132CFF

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 597a93b40dcc4096fd494388165f4fb00d0e47243049e32d0f15c13699aded8b
Instruction ID: 6754b9f1ed3bcba11e221a3ad8ad92cd63d40c29666afa7a3fdb3a69943bfe2a
Opcode Fuzzy Hash: 597a93b40dcc4096fd494388165f4fb00d0e47243049e32d0f15c13699aded8b
Instruction Fuzzy Hash: 000105792127108FD778EF25D99486AB7F4BF596013441A6DE8978BA60CB31F806CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03125E22 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,031233E2,?,03125A4F,.bss,00000000), ref: 03125E30

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8251acee66f2df4b8883e010ec834709831477303ce3bf654e8cc454dcbf313d
Instruction ID: 0b822030049dec971cc1f0cc4bc237bd4885c8287afe332481a57adf75ef41c3
Opcode Fuzzy Hash: 8251acee66f2df4b8883e010ec834709831477303ce3bf654e8cc454dcbf313d
Instruction Fuzzy Hash: A9C0122634826037F128211A7C1AF9B8D5DCBC6E71F01001AF604CA2D0DDD10C4241A4

Uniqueness

Uniqueness Score: -1.00%

Function 03129FCE Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8e0ee21d27a72ae6c5a9450f28985daaf9e27692b1b84d855f12171bb5337ae3
Instruction ID: 475b417324c2919e0c084cff3c8af538b4361f12a73b6ef415a50965fbf385fc
Opcode Fuzzy Hash: 8e0ee21d27a72ae6c5a9450f28985daaf9e27692b1b84d855f12171bb5337ae3
Instruction Fuzzy Hash: 14B0923438030057EE2CDB319C95F29A7167B88B06FA5458CA542EA0C48AA9E4518A18

Uniqueness

Uniqueness Score: -1.00%

Function 03125EB4 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,03123652,?,?,?,0313150A,031335DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,031335AB,00000000,76A5FAD0,00000000), ref: 03125EBE

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 191925d43d1107c2816c590111f06f29934df0c909b7c26e25a8e75d54839b95
Instruction ID: 1f96dd1cbee2320a15f62fad74254c8bd5016d4a457f0fb1d5040e8222bdddc8
Opcode Fuzzy Hash: 191925d43d1107c2816c590111f06f29934df0c909b7c26e25a8e75d54839b95
Instruction Fuzzy Hash: 32A002B47D53007AFD6D6761AE1FF953918A744F16F200144B30DAD0D459E025408539

Uniqueness

Uniqueness Score: -1.00%

Function 03125EA5 Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 96f502838bcb83d0ba2251d4e987520c8547a20cd72d2bf73096b2a922b12435
Instruction ID: aa94b48ff6f98035644c69d427d04487aa6cd59ac85682b33f23acabda0985b1
Opcode Fuzzy Hash: 96f502838bcb83d0ba2251d4e987520c8547a20cd72d2bf73096b2a922b12435
Instruction Fuzzy Hash: 64A002746D470066ED7867216D4AF0526146748B01F214644B641B80D44DA9A0848A68

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 031289D5 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000010), ref: 03128A11
CallNextHookEx.USER32(00000000,?,?,?), ref: 03128E12

Part of subcall function 03128E66: GetForegroundWindow.USER32(?,?,?), ref: 03128E8F
Part of subcall function 03128E66: GetWindowTextW.USER32(00000000,?,00000104), ref: 03128EA2
Part of subcall function 03128E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 03128F0B
Part of subcall function 03128E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 03128F79
Part of subcall function 03128E66: lstrlenW.KERNEL32(03134AD0,00000008,00000000,?,?), ref: 03128FA2
Part of subcall function 03128E66: WriteFile.KERNEL32(?,03134AD0,00000000,?,?), ref: 03128FAE

Strings

[CTRL], xrefs: 03128C81
[ALT], xrefs: 03128CD8
[TAB], xrefs: 03128B47
[DEL], xrefs: 03128BC4
[ESC], xrefs: 03128B73
[CAPS], xrefs: 03128B7D
[INSERT], xrefs: 03128BCE
[ENTER], xrefs: 03128B3D
[BKSP], xrefs: 03128B51

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
API String ID: 2452648998-4143582258
Opcode ID: f15771306dccee2e722110f29ffe8d95a7e348f67ab8bf6e54c0a43bee8118a5
Instruction ID: dd62518c5ee594f37ee16bb6c90193639f9cbf9b8cc83ff03ff84410a363862e
Opcode Fuzzy Hash: f15771306dccee2e722110f29ffe8d95a7e348f67ab8bf6e54c0a43bee8118a5
Instruction Fuzzy Hash: F0912572A08238CBDA2CD55B57583B8AD65E78E201F0A441ADE43776A9EF304DF543D3

Uniqueness

Uniqueness Score: -1.00%

Function 0312902E Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277registrystringwindowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 03129084
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 031290A1
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 031290D7
GetForegroundWindow.USER32 ref: 031290F4
GetWindowTextW.USER32(00000000,?,00000104), ref: 03129105
lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 031291EE
PostQuitMessage.USER32(00000000), ref: 03129381
RegisterRawInputDevices.USER32 ref: 031293B0

Strings

Unknow, xrefs: 03129132

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: 46d76b38326e314cf883271bb3b0d4c4b9534328b92c9414c53c2ad6a3463f4d
Instruction ID: f6f3edcb29b72cf37c27f3a63fbece44bba16e13643fd9b91e33e48abfc658b4
Opcode Fuzzy Hash: 46d76b38326e314cf883271bb3b0d4c4b9534328b92c9414c53c2ad6a3463f4d
Instruction Fuzzy Hash: 64A189B5104310AFD704EF6AEC88EAABBE8FF8D300F440918F95597290DB75E964CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0312C1B2 Relevance: 35.2, Strings: 28, Instructions: 218COMMON

Download Yara Rule

Strings

\Comodo\Dragon\User Data\Default\Login Data, xrefs: 0312C34B
\Blisk\User Data\Default\Login Data, xrefs: 0312C2DF
\CentBrowser\User Data\Default\Login Data, xrefs: 0312C39C
\Google\Chrome\User Data\Local State, xrefs: 0312C236
\Torch\User Data\Default\Login Data, xrefs: 0312C366
\Chromium\User Data\Default\Login Data, xrefs: 0312C2FA
\UCBrowser\User Data_i18n\Local State, xrefs: 0312C288
\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0312C310
\Google\Chrome\User Data\Default\Login Data, xrefs: 0312C23B
\Comodo\Dragon\User Data\Local State, xrefs: 0312C346
\Chromium\User Data\Local State, xrefs: 0312C2F5
\Vivaldi\User Data\Default\Login Data, xrefs: 0312C330
\Epic Privacy Browser\User Data\Local State, xrefs: 0312C251
\Torch\User Data\Local State, xrefs: 0312C361
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 0312C271
\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0312C28D
\Tencent\QQBrowser\User Data\Local State, xrefs: 0312C2A3
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0312C2A8
\Vivaldi\User Data\Local State, xrefs: 0312C329
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0312C256
\Microsoft\Edge\User Data\Local State, xrefs: 0312C26C
\CentBrowser\User Data\Local State, xrefs: 0312C397
\Slimjet\User Data\Default\Login Data, xrefs: 0312C381
\Slimjet\User Data\Local State, xrefs: 0312C37C
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0312C315
\Blisk\User Data\Local State, xrefs: 0312C2DA
\Opera Software\Opera Stable\Local State, xrefs: 0312C2BF
\Opera Software\Opera Stable\Login Data, xrefs: 0312C2C4

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 2377953819-4166025770
Opcode ID: 3661b2ce90b4f1c4095f3ea43dde19a6e49e7b76ae1487b13fce6b9dcfc00c69
Instruction ID: 99165c40da6be34a14c2d9e1928d5bd690a94c156a175807b0fc26758afc3c4d
Opcode Fuzzy Hash: 3661b2ce90b4f1c4095f3ea43dde19a6e49e7b76ae1487b13fce6b9dcfc00c69
Instruction Fuzzy Hash: 967151B4391310AFD718FB65DDA1E6E7BAAAF9FB11F00041DB1165F291CFA16810CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312A29A Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,76A5E2C0,763CF670,00000000,?,0312A25E), ref: 0312A31C
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,76A5E2C0,763CF670), ref: 0312A363
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0312A3A7
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 0312A3EB
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 0312A42F
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 0312A473
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 0312A4E0
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 0312A54D
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 0312A5BA

Part of subcall function 0312A632: GlobalAlloc.KERNEL32(00000040,-00000001,76A5E1F0,?,?,?,0312A5E6,00001000,?,00000000,00001000), ref: 0312A650
Part of subcall function 0312A632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0312A5E6), ref: 0312A686
Part of subcall function 0312A632: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 0312A6BD

Part of subcall function 03123261: lstrlenW.KERNEL32(76A5FAD0,03123646,?,?,?,0313150A,031335DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,031335AB,00000000,76A5FAD0,00000000), ref: 03123268

Strings

POP3 User, xrefs: 0312A3E5
IMAP Password, xrefs: 0312A5B4
Email, xrefs: 0312A35D
HTTP Password, xrefs: 0312A547
POP3 Server, xrefs: 0312A3A1
SMTP Password, xrefs: 0312A4DA
SMTP Server, xrefs: 0312A429
Account Name, xrefs: 0312A316
POP3 Password, xrefs: 0312A46D

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: 5cc26f4ec01536c965cf2d145ca86a1d0a814df4583a0b509b855bc63835a36b
Instruction ID: 98d8481c895ecb3e2967ff172bf21b2a3dafb279bb314a6104c41990b31c38c9
Opcode Fuzzy Hash: 5cc26f4ec01536c965cf2d145ca86a1d0a814df4583a0b509b855bc63835a36b
Instruction Fuzzy Hash: CCA13EB691026DBBDB25EAA0DD45FEE777CBF1C740F1400A5B504F6080EB78AB548BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0312AC0A Relevance: 30.2, APIs: 5, Strings: 12, Instructions: 406filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 0312C118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0312C154
Part of subcall function 0312C118: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0312C162
Part of subcall function 0312C118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0312A729,?,00000104,00000000), ref: 0312C17B
Part of subcall function 0312C118: RegQueryValueExW.ADVAPI32(0312A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0312C198
Part of subcall function 0312C118: RegCloseKey.ADVAPI32(0312A729,?,00000104,00000000), ref: 0312C1A1

lstrcatW.KERNEL32(?,\firefox.exe), ref: 0312AC8C
GetBinaryTypeW.KERNEL32(?,?), ref: 0312AC9D
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0312B11D

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03123272: wsprintfW.USER32 ref: 0312328D

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 03123554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,03124E98,?), ref: 03123581
Part of subcall function 03123554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,03124E98,?,?,?,?,?,00000000), ref: 031235AC

CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,03134684,\logins.json,?), ref: 0312AE14

Strings

Path, xrefs: 0312B115
profiles.ini, xrefs: 0312ACDF
.tmp, xrefs: 0312ADFB
Profile, xrefs: 0312AC1B, 0312ACEC, 0312AD1F
79v, xrefs: 0312AE14
\logins.json, xrefs: 0312ADBA
encryptedPassword, xrefs: 0312AF49
\Mozilla\Firefox\, xrefs: 0312ACC6
encryptedUsername, xrefs: 0312AE7C, 0312AF0C
firefox.exe, xrefs: 0312AC5E
\firefox.exe, xrefs: 0312AC80
hostname, xrefs: 0312AECC

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini$79v
API String ID: 288196626-1817051101
Opcode ID: fd998e33088923c6b047aefcbac2508bce14d4d9d4836c3abae4964bf129fd7b
Instruction ID: e05060f596da6e6338a2d011b87dca0b002d94728d25f528533d4d838df3cfcf
Opcode Fuzzy Hash: fd998e33088923c6b047aefcbac2508bce14d4d9d4836c3abae4964bf129fd7b
Instruction Fuzzy Hash: B5E10D79D00228ABDF15EFA0DC90DEEFB7ABF49200F10446AE516AB190DF346E65CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0312A6C8 Relevance: 26.7, APIs: 4, Strings: 11, Instructions: 404COMMON

Download Yara Rule

APIs

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 0312C118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0312C154
Part of subcall function 0312C118: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0312C162
Part of subcall function 0312C118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0312A729,?,00000104,00000000), ref: 0312C17B
Part of subcall function 0312C118: RegQueryValueExW.ADVAPI32(0312A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0312C198
Part of subcall function 0312C118: RegCloseKey.ADVAPI32(0312A729,?,00000104,00000000), ref: 0312C1A1

GetBinaryTypeW.KERNEL32(?,?), ref: 0312A747

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 0312B67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0312B6AC
Part of subcall function 0312B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0312B6B5
Part of subcall function 0312B67E: PathFileExistsW.SHLWAPI(0312A760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0312B7A3

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0312ABCA

Part of subcall function 0312B67E: PathFileExistsW.SHLWAPI(0312A760,.dll,?,0312A760,?,00000104,00000000), ref: 0312B7FF
Part of subcall function 0312B67E: LoadLibraryW.KERNEL32(?,0312A760,?,00000104,00000000), ref: 0312B83E
Part of subcall function 0312B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B849
Part of subcall function 0312B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B854
Part of subcall function 0312B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B85F
Part of subcall function 0312B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B86A
Part of subcall function 0312B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0312B957

Strings

Path, xrefs: 0312ABC4
profiles.ini, xrefs: 0312A79C
.tmp, xrefs: 0312A8BC
Profile, xrefs: 0312A6D9, 0312A7A9, 0312A7E0
79v, xrefs: 0312A8D5
\logins.json, xrefs: 0312A87B
encryptedPassword, xrefs: 0312AA04
thunderbird.exe, xrefs: 0312A71F
\Thunderbird\, xrefs: 0312A783
encryptedUsername, xrefs: 0312A93D, 0312A9CD
hostname, xrefs: 0312A98D

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe$79v
API String ID: 1065485167-4240551690
Opcode ID: 9d2439892d44b7e2e18d649a14245b47bf0ae65e98c040f657ffdb96e99d37e9
Instruction ID: d90a832c19a14fd47dbb497c12492e08e40d09c7d6e2b52dbd25dcd437925619
Opcode Fuzzy Hash: 9d2439892d44b7e2e18d649a14245b47bf0ae65e98c040f657ffdb96e99d37e9
Instruction Fuzzy Hash: 39E10C79D00228ABDF15EFA0DC90DEEFB7ABF49200F10446AE516AB150EF346E65CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0312D508 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0312D517
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0312D52C
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D539
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0312D546
GetLastError.KERNEL32 ref: 0312D550
Sleep.KERNEL32(000007D0), ref: 0312D562
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0312D56B
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D57F
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D582

Strings

ServicesActive, xrefs: 0312D50F

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: 1e8e6ca60d3a76e5bf8e58abb4923fd45311ae85f73b5e4c54e1df4d73a79f55
Instruction ID: 18187b009b8b1db1047f1fb58651170a68bb08916255486cefa656a8d1e81e93
Opcode Fuzzy Hash: 1e8e6ca60d3a76e5bf8e58abb4923fd45311ae85f73b5e4c54e1df4d73a79f55
Instruction Fuzzy Hash: 8E017C717402657BE2246A63FC4DEEB3E7CDBCEB65B150025F616D2100CFA8859086B0

Uniqueness

Uniqueness Score: -1.00%

Function 0312DA5B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0312DA82
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0312DAB9

Part of subcall function 03125EFF: GetProcessHeap.KERNEL32(00000008,?,03122FA7,03125A42,?,?,031303FD,03125A42,?,?,76A5FAD0,00000000,?,03125A42,00000000), ref: 03125F02
Part of subcall function 03125EFF: HeapAlloc.KERNEL32(00000000,?,031303FD,03125A42,?,?,76A5FAD0,00000000,?,03125A42,00000000), ref: 03125F09

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0312DAE2
GetLastError.KERNEL32 ref: 0312DAEC
CloseServiceHandle.ADVAPI32(00000000), ref: 0312DAFA
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0312DBBB
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0312DBFE

Strings

ServicesActive, xrefs: 0312DA6A, 0312DBB4

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 4046592027-3071072050
Opcode ID: f19f41635a11d6bc858585450d2be66c8ce0da1a700b87123eca078f01c1b1a7
Instruction ID: 1728619d1ccffcf2a95aecf9e2d72f791955c6585ea3f45ee6145fa985df285c
Opcode Fuzzy Hash: f19f41635a11d6bc858585450d2be66c8ce0da1a700b87123eca078f01c1b1a7
Instruction Fuzzy Hash: 74516E75900229AFDF15EFA0D8A5BEEFBB8EF0D301F140069E511B6180DB74AA50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 031279E8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 03127A16

Part of subcall function 03128617: GetCurrentProcess.KERNEL32(03139698,03127A03,?,?,?,?), ref: 0312861C
Part of subcall function 03128617: IsWow64Process.KERNEL32(00000000), ref: 03128623
Part of subcall function 03128617: GetProcessHeap.KERNEL32 ref: 03128629

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 03127A3A
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 03127A5B
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 03127A73
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 03127A9D
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 03127AC5
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03127ADD

Strings

XXXXXX, xrefs: 03127A88, 03127A94, 03127AA7

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: 02bd455e9cdb4c2a74a46b15e8646a3690a33ea6f8363f1ab01444654380f53d
Instruction ID: e5289c907a1a0003575b132a9ff304118bdd777f93719065865cc35071cab26a
Opcode Fuzzy Hash: 02bd455e9cdb4c2a74a46b15e8646a3690a33ea6f8363f1ab01444654380f53d
Instruction Fuzzy Hash: 4B21A271A01225BFEB25EAA19C05FFF7E6C9F4D721F190165F610E00C1DBB4CA508679

Uniqueness

Uniqueness Score: -1.00%

Function 03129DF6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(031396A8,00000104,?,00000000), ref: 03129E17
PathCombineA.SHLWAPI(?,?,03135F88), ref: 03129E36
FindFirstFileA.KERNEL32(?,?), ref: 03129E46
PathCombineA.SHLWAPI(?,031396A8,0000002E), ref: 03129E7D
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 03129E8C

Part of subcall function 03129ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 03129AFC
Part of subcall function 03129ADF: GetLastError.KERNEL32 ref: 03129B09
Part of subcall function 03129ADF: CloseHandle.KERNEL32(00000000), ref: 03129B10

FindNextFileA.KERNEL32(00000000,?), ref: 03129EA4

Strings

Accounts\Account.rec0, xrefs: 03129E7F
., xrefs: 03129E61

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 2f3fcaa3e1e04a65e077250763ed14cf6cb19d41d99ab218d653a7c882b2d34a
Instruction ID: c8abf1b56e6c46da1a8b8c8ec6dc5ace9e1eaa4b99101b20c766df2da80779e0
Opcode Fuzzy Hash: 2f3fcaa3e1e04a65e077250763ed14cf6cb19d41d99ab218d653a7c882b2d34a
Instruction Fuzzy Hash: 7C1198B2A0022C6FEB24D6A4DC88FEE7B7CDB4D715F0045E6E509D3041E7749A988F60

Uniqueness

Uniqueness Score: -1.00%

Function 03131FD8 Relevance: 13.6, APIs: 9, Instructions: 81injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,76A5FAD0,00000000), ref: 03131FEC
GetCurrentProcessId.KERNEL32 ref: 03131FF7

Part of subcall function 03121085: GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
Part of subcall function 03121085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 03132015
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 0313203F
WriteProcessMemory.KERNEL32(00000000,00000000,03139158,00000800,00000000), ref: 03132057
VirtualProtectEx.KERNEL32(03131FD3,00000000,00000800,00000040,?), ref: 03132068
VirtualAllocEx.KERNEL32(03131FD3,00000000,00000103,00003000,00000004), ref: 0313207F
WriteProcessMemory.KERNEL32(03131FD3,00000000,?,00000103,00000000), ref: 03132095
CreateRemoteThread.KERNEL32(03131FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 031320A8

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: 3040922522b95764de34e72fab3ce2eb2c16732b48d09a55856055ac778943bb
Instruction ID: 1d392499b00980405819dafb1e33d18792e41dbb13a261cf17b38c0bad7e9c80
Opcode Fuzzy Hash: 3040922522b95764de34e72fab3ce2eb2c16732b48d09a55856055ac778943bb
Instruction Fuzzy Hash: 84212475640218BFF724AB52DC4AFEA7E6CEB49750F104165B645AA1C0DAF06E808BB4

Uniqueness

Uniqueness Score: -1.00%

Function 031318BA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,03131B06), ref: 031318C7
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,03131B06), ref: 031318DB
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,03131B06,?), ref: 03131913
RegCloseKey.ADVAPI32(03131B06), ref: 03131920
SetLastError.KERNEL32(00000000), ref: 0313192B

Strings

Software\Classes\Folder\shell\open\command, xrefs: 03131909

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: 47aaf62164b2401b979d9e4cf3484e922d7c2da6aaa519246663d708c3ac5116
Instruction ID: 68bcb972724a2a0a45ba16c7de690a81de5441950709835a71dde75ae4b335a6
Opcode Fuzzy Hash: 47aaf62164b2401b979d9e4cf3484e922d7c2da6aaa519246663d708c3ac5116
Instruction Fuzzy Hash: D501A571A05218BBDB20EAA2AC49EDFBFACEB0D651F041561F506B2144EB709684CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0312CCB4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0312CA5F,?), ref: 0312CCD1
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0312CA5F,?), ref: 0312CCEA
BCryptGenerateSymmetricKey.BCRYPT(00000020,0312CA5F,00000000,00000000,?,00000020,00000000,?,0312CA5F,?), ref: 0312CCFF

Strings

AES, xrefs: 0312CCC7
ChainingMode, xrefs: 0312CCE3
ChainingModeGCM, xrefs: 0312CCDE

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: 07cdd98ee96fcf8d34754a19bd36980a725b727c0c83c2bda3a5a25fb102732e
Instruction ID: 58fe48c63f1ffc57b2feed40f02d8fdfc8b426a0c54f33a5b6c6c19ba1af18e3
Opcode Fuzzy Hash: 07cdd98ee96fcf8d34754a19bd36980a725b727c0c83c2bda3a5a25fb102732e
Instruction Fuzzy Hash: E4F06D31241335BFEB245B5ADC4AE9BBFACEF4FAA1B50002AF505E2155DBA1981087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0312CF58 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0312CFE0
BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0312D00E

Part of subcall function 03121085: GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
Part of subcall function 03121085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

LocalFree.KERNEL32(?), ref: 0312D096

Strings

0, xrefs: 0312CF69
v1, xrefs: 0312CF63

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
String ID: 0$v1
API String ID: 4131498132-3331332043
Opcode ID: 301299167091902c88b4532e081836dc1fb479223f1604885689f64bad1ecf42
Instruction ID: 930d7d5b280356de30004b066746771c37ee97570b64929eb06aa138f19bc5ba
Opcode Fuzzy Hash: 301299167091902c88b4532e081836dc1fb479223f1604885689f64bad1ecf42
Instruction Fuzzy Hash: 5D41A2B6D00228BBDB11DBE5DD44DEFBFBCEF48340F044026E911E6250EB758A158B65

Uniqueness

Uniqueness Score: -1.00%

Function 031320B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 031320C7
Process32First.KERNEL32(00000000,?), ref: 031320F4
Process32Next.KERNEL32(00000000,?), ref: 0313211B
CloseHandle.KERNEL32(00000000), ref: 03132126

Strings

explorer.exe, xrefs: 03132102

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: 58b767d1bc219c06e0e9b882f6a856324c0802d290b7825ac65b9f4431f01818
Instruction ID: 4bc9a6b98c62f5a0655c7695ddf1ab8a1671e7c5a940d61fc4f291e1fd496f8d
Opcode Fuzzy Hash: 58b767d1bc219c06e0e9b882f6a856324c0802d290b7825ac65b9f4431f01818
Instruction Fuzzy Hash: E70186B5501224ABD764F662EC05FDA77FCDB4E710F0004A5FA05E5080EF74EAD58A64

Uniqueness

Uniqueness Score: -1.00%

Function 0312A632 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryencryptionstringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,76A5E1F0,?,?,?,0312A5E6,00001000,?,00000000,00001000), ref: 0312A650
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0312A5E6), ref: 0312A686
lstrcpyW.KERNEL32(?,Could not decrypt), ref: 0312A6BD

Strings

Could not decrypt, xrefs: 0312A6B7

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: ccdf5353b0ee99b19cc07531fbdccc55f0f4424f1992d1c0a68c2a2bfb7b240d
Instruction ID: c87b3f5cabb41f98a949f7245fabe76bf76a70f5b72d0141d14baf6fad0a340a
Opcode Fuzzy Hash: ccdf5353b0ee99b19cc07531fbdccc55f0f4424f1992d1c0a68c2a2bfb7b240d
Instruction Fuzzy Hash: 0611E9769006299FC715DBA9C8809EEFFBDEF4C700B104566D955E7201EB31AA51CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0312F51D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0312F535
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0312F545

Strings

ntdll.dll, xrefs: 0312F526
RtlGetVersion, xrefs: 0312F53F

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 10d135525b605a1ebb87111e783e4878eda80f502e0a968411164c7f271d96b3
Instruction ID: 4773025a7a05a1d3ae8b6295ee14ad500e2c86988f00eb2ff8bd3a8aa7117ffe
Opcode Fuzzy Hash: 10d135525b605a1ebb87111e783e4878eda80f502e0a968411164c7f271d96b3
Instruction Fuzzy Hash: 3AE0123064022C5FCB28FF72BC0BADA7BB85B2A705F044194A255E1041DB74D5868E90

Uniqueness

Uniqueness Score: -1.00%

Function 0077F730 Relevance: 6.3, Strings: 4, Instructions: 1315COMMON

Download Yara Rule

Strings

__atl_condVal, xrefs: 0077F75B, 0077F85C, 0077F96E, 0077FA84, 0077FB9C, 0077FCAF, 0077FDBE, 0077FEBF, 0077FFC4, 007800C9, 007801CA, 007802DA, 007803EA, 007804FA, 0078060A, 0078072D
pAuto != 0, xrefs: 0077F7BD
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbsch.h, xrefs: 0077F76C, 0077F7CE, 0077F86D, 0077F97F, 0077FA95, 0077FBAD, 0077FCC0, 0077FDCF, 0077FED0, 0077FFD5, 007800DA, 007801DB, 007802EB, 007803FB, 0078050B, 0078061B, 0078073E
%ls, xrefs: 0077F760, 0077F7C2, 0077F861, 0077F973, 0077FA89, 0077FBA1, 0077FCB4, 0077FDC3, 0077FEC4, 0077FFC9, 007800CE, 007801CF, 007802DF, 007803EF, 007804FF, 0078060F, 00780732

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbsch.h$__atl_condVal$pAuto != 0
API String ID: 0-2186034341
Opcode ID: 245e7db9aee43fdf93a246e08a6de9d8532dfda81528f4a7b242a6030bc08301
Instruction ID: bb476fd171e53b512b028c735e0cbdff9c1aeda9614144c821afdafe746e0881
Opcode Fuzzy Hash: 245e7db9aee43fdf93a246e08a6de9d8532dfda81528f4a7b242a6030bc08301
Instruction Fuzzy Hash: BFA292B0A80349EBEF24DF54CC4AFAE3660AB50705F14C029FA186E2C1D7FD9995CB95

Uniqueness

Uniqueness Score: -1.00%

Function 007D520F Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 007D5238
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 007D5250
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 007D52A6
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 007D52BB

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 97062a73e8b79e1744e11db723a291be3daae9bb57fc9cf32e30a2c9a0e64642
Instruction ID: 833562d21b5c8d7fe510722f3486020b96a645104a0c2478f4b14107149a7940
Opcode Fuzzy Hash: 97062a73e8b79e1744e11db723a291be3daae9bb57fc9cf32e30a2c9a0e64642
Instruction Fuzzy Hash: 8221A872E04219ABCF20DFA5CD85AFEB7B8FB44751B040126E915E7241E774A908C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00784490 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0078449B
IsDebuggerPresent.KERNEL32 ref: 0078456B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00784597
UnhandledExceptionFilter.KERNEL32(?), ref: 007845A1

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b063f660e6527451d8f5579286d7ba59bf76c85692daf02f4e63d9c5447e1ac2
Instruction ID: 7ad6bae2516ac66a9874d158ce114802b92b181810eac11a909358a895a03f04
Opcode Fuzzy Hash: b063f660e6527451d8f5579286d7ba59bf76c85692daf02f4e63d9c5447e1ac2
Instruction Fuzzy Hash: 6E3115B8D1932D9BDF10EF64C8497DDBBB4AF18300F0081D9E80D6A280EBB55A89CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0312F56D Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0312D471,?,?,00000001), ref: 0312F5C2
LookupAccountSidW.ADVAPI32(00000000,0312D471,?,00000104,?,00000010,?), ref: 0312F5E7
GetLastError.KERNEL32(?,?,00000001), ref: 0312F5F1
FreeSid.ADVAPI32(0312D471,?,?,00000001), ref: 0312F5FF

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: 8439524c55878e12701aec4b6739b7c48dab9b41156e1c4da50a7357f78f9a5c
Instruction ID: e6130fd970986582a57547599abefca7e73b6a2e0990865f251727897185ca36
Opcode Fuzzy Hash: 8439524c55878e12701aec4b6739b7c48dab9b41156e1c4da50a7357f78f9a5c
Instruction Fuzzy Hash: 37110DB590021DBFDB10DFD1DC89AEEBBBCFB08304F100566E205E2140EB749A448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312CC54 Relevance: 6.0, APIs: 4, Instructions: 49encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0312CC73
LocalAlloc.KERNEL32(00000040,?,?,0312CBC6,?,00000000,?,00000000,?), ref: 0312CC81
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0312CC97
LocalFree.KERNEL32(?,?,0312CBC6,?,00000000,?,00000000,?), ref: 0312CCA5

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 1aa7a32b53f86f7a35567a4ae1a365c1e53ff04f7d78aff3d9fef5625a23a43a
Instruction ID: 5ba6de61b3db29e3a5419ce5e0f268242f7a4d04adc67aeffeb64017e9ed817a
Opcode Fuzzy Hash: 1aa7a32b53f86f7a35567a4ae1a365c1e53ff04f7d78aff3d9fef5625a23a43a
Instruction Fuzzy Hash: E501FB71201221BFE7215F5BDD49E9BBEACEF09BA1B100020FA08D6240EB718810CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00784870 Relevance: 6.0, APIs: 4, Instructions: 37timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00784882
GetCurrentThreadId.KERNEL32 ref: 00784897
GetCurrentProcessId.KERNEL32 ref: 007848A3
QueryPerformanceCounter.KERNEL32(?), ref: 007848B3

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c88e1a58123c26a490e54937393a06aa026d7004c26da72ba707255de0e31433
Instruction ID: fd079b1a4dc77add04570c9cb957e734e7cb654f5f7347331891809479340146
Opcode Fuzzy Hash: c88e1a58123c26a490e54937393a06aa026d7004c26da72ba707255de0e31433
Instruction Fuzzy Hash: FD014CB4D1520CEFCB04DFA8D69499EFBF4FF5C210B61869AD805A7250E771AB00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00782EB0 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00782EB5
UnhandledExceptionFilter.KERNEL32(?), ref: 00782EBF
GetCurrentProcess.KERNEL32(C0000409), ref: 00782ECA
TerminateProcess.KERNEL32(00000000), ref: 00782ED1

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 7b6b619d3780f287c9832c5c5bdd6d49dc96cd9822a28f16870aa21a3f57bba8
Instruction ID: d61292190d7c920f6e2c25947324e5e94f475d0f7d286846216651c247cc6d9a
Opcode Fuzzy Hash: 7b6b619d3780f287c9832c5c5bdd6d49dc96cd9822a28f16870aa21a3f57bba8
Instruction Fuzzy Hash: 45D0127102C20CAFDB002BE8EE1CB493F2CEB08266F004500F74DC7190CBF0A4019B61

Uniqueness

Uniqueness Score: -1.00%

Function 0077EE20 Relevance: 5.6, Strings: 4, Instructions: 573COMMON

Download Yara Rule

Strings

__atl_condVal, xrefs: 0077EE48, 0077EF49, 0077F05B, 0077F171, 0077F285, 0077F399, 0077F4B1
pAuto != 0, xrefs: 0077EEAA
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbsch.h, xrefs: 0077EE59, 0077EEBB, 0077EF5A, 0077F06C, 0077F182, 0077F296, 0077F3AA, 0077F4C2
%ls, xrefs: 0077EE4D, 0077EEAF, 0077EF4E, 0077F060, 0077F176, 0077F28A, 0077F39E, 0077F4B6

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbsch.h$__atl_condVal$pAuto != 0
API String ID: 0-2186034341
Opcode ID: 9ed3889348d497897079e3b8ea0dbc4648d8ee573470a3794cb6881c6d374dbe
Instruction ID: 3c682606721780083afcef44ed9f9923f50fe3d88111f240864b8e7841e48629
Opcode Fuzzy Hash: 9ed3889348d497897079e3b8ea0dbc4648d8ee573470a3794cb6881c6d374dbe
Instruction Fuzzy Hash: 8D12BEB0A40309EBEF24DF50CC4ABBE3660AB54745F14C029FE186A2C2D7FD9995CB95

Uniqueness

Uniqueness Score: -1.00%

Function 031227D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0312F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0312F79C

Part of subcall function 03123335: lstrcatW.KERNEL32(00000000,76A5FAD0), ref: 03123365

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 0312351D: PathFindExtensionW.SHLWAPI(?,?,0312282E,?,?,00000000,03134684), ref: 03123527

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 03122860
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0312288A

Strings

open, xrefs: 03122884

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 4166385161-2758837156
Opcode ID: dae5a8abd85ed02f4414619d2bdd3cf3f6cf08abdd0b7854717d67b4b595513a
Instruction ID: 755cb37de05da81d63814c8e12e20b66cfec2136077b99355d70cf16219e008c
Opcode Fuzzy Hash: dae5a8abd85ed02f4414619d2bdd3cf3f6cf08abdd0b7854717d67b4b595513a
Instruction Fuzzy Hash: 8E219779900328BBDF14FFA1C894DEEBF79AF89710F01445AE4266B240DF749A65CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0313002B Relevance: 4.6, APIs: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 03125F53: GetProcessHeap.KERNEL32(00000000,000000F4,03130477,?,76A5FAD0,00000000,03125A34), ref: 03125F56
Part of subcall function 03125F53: HeapAlloc.KERNEL32(00000000), ref: 03125F5D

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 03130060
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 03130087
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 031300B7

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocProcessType
String ID:
API String ID: 2408535517-0
Opcode ID: c08f83d0b2f6afd59f62308096f379ff1469c4bad11fe99b0f428a6520ecfeee
Instruction ID: 67e57bdba82ed69cd34126028f759f600c0af5e138bd716889aaafe6016974a1
Opcode Fuzzy Hash: c08f83d0b2f6afd59f62308096f379ff1469c4bad11fe99b0f428a6520ecfeee
Instruction Fuzzy Hash: 02316D75E002299BCF14EFA5C5859EFFBF8AF4C240F10446AD502BB280EB745E50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0079B370 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0079B470
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0079B47E
UnhandledExceptionFilter.KERNEL32(?), ref: 0079B48B

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 997fb4ac27045b1813829bf9fdea233e596116d3f1acb74e4d554ab96f9a8d37
Instruction ID: 9f26b22001b4c01c7c6a374f8a55dc432a8bcd4166caa7c2fbf05c6bd5447edf
Opcode Fuzzy Hash: 997fb4ac27045b1813829bf9fdea233e596116d3f1acb74e4d554ab96f9a8d37
Instruction Fuzzy Hash: 9041B2B4C1122CDBCB25DF64D9897D9BBB4BF18310F1042EAE80D66291E7749B85CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0077EBA0 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?), ref: 0077EBAE
LockResource.KERNEL32(00000000), ref: 0077EBC8

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: Resource$LoadLock
String ID:
API String ID: 1037334470-0
Opcode ID: 06e1dfdad4babba6c549a2d8c26ebe58ab554db54dfa2dae4655383f45ec8ef6
Instruction ID: a26729222434736b1c9ebba3effa51255d7af4dfe611d686a034048965a33daa
Opcode Fuzzy Hash: 06e1dfdad4babba6c549a2d8c26ebe58ab554db54dfa2dae4655383f45ec8ef6
Instruction Fuzzy Hash: 0721DE74E00109EFCF44DFA4C5849AEBBB5FF48344F20C599E81AAB254D3349E40EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0312B15E Relevance: 4.6, APIs: 3, Instructions: 61stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,0312AA4B,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 0312B17B
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0312B1A9

Part of subcall function 03125EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,03123652,?,?,?,0313150A,031335DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,031335AB,00000000,76A5FAD0,00000000), ref: 03125EBE

lstrcpyA.KERNEL32(00000000,?), ref: 0312B1F6

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 7ec89afca54b1f834476da9ff3376b86fd3e31a945a29f526fc48456e26737a5
Instruction ID: 380a4890e6d4377eee96585fec456b85e612c23e3f0ad4bee387ee3a4307a118
Opcode Fuzzy Hash: 7ec89afca54b1f834476da9ff3376b86fd3e31a945a29f526fc48456e26737a5
Instruction Fuzzy Hash: 2611B7B6D0021DAFDB01DFA5D8848EEBBBDFF48344F10417AE515A7240DB359A55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312F619 Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0312E18E), ref: 0312F644
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0312F655
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 0312F68A

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 658607936-0
Opcode ID: 159f85af76555c4f1d920db1a39c054ffeef43d6443f6653ac1bef389809a512
Instruction ID: 8297d3da5ed265e823a14646f5edede77aac4e31ff267bff169defe7d221f804
Opcode Fuzzy Hash: 159f85af76555c4f1d920db1a39c054ffeef43d6443f6653ac1bef389809a512
Instruction Fuzzy Hash: 75111C75A10229AFEB10CFF5CC849EFFBBCFB48600F00452AE501F2150E7709A458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312CAFC Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0312CB24
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0312CAD5,?,00000000,?,?,?,?,0312CA44), ref: 0312CB3B
LocalFree.KERNEL32(0312CAD5,?,?,?,?,?,0312CAD5,?,00000000,?,?,?,?,0312CA44), ref: 0312CB5B

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: e7f561b3c71773e7be23576c3bcb660c4886b34ba21972d238066adaff4a75bc
Instruction ID: 59358849d0728e48533d1ce629d3b193a2a8a182966d448ec4896526bcd1d835
Opcode Fuzzy Hash: e7f561b3c71773e7be23576c3bcb660c4886b34ba21972d238066adaff4a75bc
Instruction Fuzzy Hash: 4D01C0B5900219AFDB059FA5DC058EEBFB9EF48351B140169ED51A2340E77199548AA0

Uniqueness

Uniqueness Score: -1.00%

Function 007D0E50 Relevance: 4.4, Strings: 3, Instructions: 602COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h, xrefs: 007D0E95
("Division by zero", false), xrefs: 007D0E84
%ls, xrefs: 007D0E89

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID: %ls$("Division by zero", false)$minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h
API String ID: 0-226933
Opcode ID: e3b17ab96c2364b88fb14a05c407ad2d1a89ad4695d8495a82cc7a5ed36d794d
Instruction ID: 9101939bfa9a58a2c2dc8a9d1740a8871ac70524343fe1086b368695e0f8b3de
Opcode Fuzzy Hash: e3b17ab96c2364b88fb14a05c407ad2d1a89ad4695d8495a82cc7a5ed36d794d
Instruction Fuzzy Hash: EE62A974A04928DFDB64CF14CD94BAAB7B2BB88316F5081DAD84DA7345DB35AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0312FF27 Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 0312FF54
FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 0312FFF6

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 3b76e01020d117f7a61a305beb96ee47bc457ffbe5db66d558db53e44aaf34da
Instruction ID: 7eb18d74991670c9500925880a265297d51781deb4f2d1b73e6fdf5b78c9d116
Opcode Fuzzy Hash: 3b76e01020d117f7a61a305beb96ee47bc457ffbe5db66d558db53e44aaf34da
Instruction Fuzzy Hash: F5313E79D003199BDB14EFA5C988BEEBFB9AF4D310F104569E415A7280DB34AE94CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0312D418 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,0326E080,?,?,?,0312E634,0326E07C,0326E080), ref: 0312D45A

Part of subcall function 0312F56D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0312D471,?,?,00000001), ref: 0312F5C2
Part of subcall function 0312F56D: LookupAccountSidW.ADVAPI32(00000000,0312D471,?,00000104,?,00000010,?), ref: 0312F5E7
Part of subcall function 0312F56D: GetLastError.KERNEL32(?,?,00000001), ref: 0312F5F1
Part of subcall function 0312F56D: FreeSid.ADVAPI32(0312D471,?,?,00000001), ref: 0312F5FF

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0312E634,0326E07C,0326E080), ref: 0312D47B

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: 30c5c65be10bc5e6a097ab278d3a5b6dbf9e7ea9e7219a9af3b8aeb82a3754b3
Instruction ID: 13762c2804e9222eaf08be58b05f741fb9d58ac1e40237b4ff1921908e11acb4
Opcode Fuzzy Hash: 30c5c65be10bc5e6a097ab278d3a5b6dbf9e7ea9e7219a9af3b8aeb82a3754b3
Instruction Fuzzy Hash: 4D113376900218AFDB11DFAAD8849EEFBFCFF5D314B00442AE951EB210D7B4AA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0077C250 Relevance: 1.6, APIs: 1, Instructions: 79comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0082A08C,00000000,00000001,0082A0A0,00000000), ref: 0077C278

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: ce6424d5ebdd49ba573a4db8fed7d9342be5adbe0d815442c412663a37e91ac9
Instruction ID: 0e9699fe4fc6dd1cb790baffc7fb7637f2cbedd981e59ae77728f13e5fc27b36
Opcode Fuzzy Hash: ce6424d5ebdd49ba573a4db8fed7d9342be5adbe0d815442c412663a37e91ac9
Instruction Fuzzy Hash: 22310B74D00108EFDB04EFA4D95ABEEB7B4BF08301F208159E916A7291DB786F45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00784740 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00754A20), ref: 00784748

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf51e34d3e63a1dbb80762773f4225615e5c1a52363afcc8840610a0f880904f
Instruction ID: 3f3991d0bee58e3dcbb4310771a7eefb3cc54021ab849aabaabf73e835bdd3ce
Opcode Fuzzy Hash: cf51e34d3e63a1dbb80762773f4225615e5c1a52363afcc8840610a0f880904f
Instruction Fuzzy Hash: CAA022300FC30CA3800023CABC0E880BF0CC202A3B3008000FB8F000820BE3200020AA

Uniqueness

Uniqueness Score: -1.00%

Function 00776870 Relevance: 1.3, APIs: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007768A5

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ca87222d201d7d7d1635753882250bed557168ed9f079208f14c90bfc177c005
Instruction ID: 3b64b43babb086b47c0ee8fbc9c3e566e3b3cbf4fb6544e1b78efb1928126720
Opcode Fuzzy Hash: ca87222d201d7d7d1635753882250bed557168ed9f079208f14c90bfc177c005
Instruction Fuzzy Hash: C601A5F1A60600CBCB10EB98AF879D533A19798739B040234EF06436D1E6BCB8589E62

Uniqueness

Uniqueness Score: -1.00%

Function 027384B1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction ID: 043b9e3f6e7bf017a0f82c997cfd8b6381536c26e76438048341c12e230cf95e
Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction Fuzzy Hash: 3A314D76E0062A9FCB15CF98C4D09AEB7F6FF89314B1981A9E445A7712D730EA41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0312F93F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d29e36c4944029b0d4c8b17038f74f1fe8da37328faff89e04467d3c3bd2fe
Instruction ID: 34de5842a6be488bbb873c9306f076607c2b5a103c55d6f1eb550e0c5a671cf9
Opcode Fuzzy Hash: c4d29e36c4944029b0d4c8b17038f74f1fe8da37328faff89e04467d3c3bd2fe
Instruction Fuzzy Hash: 2A21AB76D0021CABDF15DFA9C8C1BEEBFB9AF4C310F144066E505EB241E731599587A4

Uniqueness

Uniqueness Score: -1.00%

Function 02720467 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 0401b8db88b8a57d429c0b8cdd0141c088c596a9163f6783e6dfd23007761e31
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 4731D536A0436A8FC710DF18D480A2AB7E5FF99308F4549ADE59587312E330F90ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02731537 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction ID: c32ec060d16bfcd0172565f2dc029cf8f27e1e4cac682ef32edc1737e6368238
Opcode Fuzzy Hash: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction Fuzzy Hash: 3D11E1333546210A872DD93E4D67067FBDAD3C9011788893EE49FCB296E631E3068691

Uniqueness

Uniqueness Score: -1.00%

Function 03131BF8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction ID: 6fd20c66ce5ecc5371f599e802439f028faa93f5b2db625ac66b3bffa4c72263
Opcode Fuzzy Hash: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction Fuzzy Hash: B511E5323545215B872CD83E4D57067FBDAD2CE011748893EE59BCB655E531E3068680

Uniqueness

Uniqueness Score: -1.00%

Function 007DA290 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8c40a15883035958e17f521d7f11cc0cde92f06a43d30a24313d77b40ca2d4
Instruction ID: e1ae4be31aae2af083146e3dcffe07a448aeec43748ca07bae80d78d1e37772b
Opcode Fuzzy Hash: bb8c40a15883035958e17f521d7f11cc0cde92f06a43d30a24313d77b40ca2d4
Instruction Fuzzy Hash: 06E0652190C7C8B6CF129AA684527FA7F787F92304F1800C6D4415B743C5AFE949E3A3

Uniqueness

Uniqueness Score: -1.00%

Function 0272FF5F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction ID: 8fd49ac6c290a933f8e7fa303b239272a0e212cdcbc9a50471c0bb33e547ac79
Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction Fuzzy Hash: 99E01233204560CBD761DB19D444A66F3F6EF87270F1A0569F456B7A61D320FC09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03130620 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction ID: cc720a0b095413b5eefa4ce07bcaec2c403163e8310155c66996e01c6a934aa6
Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction Fuzzy Hash: FEE08C72284510CBC620DB1AD440A16F3F6EBCE170B1B04A8E44BA7514C320FC81CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0273028D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: 5fda3fd4d84cd2f22dee044ad912e4de7ecb99e7d4eebbced759c00506ef5ae4
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: ABD0EA783619418FDB51CF18C584E12B3F4FB49660B098491E905CB732DB34EC00EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0313094E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: e57a158ea18e2fa2b71fe266774969b5fa86f5d4376049c149d905cc6d3b9d68
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: 49D0EA383619408FDB51CF18C684E01B3E4EB4DA60B098491E90ACB735D734ED00EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0272FF58 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03130619 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0312B67E Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219libraryCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0312B6AC
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0312B6B5

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 03123272: wsprintfW.USER32 ref: 0312328D

PathFileExistsW.SHLWAPI(0312A760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0312B7A3
PathFileExistsW.SHLWAPI(0312A760,.dll,?,0312A760,?,00000104,00000000), ref: 0312B7FF
LoadLibraryW.KERNEL32(?,0312A760,?,00000104,00000000), ref: 0312B83E
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B849
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B854
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B85F
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0312B86A
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0312B957

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

msvcp120.dll, xrefs: 0312B706
msvcr, xrefs: 0312B76A
PK11_Authenticate, xrefs: 0312B8C4
msvcp, xrefs: 0312B751
PK11_GetInternalKeySlot, xrefs: 0312B8B1
msvcr120.dll, xrefs: 0312B6ED
NSS_Shutdown, xrefs: 0312B913
NSS_Init, xrefs: 0312B8A1
NSSBase64_DecodeBuffer, xrefs: 0312B8ED
.dll, xrefs: 0312B789, 0312B7E7
PR_GetError, xrefs: 0312B939
softokn3.dll, xrefs: 0312B738
PK11_CheckUserPassword, xrefs: 0312B900
PK11_FreeSlot, xrefs: 0312B926
nss3.dll, xrefs: 0312B6D4
PK11SDR_Decrypt, xrefs: 0312B8DA
mozglue.dll, xrefs: 0312B71F

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: 448d8b24c575756c5ac419943b4f0974c48385c16440ae1d7333af0b3f6db751
Instruction ID: b09b565ec1cf2b89ab6b59876a5eb8dd50df79480f41fe0440891e0c9614963d
Opcode Fuzzy Hash: 448d8b24c575756c5ac419943b4f0974c48385c16440ae1d7333af0b3f6db751
Instruction Fuzzy Hash: CE914F79A00219EFDB04EFB1C8809EEFBBAFF4D600F504466D5256B250DF34AA64CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031295AA Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214windowstringregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 031295BC
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 0312962B
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 03129645
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 03129651
lstrcpyW.KERNEL32(?,-00000010), ref: 0312968B
lstrcatW.KERNEL32(?,03134A58), ref: 0312969E

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 0312FF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 0312FF54

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 03129721
wsprintfW.USER32 ref: 03129758
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 0312979A
CloseHandle.KERNEL32(00000000), ref: 031297AA
RegisterClassW.USER32 ref: 031297C9
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 031297E1
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 03129802
TranslateMessage.USER32(?), ref: 03129814
DispatchMessageA.USER32(?), ref: 0312981F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0312982F

Strings

%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 03129752
\Microsoft Vision\, xrefs: 0312963F
ExplorerIdentifier, xrefs: 031296E6

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 2678186124-2372768292
Opcode ID: 0d7cae75c1a041cc7baf06875b37c60a39cb230bec8acf78747de7f614ef85df
Instruction ID: 588f398fc5ffd492741a17c8cb58f4ebf41a7d65a50c14cb712083420c211018
Opcode Fuzzy Hash: 0d7cae75c1a041cc7baf06875b37c60a39cb230bec8acf78747de7f614ef85df
Instruction Fuzzy Hash: B1718AB2504304AFD714EBAADC48EABBBECBB8E700F040919F595D6180DB75D954CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0312A0D8 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0312A12F
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0312A14C
lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 0312A19F
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0312A1B5
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0312A1E8
RegCloseKey.ADVAPI32(?), ref: 0312A1F9
lstrcpyW.KERNEL32(?,?), ref: 0312A20D
lstrcatW.KERNEL32(?,03134684), ref: 0312A21B
lstrcatW.KERNEL32(?,?), ref: 0312A22F
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0312A24C
RegCloseKey.ADVAPI32(?,?), ref: 0312A261
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0312A27E

Strings

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0312A135
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 0312A15F, 0312A16F
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0312A17C, 0312A181, 0312A191
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0312A125
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0312A142, 0312A152

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: 30f63a9a84e1ba8c8bb1495a82a2504d549963ca53b387d7824fda9672850ac2
Instruction ID: 21f3075bd25e7386bf105e7b9746d7b193a37e77090a38633e1226e67273d628
Opcode Fuzzy Hash: 30f63a9a84e1ba8c8bb1495a82a2504d549963ca53b387d7824fda9672850ac2
Instruction Fuzzy Hash: E9411EB290022DBFDB21DA91DC44EFF7B6DEF09694F1404A5B515E2001EB719E949BB0

Uniqueness

Uniqueness Score: -1.00%

Function 03131AB9 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90sleepregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0312FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,76A5FAD0,00000000,76A5FAD0,00000000,?,?,?,?,031335AB,?), ref: 0312FC0E
Part of subcall function 0312FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,031335AB,?), ref: 0312FC15
Part of subcall function 0312FBFC: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,031335AB,?), ref: 0312FC33
Part of subcall function 0312FBFC: CloseHandle.KERNEL32(00000000), ref: 0312FC48

CloseHandle.KERNEL32(?,00000000), ref: 03131AD8
GetCurrentProcess.KERNEL32(?), ref: 03131AE7
IsWow64Process.KERNEL32(00000000), ref: 03131AEE
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 03131B25
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 03131B57
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 03131B69
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 03131B81
ShellExecuteExW.SHELL32(?), ref: 03131BB3
TerminateProcess.KERNEL32(00000000,00000000), ref: 03131BBD
Sleep.KERNEL32(000007D0), ref: 03131BD5
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 03131BE5
ExitProcess.KERNEL32 ref: 03131BEC

Strings

DelegateExecute, xrefs: 03131B3E
Software\Classes\Folder\shell\open\command, xrefs: 03131BDB
\sdclt.exe, xrefs: 03131B5D
open, xrefs: 03131B79, 03131B7F
@, xrefs: 03131BA2
<, xrefs: 03131B9B

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
API String ID: 3164795406-2081737068
Opcode ID: f80d199b319145ad6583fba60f0c3bdead0064c3932e77be6ddfaf8192c3baa2
Instruction ID: 57a1ee62b38eeeb08212ccc3de3645ad0ed40c8190eb643d745e8d003909786c
Opcode Fuzzy Hash: f80d199b319145ad6583fba60f0c3bdead0064c3932e77be6ddfaf8192c3baa2
Instruction Fuzzy Hash: AD313AB1C01218FBDB14FBA6EC489DEBBBCEF4D711F0041A5F909A2144EB755A85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031330C9 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 122filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 03133110
SizeofResource.KERNEL32(00000000,?), ref: 0313311C
LockResource.KERNEL32(00000000), ref: 03133126
GetTempPathA.KERNEL32(00000400,?), ref: 03133160
lstrcatA.KERNEL32(?,find.exe), ref: 03133174
GetTempPathA.KERNEL32(00000400,?), ref: 03133182
lstrcatA.KERNEL32(?,find.db), ref: 03133190
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 031331AB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 031331BD
CloseHandle.KERNEL32(00000000), ref: 031331C4
wsprintfA.USER32 ref: 031331F4
ShellExecuteExA.SHELL32(0000003C), ref: 03133242

Strings

find.db, xrefs: 03133184
<, xrefs: 03133200
-w %ws -d C -f %s, xrefs: 031331EE
@, xrefs: 03133213
find.exe, xrefs: 0313316E

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: 5090bbdc6ffe2cb32c64f81054fc9502d2bcce043f490a32074fc43858948bc6
Instruction ID: 0f0dcc03a012e2349b3e4605789ba001936c30c1e419aaf5ad99981b9d819fa6
Opcode Fuzzy Hash: 5090bbdc6ffe2cb32c64f81054fc9502d2bcce043f490a32074fc43858948bc6
Instruction Fuzzy Hash: 4B413DB5900219ABDB14EFA5DD84EDEBBBCFF89304F004156F609A6104DB746A85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 031330D5 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 03133110
SizeofResource.KERNEL32(00000000,?), ref: 0313311C
LockResource.KERNEL32(00000000), ref: 03133126
GetTempPathA.KERNEL32(00000400,?), ref: 03133160
lstrcatA.KERNEL32(?,find.exe), ref: 03133174
GetTempPathA.KERNEL32(00000400,?), ref: 03133182
lstrcatA.KERNEL32(?,find.db), ref: 03133190
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 031331AB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 031331BD
CloseHandle.KERNEL32(00000000), ref: 031331C4
wsprintfA.USER32 ref: 031331F4
ShellExecuteExA.SHELL32(0000003C), ref: 03133242

Strings

find.db, xrefs: 03133184
<, xrefs: 03133200
-w %ws -d C -f %s, xrefs: 031331EE
@, xrefs: 03133213
find.exe, xrefs: 0313316E

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: 20d692517c9f26e2e629dd7973a4aa8b3640da034f5c9e346c4b295e538b237a
Instruction ID: 1953561e4bed7a4c38cbc4aba4ea2bdcfdb4e74ef792dfacb322f6d231be26e3
Opcode Fuzzy Hash: 20d692517c9f26e2e629dd7973a4aa8b3640da034f5c9e346c4b295e538b237a
Instruction Fuzzy Hash: 9C413DB590021DABDB10EFA5DD84EDEBBBCFF8D304F004156F609A6144DB746A858FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0312882F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135windowstringfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 03128840
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 03128894
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 031288AE
GetLocalTime.KERNEL32(?), ref: 031288B5
wsprintfW.USER32 ref: 031288E9
lstrcatW.KERNEL32(-00000010,?), ref: 03128900
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 0312892C
CloseHandle.KERNEL32(00000000), ref: 0312893C

Part of subcall function 03131E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,031334BF), ref: 03131E4E
Part of subcall function 03131E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,031334BF), ref: 03131E61
Part of subcall function 03131E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,031334BF), ref: 03131E72
Part of subcall function 03131E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,031334BF), ref: 03131E7F

Part of subcall function 031309D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,763CF580,00000000,?,?,?,?,0312895D), ref: 031309FE

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 031289AF

Part of subcall function 03130969: lstrcmpA.KERNEL32(?,03131BD0,?,open,03131BD0), ref: 031309A2

TranslateMessage.USER32(?), ref: 03128996
DispatchMessageA.USER32(?), ref: 031289A1

Strings

c:\windows\system32\user32.dll, xrefs: 0312894A
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 031288E3
\Microsoft Vision\, xrefs: 031288A8
SetWindowsHookExA, xrefs: 03128962

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: File$Message$CloseCreateHandlelstrcat$AllocChangeDispatchFindFolderLocalModuleNotificationPathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1641748825-3884914687
Opcode ID: e4d5a766e00bd0afe005ee4652a4693c3b7488bd46af7753b58439661449883b
Instruction ID: c303e6dc0b526d82ce6a392c84122debf0450f09e90ecd35c8e9c5e682370e35
Opcode Fuzzy Hash: e4d5a766e00bd0afe005ee4652a4693c3b7488bd46af7753b58439661449883b
Instruction Fuzzy Hash: 21419DB1544300ABE718EBABEC49E6B7BECFB8E700F000819B545E7285DB69D954C731

Uniqueness

Uniqueness Score: -1.00%

Function 03128E66 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147filestringCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?), ref: 03128E8F
GetWindowTextW.USER32(00000000,?,00000104), ref: 03128EA2
lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 03128F0B
lstrcpyW.KERNEL32(-00000210,?), ref: 03128F58
CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 03128F79
lstrlenW.KERNEL32(03134AD0,00000008,00000000,?,?), ref: 03128FA2
WriteFile.KERNEL32(?,03134AD0,00000000,?,?), ref: 03128FAE
WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 03128FD2
lstrlenW.KERNEL32(03134AD0,-00000008,00000000,?,?), ref: 03128FE5
WriteFile.KERNEL32(?,03134AD0,00000000,?,?), ref: 03128FF1
lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 03129003
WriteFile.KERNEL32(?,?,00000000,?,?), ref: 03129011
CloseHandle.KERNEL32(?,?,?), ref: 0312901B

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03123335: lstrcatW.KERNEL32(00000000,76A5FAD0), ref: 03123365

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

{Unknown}, xrefs: 03128EED

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
String ID: {Unknown}
API String ID: 2314120260-4054869793
Opcode ID: 408089891550772de980a8b5e7ab1a01b9c812824c2c1b96928c73195c7164f9
Instruction ID: 96386d2529667003838cc1eea722170bbebc88612850dafda29ffb2dd66048c5
Opcode Fuzzy Hash: 408089891550772de980a8b5e7ab1a01b9c812824c2c1b96928c73195c7164f9
Instruction Fuzzy Hash: 455190B5A40218AFDB04EF65DC89FAE7BA9FF0D300F054064E505AB250DB75AE90CB64

Uniqueness

Uniqueness Score: -1.00%

Function 007D5BA0 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 007D5BE0

Strings

(*_errno()), xrefs: 007D5FAB
Microsoft Visual C++ Runtime Library, xrefs: 007D6017
@, xrefs: 007D5D4F
_CrtDbgReport: String too long or IO Error, xrefs: 007D5FF0
common_message_window, xrefs: 007D5C5B, 007D5FA6, 007D5FE6
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 007D5C60
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 007D5C56, 007D5FA1, 007D5FE1
@, xrefs: 007D5CAC
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 007D5FEB

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: HandleModule
String ID: (*_errno())$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 4139908857-711353123
Opcode ID: 31825a46b21805b766b7a0ee0d824e54fdb49dbfd6b2d3159f82d78e1b7c6920
Instruction ID: 88fc8367459166d1668d2ce9a6a8e14098f5981a1c8020c21b85e25438994164
Opcode Fuzzy Hash: 31825a46b21805b766b7a0ee0d824e54fdb49dbfd6b2d3159f82d78e1b7c6920
Instruction Fuzzy Hash: 5BD14BB1900229EBDB24EF94CC4DBD9B7B5FB54301F1041DAE509AA390D7B89B89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007D5580 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 296COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 007D55C0

Strings

(*_errno()), xrefs: 007D597C
Microsoft Visual C++ Runtime Library, xrefs: 007D59E8
_CrtDbgReport: String too long or IO Error, xrefs: 007D59C1
common_message_window, xrefs: 007D563B, 007D5977, 007D59B7
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 007D5640
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 007D5636, 007D5972, 007D59B2
@, xrefs: 007D5720
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 007D59BC
@, xrefs: 007D568C

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: HandleModule
String ID: (*_errno())$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 4139908857-711353123
Opcode ID: 222daa874eb70a5c4b1d9866ab699a61e9fde54ef4fcc28fb6c75ea83527db63
Instruction ID: ffdc7760a4fb9dfdbe07bc1f48bbf98ba387b2c851713e839719f9701a2c226c
Opcode Fuzzy Hash: 222daa874eb70a5c4b1d9866ab699a61e9fde54ef4fcc28fb6c75ea83527db63
Instruction Fuzzy Hash: 96D151B0900628DBDB24DF54CC4DBDA77B5BBA9301F1041DAE609A6380D7B85ED9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0312E3FA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 237registryCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 0312E407
DeleteCriticalSection.KERNEL32(?,?,?), ref: 0312E41E
EnterCriticalSection.KERNEL32(0326E020,?,?), ref: 0312E42A

Part of subcall function 0312DE1F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0326E020,?,?,0312E451,?,?), ref: 0312DE51

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0312E5FF
RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0312E61A
RegCloseKey.ADVAPI32(?,?,?), ref: 0312E623
LeaveCriticalSection.KERNEL32(0326E020,00000000,0326E07C,0326E080,?,?), ref: 0312E65E

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03123261: lstrlenW.KERNEL32(76A5FAD0,03123646,?,?,?,0313150A,031335DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,031335AB,00000000,76A5FAD0,00000000), ref: 03123268

LeaveCriticalSection.KERNEL32(0326E020,00000000,rpdp,0326E080,00000000,rudp,0326E07C,0326E07C,0326E080,?,?), ref: 0312E6C4
LeaveCriticalSection.KERNEL32(0326E020,00000000,?,?), ref: 0312E6F4

Strings

rudp, xrefs: 0312E459, 0312E670
rpdp, xrefs: 0312E492, 0312E691
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 0312E5F5

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
API String ID: 2046459734-177601018
Opcode ID: 9494ac6d5fcf826548a6cf3a8e2211cdb3181f1644fd9f8ef51eff6f7001d1e8
Instruction ID: 095ca54108fd35537eaed7397bf66e43f96127039b4ebb0c4d4b67ebb2350fd8
Opcode Fuzzy Hash: 9494ac6d5fcf826548a6cf3a8e2211cdb3181f1644fd9f8ef51eff6f7001d1e8
Instruction Fuzzy Hash: ED717B78610228AFDF15FF61DC95EEE7F29AF4C210B414419F916AE180DF34AAA5CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0312EAFB Relevance: 19.6, APIs: 13, Instructions: 135pipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0312EA89: GetCurrentThreadId.KERNEL32 ref: 0312EA95
Part of subcall function 0312EA89: SetEvent.KERNEL32(00000000), ref: 0312EAA9
Part of subcall function 0312EA89: WaitForSingleObject.KERNEL32(0313956C,00001388), ref: 0312EAB6
Part of subcall function 0312EA89: TerminateThread.KERNEL32(0313956C,000000FE), ref: 0312EAC7

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0312EB41
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0312EB5E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0312EB64
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0312EB6D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0312EB85
GetCurrentProcess.KERNEL32(03139560,00000000,00000000,00000002,?,00000000), ref: 0312EB9E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0312EBA4
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0312EBA7
GetCurrentProcess.KERNEL32(03139564,00000000,00000000,00000002,?,00000000), ref: 0312EBBC
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0312EBC2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0312EC18
CreateThread.KERNEL32(00000000,00000000,0312E92A,03139558,00000000,03139570), ref: 0312EC38
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0312EBC5

Part of subcall function 0312EC8C: CloseHandle.KERNEL32(03139568,03139558,0312EADC,?,00000000,03122A8C,00000000,exit,00000000,start), ref: 0312EC96

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 0312E891: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000,?,?,00000001), ref: 0312E8E3

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID:
API String ID: 337272696-0
Opcode ID: 2871f840b32ea4f4cc8223cd3bafb5d9dc2dbc911fb485e74bc882fa60656bdb
Instruction ID: ab37f5e2dd48b54da0f8cad58eb4f194271f3d167576d8540e9a89bedaed5c05
Opcode Fuzzy Hash: 2871f840b32ea4f4cc8223cd3bafb5d9dc2dbc911fb485e74bc882fa60656bdb
Instruction Fuzzy Hash: 7E412E71A00319BBDB15EBE1DD45FEEBF78EF58751F100016A101B60D0DBB0AA64CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 03131136 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 278fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0312F481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,031335AB,?,03131618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0312F4A2

Part of subcall function 03130F6E: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,76A5FAD0,?,?,03131165,?,?), ref: 03130F8E

Part of subcall function 03130FAE: RegCloseKey.ADVAPI32(?,?,0313112D,?,?,031336DB), ref: 03130FB8

CopyFileW.KERNEL32(?,?,00000000,?,03134684,?,00000000,?,?,?,?,00000000,76A5FAD0,00000000), ref: 031311D7

Part of subcall function 0313106C: RegCreateKeyExW.ADVAPI32(76A5FAD0,00000000,00000000,00000000,00000000,031335AB,00000000,?,?,?,?,031335AB,?,0313158B,80000001,?), ref: 031310A0
Part of subcall function 0313106C: RegOpenKeyExW.ADVAPI32(76A5FAD0,00000000,00000000,031335AB,?,?,?,031335AB,?,0313158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 031310BB

Part of subcall function 03131039: RegSetValueExW.ADVAPI32(?,76A5FAD0,00000000,?,?,?,?,?,03131432,00000000,00000000,?,00000001,?,?,?), ref: 03131058

SHGetKnownFolderPath.SHELL32(03134550,00000000,00000000,?,?,?,?,?,00000000,76A5FAD0,00000000), ref: 03131264
CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,03137204,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 03131382

Part of subcall function 0312F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0312F79C

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 0312F71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,031311A6,00000000,?,?,?,?,00000000,76A5FAD0,00000000), ref: 0312F725

Part of subcall function 0312362D: lstrcpyW.KERNEL32(00000000,76A5FAD0), ref: 03123657

Part of subcall function 03123335: lstrcatW.KERNEL32(00000000,76A5FAD0), ref: 03123365

DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,76A5FAD0,00000000), ref: 0313147C

Strings

:start, xrefs: 03131294, 0313132F
:Zone.Identifier, xrefs: 0313145B
wmic process call create '", xrefs: 0313130A
79v, xrefs: 031311D7, 03131382
\programs.bat, xrefs: 03131275
") do %%A, xrefs: 0313128F
for /F "usebackq tokens=*" %%A in (", xrefs: 03131282

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
String ID: ") do %%A$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"$79v
API String ID: 2154703971-588850294
Opcode ID: bf60a0cd34d812df555a44688a18e534e72653b9464815bbb21122c6067fe75c
Instruction ID: 8112040d4fda2cb492be9f42b9f84ab9ec0a04153e6978a4d308da7d21ba1dcf
Opcode Fuzzy Hash: bf60a0cd34d812df555a44688a18e534e72653b9464815bbb21122c6067fe75c
Instruction Fuzzy Hash: 7DA12479A00219AFDF15FFA0CC90CEEBB79AF5D200B504569E8166B190DF34AE65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0312D58D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0312D5A0
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0312D5B9
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D5C6
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0312D5D5
GetLastError.KERNEL32 ref: 0312D5DF
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0312D600
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D611
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D614
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D624
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D627

Part of subcall function 03121099: GetProcessHeap.KERNEL32(00000000,00000000,03131E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0312109F
Part of subcall function 03121099: HeapFree.KERNEL32(00000000), ref: 031210A6

Strings

ServicesActive, xrefs: 0312D597

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: f7a1e8ea540e87865917df0f41f4c7b913814a5b72187fabc0f17c591c3194e5
Instruction ID: da12fab60ad64ed87ced1a3f47a8507378a5a6754627e9585e5659af6740bb9a
Opcode Fuzzy Hash: f7a1e8ea540e87865917df0f41f4c7b913814a5b72187fabc0f17c591c3194e5
Instruction Fuzzy Hash: 09114675600228BBCB24EB62ED88DDB7EADEB8D6617110065F506A7204DF749A50CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0312DED2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 324COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0312DEEF

Part of subcall function 0312FC58: GetCurrentProcess.KERNEL32(?,?,03122D84,?,03134648,?,?,00000000,?,?,?), ref: 0312FC5C

PathFileExistsW.SHLWAPI(?), ref: 0312E099
PathFileExistsW.SHLWAPI(?), ref: 0312DF0D

Part of subcall function 0312FDF0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,03129A69,?,?,?), ref: 0312FE07
Part of subcall function 0312FDF0: GetLastError.KERNEL32(?,?,?,03129A69,?,?,?), ref: 0312FE15

LeaveCriticalSection.KERNEL32(?,00000000), ref: 0312E28C

Part of subcall function 0312D9B6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0312D9EA

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0312E17F
LeaveCriticalSection.KERNEL32(?,00000000), ref: 0312E2CC

Strings

SeDebugPrivilege, xrefs: 0312E16F

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
String ID: SeDebugPrivilege
API String ID: 1717069549-2896544425
Opcode ID: 56705d32a8bb11a4fb99deb2bb702672d1a52bcf3272d5be11dc91a1ae41ba55
Instruction ID: 2dc69e5e6aa9e6c03a11e6f29239e504987dfc11a86c185b036e2c1dc579164b
Opcode Fuzzy Hash: 56705d32a8bb11a4fb99deb2bb702672d1a52bcf3272d5be11dc91a1ae41ba55
Instruction Fuzzy Hash: BBB13075104365ABC718FB61DC90DAFBBA8BF4C240F40092EF5529B190EF74E929CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0312DCB2 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111registryCOMMON

Download Yara Rule

APIs

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0312DCF3

Part of subcall function 03130FC3: RegQueryValueExW.ADVAPI32(?,76A5FAD0,00000000,76A5FAD0,00000000,00000000,?,00000000,031335AB,?,?,?,031315B2,?,?,80000001), ref: 03130FE6
Part of subcall function 03130FC3: RegQueryValueExW.ADVAPI32(?,76A5FAD0,00000000,76A5FAD0,00000000,00000000,?,031315B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0313100A

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03130FAE: RegCloseKey.ADVAPI32(?,?,0313112D,?,?,031336DB), ref: 03130FB8

StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 0312DD57
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0312DD65
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0312DD82

Strings

svchost.exe -k, xrefs: 0312DD5D
svchost.exe, xrefs: 0312DD4F
ServiceDll, xrefs: 0312DD90
ImagePath, xrefs: 0312DD05
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0312DCCE
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0312DCBE

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2246401353-3333427388
Opcode ID: 65eb95323d27b3e88c6a7f887b76344802000cfdcb145073a90a7044cf1f49d8
Instruction ID: b829efbd4956a08abc2510dd11071c78a31841c3d0c4df73296eba0bda0d406b
Opcode Fuzzy Hash: 65eb95323d27b3e88c6a7f887b76344802000cfdcb145073a90a7044cf1f49d8
Instruction Fuzzy Hash: FB410B39D00228AFDF15EBA0DC91EEEFB79AF0D640F504469D5117A194EF346E25CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00783310 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(009B9AFC,00000FA0), ref: 00783320
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll), ref: 0078332B
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0078333F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0078335E
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00783370
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007833A0

Strings

kernel32.dll, xrefs: 0078333A
WakeAllConditionVariable, xrefs: 00783367
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00783326
SleepConditionVariableCS, xrefs: 00783355

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: AddressHandleModuleProc$CountCreateCriticalEventInitializeSectionSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 4003212759-3242537097
Opcode ID: cdb1fdefc1977cb4b20f14f6db5e06cc1e4521cd01a9fb867205f80b7da39e46
Instruction ID: 03f1ef18cc23521cec5b05c0f38b62b16674a50383f44b95b4bd1c6c6fcff5e4
Opcode Fuzzy Hash: cdb1fdefc1977cb4b20f14f6db5e06cc1e4521cd01a9fb867205f80b7da39e46
Instruction Fuzzy Hash: 7E114F74EA8318FFDB10AFA8ED4DB9CBB70EB05B11F104555E915A66D0DBF81680DB01

Uniqueness

Uniqueness Score: -1.00%

Function 0075F0E0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 216COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0075F195

Strings

C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075F1BE
Failed to open the rowset, xrefs: 0075F32E
(((HRESULT)(hr)) >= 0), xrefs: 0075F1EC
%ls, xrefs: 0075F1F1
%ls, xrefs: 0075F1B2
Enter 1-3 to continue: , xrefs: 0075F142
(((HRESULT)(hr)) >= 0), xrefs: 0075F1AD
C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075F1FD

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ActiveWindow
String ID: %ls$%ls$(((HRESULT)(hr)) >= 0)$(((HRESULT)(hr)) >= 0)$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp$Enter 1-3 to continue: $Failed to open the rowset
API String ID: 2558294473-1565370113
Opcode ID: 51edc541ea19427bd046b9c4e649a832a5966ba3e898ccec4cbc40f4afd76736
Instruction ID: 2b9c829f9bd2d143bac2e367d3de2a5f3f1834863da7799b04d072993d17cb01
Opcode Fuzzy Hash: 51edc541ea19427bd046b9c4e649a832a5966ba3e898ccec4cbc40f4afd76736
Instruction Fuzzy Hash: 26916A70D44248EADB14EBA4DD5ABDCBB70AF10712F5081A8F912761D2EBF81B8DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 0312C4A8 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 371fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0312F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0312F79C

Part of subcall function 03123335: lstrcatW.KERNEL32(00000000,76A5FAD0), ref: 03123365

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,03134684,.tmp,00000000,03134684,?,00000000), ref: 0312C5A5
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0312C245), ref: 0312C5AF
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0312C5C3
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0312C5CF

Part of subcall function 0312CED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0312C66B,?,?,00000000,?), ref: 0312CF43
Part of subcall function 0312CED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0312C66B,?,?,00000000,?), ref: 0312CF4C

Part of subcall function 0312CF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0312CFE0
Part of subcall function 0312CF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0312D00E
Part of subcall function 0312CF58: LocalFree.KERNEL32(?), ref: 0312D096

Part of subcall function 031233BF: lstrlenA.KERNEL32(?,76A5FAD0,?,03125A4F,.bss,00000000), ref: 031233C8
Part of subcall function 031233BF: lstrlenA.KERNEL32(?,?,03125A4F,.bss,00000000), ref: 031233D5
Part of subcall function 031233BF: lstrcpyA.KERNEL32(00000000,?,?,03125A4F,.bss,00000000), ref: 031233E8

Part of subcall function 03123125: lstrcatA.KERNEL32(00000000,76A5FAD0,?,00000000,?,031235C4,00000000,00000000,?,03124E98,?,?,?,?,?,00000000), ref: 03123151

Part of subcall function 0312308C: lstrlenA.KERNEL32(00000000,031230B4,76A5FAD0,00000000,00000000,?,031232DC,0312350E,00000000,-00000001,76A5FAD0,?,0312350E,00000000,?,00000000), ref: 03123093

Strings

select signon_realm, origin_url, username_value, password_value from logins, xrefs: 0312C688, 0312C692
.tmp, xrefs: 0312C4F3, 0312C4FB, 0312C531
79v, xrefs: 0312C5B5
select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 0312C683

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins$79v
API String ID: 881303001-858775193
Opcode ID: db79cdc2cd6f5deb80fbc913a928a1443edb569a3f3eff2e896e2540f9fffe4f
Instruction ID: 012b4a11daed77fef99bc8faad2b0b6da51f99e8b0f65c534e7c4908c0ee402e
Opcode Fuzzy Hash: db79cdc2cd6f5deb80fbc913a928a1443edb569a3f3eff2e896e2540f9fffe4f
Instruction Fuzzy Hash: D5D14379900329ABDF15FFA4DC90EEEBF79AF49300F14442AE512AB190DF349A25CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03129ADF Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 229fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 03129AFC
GetLastError.KERNEL32 ref: 03129B09
CloseHandle.KERNEL32(00000000), ref: 03129B10
GetFileSize.KERNEL32(00000000,00000000), ref: 03129B1D
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 03129B4C
CloseHandle.KERNEL32(00000000), ref: 03129B53

Strings

Password, xrefs: 03129CC3, 03129CAB, 03129CD7
Password, xrefs: 03129CDD

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID: Password$Password
API String ID: 1366138817-7788977
Opcode ID: b8e5fe5f5983a4a38667131e71957d1665055741f6a4c7dd5fb3ab0e0f276d1a
Instruction ID: e98fd456b1cacbc34468c69f0601e5bc56f9dce225834907676b7e82b06242c8
Opcode Fuzzy Hash: b8e5fe5f5983a4a38667131e71957d1665055741f6a4c7dd5fb3ab0e0f276d1a
Instruction Fuzzy Hash: 0C814874C042A46FEF25DBACC880BBDBFB9AF4E214F1840AAD0556F181CB750972C755

Uniqueness

Uniqueness Score: -1.00%

Function 00777780 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 179COMMON

Download Yara Rule

Strings

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbcli.h, xrefs: 007777C6, 00777819, 00777936
__atl_condVal, xrefs: 007777B5
ulPropSet == 1, xrefs: 00777925
m_spInit != 0, xrefs: 00777808
%ls, xrefs: 007777BA, 0077780D, 0077792A

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbcli.h$__atl_condVal$m_spInit != 0$ulPropSet == 1
API String ID: 0-1734084402
Opcode ID: 6cd3d8d39d2a83570ef4d2c90a1d50c8a6667cfada7fdd2428d988b5f85fc468
Instruction ID: cfa188f16f14a5ab7576c893286accc9ba8b6885d6e618da7495433c24c09ea2
Opcode Fuzzy Hash: 6cd3d8d39d2a83570ef4d2c90a1d50c8a6667cfada7fdd2428d988b5f85fc468
Instruction Fuzzy Hash: A4613D71E04218DBCF08EF94D89ABEDB7B4BF54341F108119E916BB2A1DBB86D49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0075F640 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0075F69D

Strings

(((HRESULT)(hr)) >= 0), xrefs: 0075F6B5
C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075F705
C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075F6C6
%ls, xrefs: 0075F6BA
Failed to open the rowset, xrefs: 0075F7EB
%ls, xrefs: 0075F6F9
(((HRESULT)(hr)) >= 0), xrefs: 0075F6F4

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ActiveWindow
String ID: %ls$%ls$(((HRESULT)(hr)) >= 0)$(((HRESULT)(hr)) >= 0)$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp$Failed to open the rowset
API String ID: 2558294473-3948184931
Opcode ID: 7ae887463eacb16853a9f06db3bc45826cc947092dd238b302464b3650441953
Instruction ID: 0259b79384150c76b39a0ff0cfb814bec5d53da892b9dcbc9d314ba587376685
Opcode Fuzzy Hash: 7ae887463eacb16853a9f06db3bc45826cc947092dd238b302464b3650441953
Instruction Fuzzy Hash: D7615D31D40248EAEB14EBA4ED5ABDCBB74AF14702F908168F512771D2EBF81A4DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 0312F80E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0312F825
CoInitialize.OLE32(00000000), ref: 0312F82C
CoCreateInstance.OLE32(03134490,00000000,00000017,03136E60,?,?,?,?,?,?,?,?,?,03122D0C), ref: 0312F84A
VariantInit.OLEAUT32(?), ref: 0312F8CE

Strings

root\CIMV2, xrefs: 0312F86A
SELECT Name FROM Win32_VideoController, xrefs: 0312F89C
Name, xrefs: 0312F8E0
WQL, xrefs: 0312F8A6

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-3227336550
Opcode ID: 0a64af0782c651fee8dfba540cbfdc2b2cdc4272f1b8634607a814855534eee4
Instruction ID: e24d488457450ba78d1c9e0482383a45652203cb18deb59a960bc08d29af7160
Opcode Fuzzy Hash: 0a64af0782c651fee8dfba540cbfdc2b2cdc4272f1b8634607a814855534eee4
Instruction Fuzzy Hash: 23410934A00219BFCB14DB96CC88E9FBBB8EB8AB05B104458F515EB250DB709956CB20

Uniqueness

Uniqueness Score: -1.00%

Function 03131F13 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75sleepprocessmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,76A5FAD0,00000000), ref: 03131F25
IsWow64Process.KERNEL32(00000000), ref: 03131F2C
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 03131F50
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 03131F5E
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 03131F6C
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 03131FA9
Sleep.KERNEL32(000003E8), ref: 03131FB8

Strings

\System32\cmd.exe, xrefs: 03131F66

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: 6173f7116f604fad9325499937cd71408d249f342bfb85db8409d5711875f03a
Instruction ID: 6c84c3e70abd5debe8e24645195902c915de8e9d267ebe878160fdcec7c64ebf
Opcode Fuzzy Hash: 6173f7116f604fad9325499937cd71408d249f342bfb85db8409d5711875f03a
Instruction Fuzzy Hash: 8B111FB5A04318BBEB10FAB6AC89FEF766CAB0D645F040035F605E6085DB709E488675

Uniqueness

Uniqueness Score: -1.00%

Function 0312C118 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0312C154
lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0312C162
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0312A729,?,00000104,00000000), ref: 0312C17B
RegQueryValueExW.ADVAPI32(0312A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0312C198
RegCloseKey.ADVAPI32(0312A729,?,00000104,00000000), ref: 0312C1A1

Strings

Path, xrefs: 0312C190
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0312C14E
thunderbird.exe, xrefs: 0312C15A

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: 7561a144320f9ec3bf930fbc534bf1c17e995261129b66475fb0367c473d1cd0
Instruction ID: 7a300dcaa3de33b2da97e5b3412db0581659b333bfa6f196f8cf27499f943c59
Opcode Fuzzy Hash: 7561a144320f9ec3bf930fbc534bf1c17e995261129b66475fb0367c473d1cd0
Instruction Fuzzy Hash: C21112B6A4011CBFE714EAA5ED49FDE7BBCEB1D745F000075B605E2140E7709A548B71

Uniqueness

Uniqueness Score: -1.00%

Function 0313273A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 175comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0313274C
CoCreateInstance.OLE32(031345A0,00000000,00000001,03137410,0313227B), ref: 03132779
CoUninitialize.OLE32 ref: 03132902

Part of subcall function 03132A6B: CoCreateInstance.OLE32(031345E0,00000000,00000001,031373F0,?,770FC970,00000000,00000000,?,?,031327B0), ref: 03132A99

CoCreateInstance.OLE32(031345F0,00000000,00000001,03137400,?), ref: 031327CA

Part of subcall function 031324EB: CoTaskMemFree.OLE32(?,?,00000000,03132896), ref: 031324F9

Strings

Source, xrefs: 031327D9
Grabber, xrefs: 031327E8
vids, xrefs: 03132805

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids
API String ID: 533512943-4200688928
Opcode ID: 9389cc0b41c25f45b797a7720f6bcbc25eec2130dff1fd8f226afd042aeaf62a
Instruction ID: d90378855840e69ef3cb32a185512bea48c65609001a09fbbb16fc6650e613aa
Opcode Fuzzy Hash: 9389cc0b41c25f45b797a7720f6bcbc25eec2130dff1fd8f226afd042aeaf62a
Instruction Fuzzy Hash: BD516271A00219AFDB14EFA5C898EAEF7B9FF49705F08849CF515AB250CB719D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0075F3F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 172COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0075F44D

Strings

%ls, xrefs: 0075F4A9
(((HRESULT)(hr)) >= 0), xrefs: 0075F4A4
%ls, xrefs: 0075F46A
C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075F4B5
C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp, xrefs: 0075F476
(((HRESULT)(hr)) >= 0), xrefs: 0075F465

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ActiveWindow
String ID: %ls$%ls$(((HRESULT)(hr)) >= 0)$(((HRESULT)(hr)) >= 0)$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp$C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\DynamicConsumer.cpp
API String ID: 2558294473-4036015773
Opcode ID: b681d61d00aa5cd8a18237d01806f6a828ed6c9931d850f93b68803be9d61385
Instruction ID: 93a08e081d37989a3a9c67447d70beebb99e07af3a270c47698dca12d8308a19
Opcode Fuzzy Hash: b681d61d00aa5cd8a18237d01806f6a828ed6c9931d850f93b68803be9d61385
Instruction Fuzzy Hash: 6B617C30D40248EADB14EBA4DC5ABECBB74AF24702F508168F552771D2EBF81A4DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 03122961 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 03130F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 03130F38

TerminateThread.KERNEL32(00000000,?,?), ref: 03131740
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 031317AD
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 03131837
CloseHandle.KERNEL32(?), ref: 03131846
CloseHandle.KERNEL32(?), ref: 0313184B
ExitProcess.KERNEL32 ref: 0313184E

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 031317BB

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: d983658711ab0c0e89b6d4649ec5f2b76ddfb5e022079d80c2da3a789cf2522c
Instruction ID: 9e7bb85bfb7462eeb4834ca81ecc487094f73aac562fdd16662fecf77b8a78b5
Opcode Fuzzy Hash: d983658711ab0c0e89b6d4649ec5f2b76ddfb5e022079d80c2da3a789cf2522c
Instruction Fuzzy Hash: 91313DB6900629BFDB15EBE1DD85EEFBB7DEB0C300F000466B605A6140DB74AE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076BA30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,00000000,00000000), ref: 0076BA87
SysAllocStringLen.OLEAUT32(00000000,000000FF), ref: 0076BAAB
MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000), ref: 0076BAD0
SysFreeString.OLEAUT32(00000000), ref: 0076BB13

Strings

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlconv.h, xrefs: 0076BAF2
nResult == nConvertedLen, xrefs: 0076BAE1
%ls, xrefs: 0076BAE6

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ByteCharMultiStringWide$AllocFree
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlconv.h$nResult == nConvertedLen
API String ID: 447844807-2095365358
Opcode ID: ed48dfc484b962de5973ff88a73fda88fbe3ec139af5512b0e35ffd9dfbdec42
Instruction ID: f7ac3be2d01b8414e01aab1461cba08feb138b4c4d84c9b8e426b5a81f464407
Opcode Fuzzy Hash: ed48dfc484b962de5973ff88a73fda88fbe3ec139af5512b0e35ffd9dfbdec42
Instruction Fuzzy Hash: 1B311E74D00208EFDB14DF94D989BEEB7B4EB48311F108159E919A7284D7B86A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0312B559 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0312B229), ref: 0312B561

Part of subcall function 03130969: lstrcmpA.KERNEL32(?,03131BD0,?,open,03131BD0), ref: 031309A2

Strings

vaultcli.dll, xrefs: 0312B55A
VaultEnumerateItems, xrefs: 0312B59F
VaultFree, xrefs: 0312B5E0
VaultCloseVault, xrefs: 0312B589
VaultGetItem, xrefs: 0312B5B5
VaultOpenVault, xrefs: 0312B577

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: c35d23433b334b476fa211a2cd85527aee34f2698c492ff96cdfdd34e8398246
Instruction ID: a16a87d7ef71dbbf3787f34db5296b891e7ea5b48936de6edb4b649d5c59b42f
Opcode Fuzzy Hash: c35d23433b334b476fa211a2cd85527aee34f2698c492ff96cdfdd34e8398246
Instruction Fuzzy Hash: DC11C174A05715CFEB24DB72A804767B7E6EB8E611F18892E849E97344DB30A441CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0312D49C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0312D4AB
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0312D4C0
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D4CD
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0312D4E6
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D4FA
CloseServiceHandle.ADVAPI32(00000000), ref: 0312D4FD

Strings

ServicesActive, xrefs: 0312D4A3

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: 570d9e3c9269782f39951ef93754b6170d2ed04ede2293574dc87eded75bed42
Instruction ID: 554a47e9e535e9dccf98b0a448dfbc1cfffd909957d8437aa352f4b3a0e00502
Opcode Fuzzy Hash: 570d9e3c9269782f39951ef93754b6170d2ed04ede2293574dc87eded75bed42
Instruction Fuzzy Hash: 26F096323042757BD6216A67AC89EDB7E6CEBCE7717150221FA26D6284CF64D85087B0

Uniqueness

Uniqueness Score: -1.00%

Function 031319C9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,0326CBF0,?,?,?,?,03131A78), ref: 031319E9
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,03131A78), ref: 03131A06
lstrlenW.KERNEL32(0326CBF0,?,?,?,?,03131A78,?,?,?,?,031257B9,?,00000000,00000000), ref: 03131A12
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,0326CBF0,00000000,?,?,?,?,03131A78,?,?,?,?,031257B9), ref: 03131A28
RegCloseKey.ADVAPI32(?,?,?,?,?,03131A78,?,?,?,?,031257B9,?,00000000,00000000), ref: 03131A31

Strings

Install, xrefs: 03131A20
SOFTWARE\_rptls, xrefs: 031319DD, 031319E3, 03131A00

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: dc57b16bed227651f3692494d3ebf02b7a463f65c0efa6a5ce36abc8a414fc5b
Instruction ID: 38c715bea08b8e289a36847196aa4cb8b689f2b5d534aba84346a88f51002551
Opcode Fuzzy Hash: dc57b16bed227651f3692494d3ebf02b7a463f65c0efa6a5ce36abc8a414fc5b
Instruction Fuzzy Hash: BFF04F72600058BFE724A697EC4DEEF7EBCEB8E751B000069B905F2145DB615E80C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 03131A3C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,0326CBF0,00000208,00000000,00000000,?,?,?,031257B9,?,00000000,00000000), ref: 03131A58
IsUserAnAdmin.SHELL32 ref: 03131A5E

Part of subcall function 0312FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,76A5FAD0,00000000,76A5FAD0,00000000,?,?,?,?,031335AB,?), ref: 0312FC0E
Part of subcall function 0312FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,031335AB,?), ref: 0312FC15
Part of subcall function 0312FBFC: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,031335AB,?), ref: 0312FC33
Part of subcall function 0312FBFC: CloseHandle.KERNEL32(00000000), ref: 0312FC48

Part of subcall function 031319C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,0326CBF0,?,?,?,?,03131A78), ref: 031319E9
Part of subcall function 031319C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,03131A78), ref: 03131A06
Part of subcall function 031319C9: lstrlenW.KERNEL32(0326CBF0,?,?,?,?,03131A78,?,?,?,?,031257B9,?,00000000,00000000), ref: 03131A12
Part of subcall function 031319C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,0326CBF0,00000000,?,?,?,?,03131A78,?,?,?,?,031257B9), ref: 03131A28
Part of subcall function 031319C9: RegCloseKey.ADVAPI32(?,?,?,?,?,03131A78,?,?,?,?,031257B9,?,00000000,00000000), ref: 03131A31

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,031257B9,?,00000000,00000000), ref: 03131A87
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,031257B9,?,00000000,00000000,?,?,?,?,?,?), ref: 03131A91
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,031257B9,?,00000000,00000000,?,?,?,?,?,?), ref: 03131A9B
LockResource.KERNEL32(00000000,?,?,?,?,031257B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 03131AA2

Part of subcall function 03131936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000), ref: 03131974
Part of subcall function 03131936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000,00000000), ref: 03131988
Part of subcall function 03131936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000,00000000), ref: 03131996
Part of subcall function 03131936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000,00000000), ref: 031319A4

Strings

WM_DSP, xrefs: 03131A7D

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockModuleNameProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 1403607128-506093727
Opcode ID: 90c8b6918f0977e247209649f6bb7098d0a5cd9255f8d8efd41779c1cc7ff71c
Instruction ID: 3e4fd45d00ef21e41aab1e5dbc9a9f4df233f293b3361c17a608000376ce941f
Opcode Fuzzy Hash: 90c8b6918f0977e247209649f6bb7098d0a5cd9255f8d8efd41779c1cc7ff71c
Instruction Fuzzy Hash: C0F062316007907BD624B6B36C0CF5F2E6CAF9F651F090874F402EA244DF2488818270

Uniqueness

Uniqueness Score: -1.00%

Function 03125CA3 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,031302E1,?,76A5FAD0,00000000), ref: 03125CAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 03125CB7
ExitProcess.KERNEL32 ref: 03125CDB

Strings

MessageBoxA, xrefs: 03125CB1
Assert, xrefs: 03125CCB
USER32.DLL, xrefs: 03125CA4
An assertion condition failed, xrefs: 03125CD0

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: e7ffca7143b661832bec289b519916be733737ba1a3a78d49c6258c77a085fc3
Instruction ID: 994352261151487ac0258abd992ac68218a333a43f5329b190e64736795fe975
Opcode Fuzzy Hash: e7ffca7143b661832bec289b519916be733737ba1a3a78d49c6258c77a085fc3
Instruction Fuzzy Hash: 79D017647C13416FEA18E6F33C5AF696E08AB1FF16F180190B661A6186EF9290A88520

Uniqueness

Uniqueness Score: -1.00%

Function 03125F6A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 03125F6F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 03125F7B
ExitProcess.KERNEL32 ref: 03125F9A

Strings

A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 03125F8F
MessageBoxA, xrefs: 03125F75
PureCall, xrefs: 03125F8A
USER32.DLL, xrefs: 03125F6A

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: cef77fc66e4c2ba015dcbfbf1d4898142225d90988b0e32dd16ef8bc0b1f8071
Instruction ID: f307e83f5729e41bb4b63f94d7ad627d2a0270cf773253288d24bb1202123c32
Opcode Fuzzy Hash: cef77fc66e4c2ba015dcbfbf1d4898142225d90988b0e32dd16ef8bc0b1f8071
Instruction Fuzzy Hash: EBD092303C47416FE604A6F36C0AF1C6914AB1EE03F040050B625A4086CFD0A0908625

Uniqueness

Uniqueness Score: -1.00%

Function 03130D24 Relevance: 12.2, APIs: 8, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03130D6A
Process32FirstW.KERNEL32(00000000,0000022C), ref: 03130D83
CloseHandle.KERNEL32(00000000), ref: 03130D8E

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 03130DF8
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 03130E2E
CloseHandle.KERNEL32(00000000,00000000,03134C14), ref: 03130E81
Process32NextW.KERNEL32(00000000,0000022C), ref: 03130EE5
CloseHandle.KERNEL32(00000000), ref: 03130EF7

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
String ID:
API String ID: 3514491001-0
Opcode ID: f6199cd1ad8d3ba820eef2daf1321913a0f626b0fc0b765be2acb89965382da5
Instruction ID: 0c2597d02d6b1e1a9ad33cc5aa0c4a303326bf4152be48271eb574db988f83a7
Opcode Fuzzy Hash: f6199cd1ad8d3ba820eef2daf1321913a0f626b0fc0b765be2acb89965382da5
Instruction Fuzzy Hash: 5951B576D01229AFDB14EBA0CC48EEEBBBCAF4D710F050565E416B7180EF349A95CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00777C00 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?), ref: 00777ED4

Strings

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbcli.h, xrefs: 00777C46, 00777CA2, 00777CE2, 00777D0E, 00777D84
nPropCount > 0, xrefs: 00777CFD
__atl_condVal, xrefs: 00777C35, 00777C91
prgPropertyIDs != 0, xrefs: 00777CD1
%ls, xrefs: 00777C3A, 00777C96, 00777CD6, 00777D02, 00777D78

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: FreeTask
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbcli.h$__atl_condVal$nPropCount > 0$prgPropertyIDs != 0
API String ID: 734271698-1423238636
Opcode ID: 00d84f862625316f98357288d2daf6fe7d096849cafbf4503ab3bd42d2d93c49
Instruction ID: dc8b8e804eee287290860433682fc3d76392a7349ad8569bb2ac88ed0001aeed
Opcode Fuzzy Hash: 00d84f862625316f98357288d2daf6fe7d096849cafbf4503ab3bd42d2d93c49
Instruction Fuzzy Hash: 1791C370E04218DBDF18DF54D896BEDB7B5FB58301F208069E905AB291DBB85D84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03132D0A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 03132D1A
CoCreateInstance.OLE32(031345A0,00000000,00000001,03137410,0063E530,?,?), ref: 03132D32
CoCreateInstance.OLE32(031345F0,00000000,00000001,03137400,0063E53C,?,?,03134580,0063E534,?,?), ref: 03132D8C

Part of subcall function 03132A6B: CoCreateInstance.OLE32(031345E0,00000000,00000001,031373F0,?,770FC970,00000000,00000000,?,?,031327B0), ref: 03132A99

Strings

Source, xrefs: 03132D9E
Grabber, xrefs: 03132DAC
vids, xrefs: 03132DC6

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: a84aa00a6cb99f2bbf709374ee2e9d2a107a0dcd3a8b5d639e8dc625715edeba
Instruction ID: b90b4b33ab99b5ee65fa611de4361086fe7d5a1d162fc904ebb63e3313dcd87c
Opcode Fuzzy Hash: a84aa00a6cb99f2bbf709374ee2e9d2a107a0dcd3a8b5d639e8dc625715edeba
Instruction Fuzzy Hash: 6351AF75600311AFCF24EFA4C885E9A7B75AF4E700B144868FD15AF295CB71E812CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03127948 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64sleepprocessmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 0312796B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 03127979
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 03127987
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 031279C1
Sleep.KERNEL32(000003E8), ref: 031279D0

Strings

\System32\cmd.exe, xrefs: 03127981

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: c3eb781b3bb019f580b172abe662ee32e9acf9fba22f00bc49cf531ea53f51f5
Instruction ID: de986aa305e6827bc4c0cf7b8e8ca414fc8a1593b780886ebeb03b0d65d12bcf
Opcode Fuzzy Hash: c3eb781b3bb019f580b172abe662ee32e9acf9fba22f00bc49cf531ea53f51f5
Instruction Fuzzy Hash: 101130B5600718BFE710EBA6DC86FEF767CAB0C645F000425F601A6181DA709E048675

Uniqueness

Uniqueness Score: -1.00%

Function 03131855 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(03131B3D,03136056,?,?,03131B3D,03136056,?), ref: 0313185D
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,03131B3D,03136056,?), ref: 0313187A
SetLastError.KERNEL32(00000000,?,?,03131B3D,03136056,?), ref: 03131885
RegSetValueExA.ADVAPI32(?,03136056,00000000,00000001,03131B3D,00000000,?,?,03131B3D,03136056,?), ref: 0313189D
RegCloseKey.ADVAPI32(?,?,?,03131B3D,03136056,?), ref: 031318A8

Strings

Software\Classes\Folder\shell\open\command, xrefs: 03131870

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1613093083-2536721355
Opcode ID: 7a0e53f2363925c455f0ccfb0ee68d8eb0a73764ca3924ea6980f4857643d845
Instruction ID: e7191f033468765d4a17652acaf5cdeace2e1d958427f93c0f0011f2ffe8d0eb
Opcode Fuzzy Hash: 7a0e53f2363925c455f0ccfb0ee68d8eb0a73764ca3924ea6980f4857643d845
Instruction Fuzzy Hash: 02F06D35601214FBDF256FA1BC09FDA7F69EB0E750F0141A0BD01B6144DB7589809AA4

Uniqueness

Uniqueness Score: -1.00%

Function 03127CB7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,?,031286D6,00000000), ref: 03127CD3
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 03127CE1
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 03127CF2

Strings

RtlSetLastWin32Error, xrefs: 03127CE7
ntdll.dll, xrefs: 03127CCE
RtlNtStatusToDosError, xrefs: 03127CDB

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: 6fb34c185eb3dddd77a6bf0861ab9467baf6a927ca624d06b15e653f3051ab15
Instruction ID: 80dd97fe1918fe87beb9ebb4193cb3243a3995d968319e423d23b6ce2578fb50
Opcode Fuzzy Hash: 6fb34c185eb3dddd77a6bf0861ab9467baf6a927ca624d06b15e653f3051ab15
Instruction Fuzzy Hash: 72F03A782087059BDB04AF66BD09A3A7FA8AF9DA423059428E80AE3285EB3094518730

Uniqueness

Uniqueness Score: -1.00%

Function 031257FB Relevance: 9.1, APIs: 6, Instructions: 75networksynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03123125: lstrcatA.KERNEL32(00000000,76A5FAD0,?,00000000,?,031235C4,00000000,00000000,?,03124E98,?,?,?,?,?,00000000), ref: 03123151

Part of subcall function 0313026F: WaitForSingleObject.KERNEL32(?,000000FF,03125824,76A5FAD0,?,?,00000000,03124EA0,?,?,?,?,?,00000000,76A5FAD0), ref: 03130273

getaddrinfo.WS2_32(76A5FAD0,00000000,03124EA0,00000000), ref: 03125848
socket.WS2_32(00000002,00000001,00000000), ref: 0312585F
htons.WS2_32(00000000), ref: 03125885
freeaddrinfo.WS2_32(00000000), ref: 03125895
connect.WS2_32(?,?,00000010), ref: 031258A1
ReleaseMutex.KERNEL32(?), ref: 031258CB

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID:
API String ID: 2516106447-0
Opcode ID: 6c8b5712892ed8c4f5a61cab3aa3f7c8b53df72ca41848ce184ecbf079188119
Instruction ID: 59270c956b9761332a5fec36b2144c8e6f377ce794d41139ba13f7482e8794a4
Opcode Fuzzy Hash: 6c8b5712892ed8c4f5a61cab3aa3f7c8b53df72ca41848ce184ecbf079188119
Instruction Fuzzy Hash: 70217F75900208ABDF14EF62D884BDABBB9FF4C320F148066ED15EF194DB719954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0312CBA8 Relevance: 9.1, APIs: 6, Instructions: 73filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0312CBDC
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0312CBF2
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0312CC0D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 0312CC25
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0312CC48

Part of subcall function 0312CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0312CC73
Part of subcall function 0312CC54: LocalAlloc.KERNEL32(00000040,?,?,0312CBC6,?,00000000,?,00000000,?), ref: 0312CC81
Part of subcall function 0312CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0312CC97
Part of subcall function 0312CC54: LocalFree.KERNEL32(?,?,0312CBC6,?,00000000,?,00000000,?), ref: 0312CCA5

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
String ID:
API String ID: 4225742195-0
Opcode ID: 9f47f8e6155636b434e1437be8579983cb15593a3a36e9bc93b7bb2f9e850ab8
Instruction ID: 864a6a39f76909af0d5aeeab9a6b7004b57f153d16623c8b579631360686e28f
Opcode Fuzzy Hash: 9f47f8e6155636b434e1437be8579983cb15593a3a36e9bc93b7bb2f9e850ab8
Instruction Fuzzy Hash: 0911A571600124ABDB29EB6AEC44EAEFFBCEF4DB50B044154FA05E6144DB309961CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312562F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 03125666

Part of subcall function 031233BF: lstrlenA.KERNEL32(?,76A5FAD0,?,03125A4F,.bss,00000000), ref: 031233C8
Part of subcall function 031233BF: lstrlenA.KERNEL32(?,?,03125A4F,.bss,00000000), ref: 031233D5
Part of subcall function 031233BF: lstrcpyA.KERNEL32(00000000,?,?,03125A4F,.bss,00000000), ref: 031233E8

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 031256B6
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 03125726

Strings

warzone160, xrefs: 03125688
`, xrefs: 03125650

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$warzone160
API String ID: 3973575906-811885577
Opcode ID: 13dfbb712e3c96ee44b04dc04cde944f7e724f6df3cd0ac5cc9c2d99e1b0b977
Instruction ID: 84f6ce39c6c04fa32f5f5f963c7c5dcbac1ccb8e28737854f8e0ebf80161fff7
Opcode Fuzzy Hash: 13dfbb712e3c96ee44b04dc04cde944f7e724f6df3cd0ac5cc9c2d99e1b0b977
Instruction Fuzzy Hash: 69518279900228ABCF15EBA1DC84CEEBF39EF4D250F440569E465AB190EB745A64CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03122CEC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0312F80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0312F825
Part of subcall function 0312F80E: CoInitialize.OLE32(00000000), ref: 0312F82C
Part of subcall function 0312F80E: CoCreateInstance.OLE32(03134490,00000000,00000017,03136E60,?,?,?,?,?,?,?,?,?,03122D0C), ref: 0312F84A

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 03122D1B

Part of subcall function 03131E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,031334BF), ref: 03131E4E
Part of subcall function 03131E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,031334BF), ref: 03131E61
Part of subcall function 03131E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,031334BF), ref: 03131E72
Part of subcall function 03131E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,031334BF), ref: 03131E7F

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 0312FA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 0312FA30

Part of subcall function 0312FC7E: GetComputerNameW.KERNEL32(03122D7F,00000010), ref: 0312FCA1

Part of subcall function 0312FC58: GetCurrentProcess.KERNEL32(?,?,03122D84,?,03134648,?,?,00000000,?,?,?), ref: 0312FC5C

Part of subcall function 0312FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,76A5FAD0,00000000,76A5FAD0,00000000,?,?,?,?,031335AB,?), ref: 0312FC0E
Part of subcall function 0312FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,031335AB,?), ref: 0312FC15
Part of subcall function 0312FBFC: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,031335AB,?), ref: 0312FC33
Part of subcall function 0312FBFC: CloseHandle.KERNEL32(00000000), ref: 0312FC48

Part of subcall function 0312FA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0312FA5A
Part of subcall function 0312FA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0312FA6A

Part of subcall function 0312FCB8: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0312FCFC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 03122DDF
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 03122DF1
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 03122DFF

Part of subcall function 0312990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 03129916
Part of subcall function 0312990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 0312992D
Part of subcall function 0312990A: EnterCriticalSection.KERNEL32(0326DB10,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 03129939
Part of subcall function 0312990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 03129949
Part of subcall function 0312990A: LeaveCriticalSection.KERNEL32(0326DB10,?,00000000), ref: 0312999C

Strings

\Microsoft Vision\, xrefs: 03122DE5

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CreateInitializeProcess$CloseCurrentHandleModuleNameOpenTokenlstrlen$AddressChangeComputerDeleteDirectoryEnterFindFolderGlobalInformationInstanceLeaveLibraryLoadMemoryNotificationPathProcReadSecuritySizeStatuslstrcatlstrcpy
String ID: \Microsoft Vision\
API String ID: 3007156990-1618823865
Opcode ID: 67197a7578c9c00c189133a1ac57e89925b5e0cd1ecf0900e5967f8b75b483a6
Instruction ID: 8f79f87eebb715d98c640d0cc6e83d441a06ef5d6d8dd86f3f44955e28240715
Opcode Fuzzy Hash: 67197a7578c9c00c189133a1ac57e89925b5e0cd1ecf0900e5967f8b75b483a6
Instruction Fuzzy Hash: 1F316DB9A003287BCB05FBA5DC49DEEBB7DAF4D301F000468B515BA180DF745A658BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0079AAB0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

cached_handle == new_handle, xrefs: 0079AB79
cached_handle == INVALID_HANDLE_VALUE, xrefs: 0079AB27
d:\a01\_work\10\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp, xrefs: 0079AB38, 0079AB8A
%ls, xrefs: 0079AB2C, 0079AB7E

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID: %ls$cached_handle == INVALID_HANDLE_VALUE$cached_handle == new_handle$d:\a01\_work\10\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp
API String ID: 0-3937391268
Opcode ID: 3da333ae07f550c317039b71e18e48df98e408c4c992252f461e4ff0526f8d3e
Instruction ID: 6849edfe431b2e5735d729baa36f903803630bf5562d65c1fe2ba09e217174d5
Opcode Fuzzy Hash: 3da333ae07f550c317039b71e18e48df98e408c4c992252f461e4ff0526f8d3e
Instruction Fuzzy Hash: C521C1B0D1121CFBCF10DBA4EC4AB9D77B5FB00315F104654E525A72C0E6B8AA84CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 03130B2A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

Part of subcall function 03130969: lstrcmpA.KERNEL32(?,03131BD0,?,open,03131BD0), ref: 031309A2

MessageBoxA.USER32(00000000,Bla2,Bla2,00000000), ref: 03130B70

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03130BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,76A5FAD0,00000000), ref: 03130C14

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 03130BAE
Bla2, xrefs: 03130B67, 03130B6D, 03130B6E
Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 03130B7E
VirtualQuery, xrefs: 03130B37

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
API String ID: 1196126833-2308542105
Opcode ID: 6f824c9b8e3a4d39635ca2a7e0244c3f47a0adc97ac9d8b4792f1a11f03f32c2
Instruction ID: 98ecdddf6d52a5abc6f7a88826f9bf5c27e1d6d54da63ebc38afd08622ed480c
Opcode Fuzzy Hash: 6f824c9b8e3a4d39635ca2a7e0244c3f47a0adc97ac9d8b4792f1a11f03f32c2
Instruction Fuzzy Hash: 6D114C79A00218BFDF09FBA0DD91CEFFBBD9E4E614B10006AA407B6180DB305F14C665

Uniqueness

Uniqueness Score: -1.00%

Function 03131936 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03121085: GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
Part of subcall function 03121085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000), ref: 03131974
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000,00000000), ref: 03131988
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000,00000000), ref: 03131996
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,03131AB4,?,?,?,031257B9,?,00000000,00000000), ref: 031319A4

Strings

\System32\cmd.exe, xrefs: 0313199E

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2244922440-2003734499
Opcode ID: 1c98e2ad568f4c4bf2fdcd66971465f2fca94f8bc8f3b4d3f1ae339ae4ead903
Instruction ID: 3f532b89db0db470a4d37aefd94b5298a322381a9e7b0c434b1118879e27a1d0
Opcode Fuzzy Hash: 1c98e2ad568f4c4bf2fdcd66971465f2fca94f8bc8f3b4d3f1ae339ae4ead903
Instruction Fuzzy Hash: 9A01F7717407557BF221A6769D46FAB3B9CDB8EB51F000024F705FA1C0CEE5A84487A8

Uniqueness

Uniqueness Score: -1.00%

Function 0312CE83 Relevance: 8.8, APIs: 7, Instructions: 35COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,0312CAF5), ref: 0312CE9A
LocalFree.KERNEL32(?,00000000,00000000,0312CAF5), ref: 0312CEA5
LocalFree.KERNEL32(?,00000000,00000000,0312CAF5), ref: 0312CEB0
LocalFree.KERNEL32(?,00000000,00000000,0312CAF5), ref: 0312CEBB
LocalFree.KERNEL32(?,00000000,00000000,0312CAF5), ref: 0312CEC6
LocalFree.KERNEL32(?,00000000,00000000,0312CAF5), ref: 0312CED1
LocalFree.KERNEL32(00000000,00000000,00000000,0312CAF5), ref: 0312CED4

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 0d44fecff9865b80902884061c8f89dfc88aca45b02cf1992f47818dd0318c44
Instruction ID: 52a48c91c27560901a8814ec53d64fe0d305474d83d9bc72f3ad5d7839c03c23
Opcode Fuzzy Hash: 0d44fecff9865b80902884061c8f89dfc88aca45b02cf1992f47818dd0318c44
Instruction Fuzzy Hash: E1F09C31010B249BD736AB2ADC0476BFEE5BF84305F090839D681519708775A4A5DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03129D9A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 03129DB5
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,031397B0,?), ref: 03129DDC
PathRemoveFileSpecA.SHLWAPI(031397B0), ref: 03129DE7

Strings

Executable, xrefs: 03129DD4
software\Aerofox\FoxmailPreview, xrefs: 03129DAB

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: e549565e36eed9dba9ec5d3f65806682971fe80db688e3e8691f511f5e431d95
Instruction ID: a173b4a789c043007cba4512cf31b2f7c59eec92b262cbd48a4a87dffa1ab018
Opcode Fuzzy Hash: e549565e36eed9dba9ec5d3f65806682971fe80db688e3e8691f511f5e431d95
Instruction Fuzzy Hash: D0F0A074344208BFEB10DA96DD8AFDE7FBCDB4EB44F100058F901F2085E7B0A591A920

Uniqueness

Uniqueness Score: -1.00%

Function 0312EF4F Relevance: 7.7, APIs: 5, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: b6670322ca6e97862022e325154d59b2be6fbd434e20924bd612b0bb67a478bc
Instruction ID: 3adfdd7c52857e618f3d4bb0573c8b4ccb64d1269249290d2f060cfdae57d8fb
Opcode Fuzzy Hash: b6670322ca6e97862022e325154d59b2be6fbd434e20924bd612b0bb67a478bc
Instruction Fuzzy Hash: 0D61F471904228AFEB14DFA4D845BEEBBB9FF0C300F058059E504AF281D7B5A956CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0076CC00 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,?), ref: 0076CC88

Strings

lpa != 0, xrefs: 0076CC0A
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlconv.h, xrefs: 0076CC1B, 0076CC47, 0076CCAC
lpw != 0, xrefs: 0076CC36
%ls, xrefs: 0076CC0F, 0076CC3B, 0076CCA0

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlconv.h$lpa != 0$lpw != 0
API String ID: 626452242-475274735
Opcode ID: 78cd0b96152b06a4578801977d1e063acfa4f65e63b104ead1776e4f2b54ef3c
Instruction ID: f7f7981bf3f453423a1d3d6b0f7986eae9e642464c729e503e7076945242fa80
Opcode Fuzzy Hash: 78cd0b96152b06a4578801977d1e063acfa4f65e63b104ead1776e4f2b54ef3c
Instruction Fuzzy Hash: DF11D631A80318FBDF109E10DC4BF763354E764B11F608514FE1DA92C0D5FC99908AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0312EE9A Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0312EEB4
gethostbyname.WS2_32(?), ref: 0312EEBD
htons.WS2_32(?), ref: 0312EEE1
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 0312EF12
connect.WS2_32(00000000,?,00000010), ref: 0312EF2B

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: 58b07b5e51aba8f7b9d6d10cdad9faa6e87925efe6d3f0009d82e0e7a04b85f8
Instruction ID: 3deb7a96e9ba921b3035cf0153a0135ef29b39f6f24275dd8b8797fb5dbd3744
Opcode Fuzzy Hash: 58b07b5e51aba8f7b9d6d10cdad9faa6e87925efe6d3f0009d82e0e7a04b85f8
Instruction Fuzzy Hash: 0411B6B29002687BD714A7A5AC49FBB7BACEF0D720F044466F955DB181DBB0998487B0

Uniqueness

Uniqueness Score: -1.00%

Function 0312990A Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 03129916
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 0312992D
EnterCriticalSection.KERNEL32(0326DB10,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 03129939
GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,03122E0D,?,00000001,?,?), ref: 03129949
LeaveCriticalSection.KERNEL32(0326DB10,?,00000000), ref: 0312999C

Part of subcall function 03121F4B: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 03121F60

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID:
API String ID: 2964645253-0
Opcode ID: 20de63ed5ce07746c99f85128dbb556d980a2ae2f928855c9e7d2bf3a488f550
Instruction ID: d457d9615c7070a961c7e13bbbc7387c65944ab21af605c296a0d56e48c44416
Opcode Fuzzy Hash: 20de63ed5ce07746c99f85128dbb556d980a2ae2f928855c9e7d2bf3a488f550
Instruction Fuzzy Hash: 6001B175A00218ABDB14FF67A84CB9F3F68EF4D320F008019F61597249DBB594E9CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03130C79 Relevance: 7.5, APIs: 5, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03130C97
Process32FirstW.KERNEL32(00000000,0000022C), ref: 03130CAC
Process32NextW.KERNEL32(00000000,0000022C), ref: 03130CC4
CloseHandle.KERNEL32(00000000,?,00000000), ref: 03130CCF
CloseHandle.KERNEL32(00000000,?,00000000), ref: 03130CE0

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 6b5566ff477ff18eda5bea38b82c7dd2fd999c75fa4440f0fecf991bf6566cef
Instruction ID: 3497bce479b91277fc933d2f57ccdb34b456fe151152f1398e6f12b68169b05e
Opcode Fuzzy Hash: 6b5566ff477ff18eda5bea38b82c7dd2fd999c75fa4440f0fecf991bf6566cef
Instruction Fuzzy Hash: 0701A931601214BBD724ABB6FC4CB7E7BFCEB4D765F104095E516E3180DB7498858B60

Uniqueness

Uniqueness Score: -1.00%

Function 0312B627 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,0312ABDF), ref: 0312B638
FreeLibrary.KERNEL32(?,?,?,00000000,0312ABDF), ref: 0312B648
FreeLibrary.KERNEL32(?,?,?,00000000,0312ABDF), ref: 0312B656
FreeLibrary.KERNEL32(?,?,?,00000000,0312ABDF), ref: 0312B664
FreeLibrary.KERNEL32(?,?,?,00000000,0312ABDF), ref: 0312B672

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b37a716af23c42c1a5ce295a77b71e5857765146e50241dc256724059a8b5a84
Instruction ID: ef018f0fe73d06be88b2d9ccf566ba8c769e1b98de8184a90c96601b3fcc0e4a
Opcode Fuzzy Hash: b37a716af23c42c1a5ce295a77b71e5857765146e50241dc256724059a8b5a84
Instruction Fuzzy Hash: F6F09271B00B16BED7495F768C84B86FE6AFF49260F01422B952C42221CB716464DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0312B9A9 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000001,?,00000000,0312B132), ref: 0312B9BA
FreeLibrary.KERNEL32(?,?,00000000,0312B132), ref: 0312B9CA
FreeLibrary.KERNEL32(?,?,00000000,0312B132), ref: 0312B9D8
FreeLibrary.KERNEL32(?,?,00000000,0312B132), ref: 0312B9E6
FreeLibrary.KERNEL32(?,?,00000000,0312B132), ref: 0312B9F4

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b37a716af23c42c1a5ce295a77b71e5857765146e50241dc256724059a8b5a84
Instruction ID: ef018f0fe73d06be88b2d9ccf566ba8c769e1b98de8184a90c96601b3fcc0e4a
Opcode Fuzzy Hash: b37a716af23c42c1a5ce295a77b71e5857765146e50241dc256724059a8b5a84
Instruction Fuzzy Hash: F6F09271B00B16BED7495F768C84B86FE6AFF49260F01422B952C42221CB716464DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00771B50 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

Strings

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbcli.h, xrefs: 00771BAE
__atl_condVal, xrefs: 00771B9D
%ls, xrefs: 00771BA2

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID:
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atldbcli.h$__atl_condVal
API String ID: 0-3505639908
Opcode ID: 3c4128a8d02398b1c9320ce0fb6f1a2f6623ee7a97387885d5c78f1c234cb257
Instruction ID: 184e69691156d7daba8b220035cbbcca91e2e5017d16c31d222e8af76a91a754
Opcode Fuzzy Hash: 3c4128a8d02398b1c9320ce0fb6f1a2f6623ee7a97387885d5c78f1c234cb257
Instruction Fuzzy Hash: EEF12D70D01209DFCF08DF98C995EEDB7B5BF48301F608559E8166B292DB78AA49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0312B203 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 0312B559: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0312B229), ref: 0312B561

FreeLibrary.KERNEL32(?), ref: 0312B506

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03123248: lstrcmpW.KERNEL32(?,?), ref: 03123252

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Strings

8, xrefs: 0312B4C9
Internet Explorer, xrefs: 0312B2B4, 0312B3CF
4, xrefs: 0312B4CE

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
String ID: 4$8$Internet Explorer
API String ID: 708496175-747916358
Opcode ID: ac316acec8b476e13f107b99edd0d846511d3d12abadb36a0e48f92b341632cb
Instruction ID: e2a41d9a16e0d212fba8909fe586a223b4042e59acdd8fd155900112b74e40c1
Opcode Fuzzy Hash: ac316acec8b476e13f107b99edd0d846511d3d12abadb36a0e48f92b341632cb
Instruction Fuzzy Hash: BDA11875D00229ABCF15EFA5C884DEEFF79FF48600F144469E415BB250EB34AA65CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312FA42 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0312FA5A
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0312FA6A

Strings

ntdll.dll, xrefs: 0312FA4B
RtlGetVersion, xrefs: 0312FA64

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: be9c9f2ae73a93db9048adec3ec6412db070c9494a92c1d789aabf680f24aa33
Instruction ID: 667c62b7d9e37482af0be6abd4f763b85940fe498191a9b79dd20c93e2d16e92
Opcode Fuzzy Hash: be9c9f2ae73a93db9048adec3ec6412db070c9494a92c1d789aabf680f24aa33
Instruction Fuzzy Hash: F1414C30A0013C9BDF24CB55D8663FCBAB8AB09B4EF2845E5F545F4181E778CAE6CA54

Uniqueness

Uniqueness Score: -1.00%

Function 03133273 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 0313329F
lstrcatW.KERNEL32(?,send.db), ref: 031332B1

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03123437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0312345C

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

send.db, xrefs: 031332A5
5, xrefs: 031332E6

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
String ID: 5$send.db
API String ID: 891666058-2022884741
Opcode ID: 09a6eafe713689c1794ba0cbc9c38b106536d0836b939ceeb1d91c408a5bb876
Instruction ID: b2fc36b4f632cda82c648d0aad38dd1eea7eadd3597e97f583dac3d712f33dee
Opcode Fuzzy Hash: 09a6eafe713689c1794ba0cbc9c38b106536d0836b939ceeb1d91c408a5bb876
Instruction Fuzzy Hash: 2B01C475D0022CABCB10EB64DC44FEEBBBCAF58300F008075A515A6180EF789B56CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03133702 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 03133732
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 03133744

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Strings

;, xrefs: 0313375F
\Microsoft Vision\, xrefs: 03133738

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: ebcef2314c11519a21ccab54eb4e5c385a20f0d1578a911782da05dc32a7096a
Instruction ID: f6a9a175c0618db14e19f9be23f8b9d467a22e9a52f5dde80c529aa8a8435d7c
Opcode Fuzzy Hash: ebcef2314c11519a21ccab54eb4e5c385a20f0d1578a911782da05dc32a7096a
Instruction Fuzzy Hash: EB0109B5C40229ABCB10EBA1E949DDEBBB8AF1D204F104156A515A6140EB78AB95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00769B70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNEL32(?), ref: 00769B9D

Strings

bSuccess, xrefs: 00769BAC
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlmem.h, xrefs: 00769BBA
%ls, xrefs: 00769BB1

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: DestroyHeap
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlmem.h$bSuccess
API String ID: 2435110975-1513969513
Opcode ID: f6aad1c7aea6eb672439435acc6bb8a0adb2c220168860feff73bf267ca08bc0
Instruction ID: 50d92e3f300cbba0e7029e4b7006387e827b6b9317d6b436b6f2c87d4546e562
Opcode Fuzzy Hash: f6aad1c7aea6eb672439435acc6bb8a0adb2c220168860feff73bf267ca08bc0
Instruction Fuzzy Hash: 06F09674E44218FBDB10DB54E946B5CB7B6EB40701F2481C8EA0967381C7B9AE80EB44

Uniqueness

Uniqueness Score: -1.00%

Function 0079AC30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(0079AAF7,00000000,00000800,?,?,0079AAF7,00000000), ref: 0079AC3F
GetLastError.KERNEL32(?,?,0079AAF7), ref: 0079AC53
LoadLibraryExW.KERNEL32(0079AAF7,00000000,00000000,?,0079AAF7), ref: 0079AC7D

Strings

api-ms-, xrefs: 0079AC60

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c2fbce327e6872d7e1a192dbc7ad5adddde92fa5c0e3014799c04e8313e71d56
Instruction ID: 51352f76ab73451e50787ba56cebde1ccc7fcdf36b1aa39b692356dcd1d9396b
Opcode Fuzzy Hash: c2fbce327e6872d7e1a192dbc7ad5adddde92fa5c0e3014799c04e8313e71d56
Instruction Fuzzy Hash: 52F05470A49208FBDB10DBA8ED5ABA93774BB01700F108514F9069E1C0E7F9ED40D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0312F4CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0312F4E6
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0312F4F6

Strings

ntdll.dll, xrefs: 0312F4D7
RtlGetVersion, xrefs: 0312F4F0

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 82c979d276deda59b5ed75e8c458c172304dada6946e67040cc29a2687a37bfe
Instruction ID: 439e6ddd5a6c50777f0d4818048497ecfdc4610e2639b99362e275c3bb2f55f9
Opcode Fuzzy Hash: 82c979d276deda59b5ed75e8c458c172304dada6946e67040cc29a2687a37bfe
Instruction Fuzzy Hash: 25E092346802682FCB28FE766C0BAEBBEB81F1E605F4801549192E1045DB64D5438AE0

Uniqueness

Uniqueness Score: -1.00%

Function 03130C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0312FC6D,?,?,03122D84,?,03134648,?,?,00000000,?), ref: 03130C4B
GetProcAddress.KERNEL32(00000000), ref: 03130C52

Strings

IsWow64Process, xrefs: 03130C3F
kernel32, xrefs: 03130C44

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 4e3e825a5f1b72e7de1ac684755e8828504ccda5ba3b4ccdd8b48b6d903a2e94
Instruction ID: 7066094a2741c732d689485d12de37e44c1be348c118698af230d080c3ce6683
Opcode Fuzzy Hash: 4e3e825a5f1b72e7de1ac684755e8828504ccda5ba3b4ccdd8b48b6d903a2e94
Instruction Fuzzy Hash: 32E08C3A541204FFDB24EBA2DC4AA8EB6ACEB0E252B100058B001A3200DBB4AA048760

Uniqueness

Uniqueness Score: -1.00%

Function 0312D17D Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0312D18E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0312D1DD

Part of subcall function 031233F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,03122A97,?,?,00000000,exit,00000000,start), ref: 0312341A

Part of subcall function 031257FB: getaddrinfo.WS2_32(76A5FAD0,00000000,03124EA0,00000000), ref: 03125848
Part of subcall function 031257FB: socket.WS2_32(00000002,00000001,00000000), ref: 0312585F
Part of subcall function 031257FB: htons.WS2_32(00000000), ref: 03125885
Part of subcall function 031257FB: freeaddrinfo.WS2_32(00000000), ref: 03125895
Part of subcall function 031257FB: connect.WS2_32(?,?,00000010), ref: 031258A1

LeaveCriticalSection.KERNEL32(?), ref: 0312D261
EnterCriticalSection.KERNEL32(?), ref: 0312D27E
LeaveCriticalSection.KERNEL32(?), ref: 0312D288

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: a10b6c1751943630909e5c1f2561ad24e8817f1cac485ec80635f8787d205750
Instruction ID: aa81d018a14fcd86ef27831852dcbd22e1f3901cc2ebfac24fc82c68888b717c
Opcode Fuzzy Hash: a10b6c1751943630909e5c1f2561ad24e8817f1cac485ec80635f8787d205750
Instruction Fuzzy Hash: BC314175600726BBD709EBA1DC50EAEFFACAF0D350F504525E52996180EB70BA258BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00774CA0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(00000000), ref: 00774CD0
CoTaskMemFree.OLE32(?), ref: 00774DCF

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: a34f30270bc8f7843963e14832197c25e1a35fed5e3e264155b816bdf39decf5
Instruction ID: b77d9cff3a92e82daf8fa4c9fdf779f1c8cc8edb58b64c95ff33c4fcff92fc51
Opcode Fuzzy Hash: a34f30270bc8f7843963e14832197c25e1a35fed5e3e264155b816bdf39decf5
Instruction Fuzzy Hash: B2411874610108EFCB19DF54C894BADB7B1FF88351F10C19AE9698B394CB789E41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0312F69F Relevance: 6.1, APIs: 4, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0312DCAA), ref: 0312F6AA
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0312DCAA), ref: 0312F6BE
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0312DCAA), ref: 0312F6CA
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0312DCAA), ref: 0312F70F

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: cf4b799f812fc095c0ead477e00674e5a0bd85e9f961260ea5e7aa43121ed594
Instruction ID: ef96d1652db05c408f35dd8e2ab659c4a2f5236bb210e29311c2ecef1eff4d46
Opcode Fuzzy Hash: cf4b799f812fc095c0ead477e00674e5a0bd85e9f961260ea5e7aa43121ed594
Instruction Fuzzy Hash: 7A0184B5300E119FD3089F6AEC85A66BBB5FF4C314B058239E425C3390D774D856C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0312C9F2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 0312CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0312CC73
Part of subcall function 0312CC54: LocalAlloc.KERNEL32(00000040,?,?,0312CBC6,?,00000000,?,00000000,?), ref: 0312CC81
Part of subcall function 0312CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0312CC97
Part of subcall function 0312CC54: LocalFree.KERNEL32(?,?,0312CBC6,?,00000000,?,00000000,?), ref: 0312CCA5

LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0312CA6C

Part of subcall function 0312CA78: GetLastError.KERNEL32 ref: 0312CADE

LocalFree.KERNEL32(?), ref: 0312CA65

Part of subcall function 0312CCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0312CA5F,?), ref: 0312CCD1
Part of subcall function 0312CCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0312CA5F,?), ref: 0312CCEA
Part of subcall function 0312CCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,0312CA5F,00000000,00000000,?,00000020,00000000,?,0312CA5F,?), ref: 0312CCFF

Strings

DPAPI, xrefs: 0312CA18
, xrefs: 0312CA4B

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: 7d834654200bf766e66600e61d19faa14011f2609ee77d21da66f50af6a0ddb1
Instruction ID: cc331d54f9c51454b8f9377970c59323616ce47788f23a56bbaeb10f3ffac1d8
Opcode Fuzzy Hash: 7d834654200bf766e66600e61d19faa14011f2609ee77d21da66f50af6a0ddb1
Instruction Fuzzy Hash: BA0100B6900219BBCF10EBA1D944DDEBB78EF88700F158261E900E6004FB30AB65DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 031247EA Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(?), ref: 031247FF
GetTickCount.KERNEL32 ref: 03124805
GetForegroundWindow.USER32 ref: 03124819
GetWindowTextW.USER32(00000000,?,00000100), ref: 0312482C

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
String ID:
API String ID: 2567647128-0
Opcode ID: 87d7d9886e9824eb228f9bd83cf622dfd424ec6cf90a75b110ec98f2c37d3ef0
Instruction ID: b65b27ff5d60fe2a34c4c88d10f866628a0c4135c0e71651cd6a40c2ce93a5bc
Opcode Fuzzy Hash: 87d7d9886e9824eb228f9bd83cf622dfd424ec6cf90a75b110ec98f2c37d3ef0
Instruction Fuzzy Hash: 58115B79D00218ABCF04FFA5E948ADDBBB9EF5C304F004555A516B6184EF78AB94CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0312FBFC Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,76A5FAD0,00000000,76A5FAD0,00000000,?,?,?,?,031335AB,?), ref: 0312FC0E
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,031335AB,?), ref: 0312FC15
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,031335AB,?), ref: 0312FC33
CloseHandle.KERNEL32(00000000), ref: 0312FC48

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: d1b6f9781cad269de8d492d4cb579889e6163355172ec5b0c5dbd64b1d045438
Instruction ID: f1f1dd2f52262a38d594a6533263979b78a37da9d5e0ac5883978d060c579318
Opcode Fuzzy Hash: d1b6f9781cad269de8d492d4cb579889e6163355172ec5b0c5dbd64b1d045438
Instruction Fuzzy Hash: AEF04972A00218FBDB14ABA1DD09BDEBBB8EF08701F114065E901F6084DB309B94DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312EA89 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0312EA95
SetEvent.KERNEL32(00000000), ref: 0312EAA9
WaitForSingleObject.KERNEL32(0313956C,00001388), ref: 0312EAB6
TerminateThread.KERNEL32(0313956C,000000FE), ref: 0312EAC7

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: 1287f1ef086b7f49cddc712761a593d32335517a9f411498bba8c3f893635de7
Instruction ID: e91860449e04e1b25652666efa87c25c17f1d515c4d7e9e6ae8dbf27e0cd6b2c
Opcode Fuzzy Hash: 1287f1ef086b7f49cddc712761a593d32335517a9f411498bba8c3f893635de7
Instruction Fuzzy Hash: 2A0181351007209BD739FF51E448AD9BBB2BF18321F140A29D052428E0CFB068B8CB71

Uniqueness

Uniqueness Score: -1.00%

Function 007747A0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000), ref: 007747BC

Strings

bSuccess, xrefs: 007747CB
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlmem.h, xrefs: 007747DC
%ls, xrefs: 007747D0

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: FreeHeap
String ID: %ls$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\atlmfc\include\atlmem.h$bSuccess
API String ID: 3298025750-1513969513
Opcode ID: 3624baa1237f800ae25a01ced4ffbb89cdf7e96112d98dcf17412bab8beafb88
Instruction ID: 1b0f12fc31274984bbbddd77fe73292a9af6c950cf861f36648a17ad5b3a0745
Opcode Fuzzy Hash: 3624baa1237f800ae25a01ced4ffbb89cdf7e96112d98dcf17412bab8beafb88
Instruction Fuzzy Hash: 06F02734A40308FBDF10DA60CC4AF697774EB11701F208048FA086A6C0C7B89DC0C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 0312FCB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0312FCFC

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03130FC3: RegQueryValueExW.ADVAPI32(?,76A5FAD0,00000000,76A5FAD0,00000000,00000000,?,00000000,031335AB,?,?,?,031315B2,?,?,80000001), ref: 03130FE6
Part of subcall function 03130FC3: RegQueryValueExW.ADVAPI32(?,76A5FAD0,00000000,76A5FAD0,00000000,00000000,?,031315B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0313100A

Part of subcall function 03130FAE: RegCloseKey.ADVAPI32(?,?,0313112D,?,?,031336DB), ref: 03130FB8

Strings

MachineGuid, xrefs: 0312FD17
SOFTWARE\Microsoft\Cryptography, xrefs: 0312FCDE

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1903904756-1211650757
Opcode ID: 6fa42835ae4b7dd16cb73b2e4b2db7a8107986ef0ce135d3a2d17a5f6b1a2664
Instruction ID: 76032b013c59dd2ba42999d6592691c8bce2f69cecc6447a0bc245dae81987b1
Opcode Fuzzy Hash: 6fa42835ae4b7dd16cb73b2e4b2db7a8107986ef0ce135d3a2d17a5f6b1a2664
Instruction Fuzzy Hash: 0B115478E00229ABCB15EFA4CD919EDBB79EF5D600F10056AA0067B190EB705F55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312DE1F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0326E020,?,?,0312E451,?,?), ref: 0312DE51

Part of subcall function 03130FC3: RegQueryValueExW.ADVAPI32(?,76A5FAD0,00000000,76A5FAD0,00000000,00000000,?,00000000,031335AB,?,?,?,031315B2,?,?,80000001), ref: 03130FE6
Part of subcall function 03130FC3: RegQueryValueExW.ADVAPI32(?,76A5FAD0,00000000,76A5FAD0,00000000,00000000,?,031315B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0313100A

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03130FAE: RegCloseKey.ADVAPI32(?,?,0313112D,?,?,031336DB), ref: 03130FB8

Strings

ServiceDll, xrefs: 0312DE5F
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0312DE2C

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1903904756-387424650
Opcode ID: 9ce64d12762f0687453d6dcd6a6d8d8fbbaa320fcbe62a7d15354b7ea0bd1930
Instruction ID: ee257877df7d8bea35beeaeb2dcf8fa3ebca8c9b296bb7f872d65de7a6742c7b
Opcode Fuzzy Hash: 9ce64d12762f0687453d6dcd6a6d8d8fbbaa320fcbe62a7d15354b7ea0bd1930
Instruction Fuzzy Hash: 87113079D00228BBCB14EBA5D995CEEBB79AF9D600B5005999812BB140EB305F64CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0312D9B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,00000000,?,03131E02,00000000,00000000,.bss,00000000), ref: 031235EE
Part of subcall function 031235E5: lstrlenW.KERNEL32(03131E02,?,03131E02,00000000,00000000,.bss,00000000), ref: 03123605
Part of subcall function 031235E5: lstrcpyW.KERNEL32(?,03131E02), ref: 03123620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0312D9EA

Part of subcall function 03131039: RegSetValueExW.ADVAPI32(?,76A5FAD0,00000000,?,?,?,?,?,03131432,00000000,00000000,?,00000001,?,?,?), ref: 03131058

Part of subcall function 03125EA5: VirtualFree.KERNELBASE(?,00000000,00008000,03125C2A,00000000,?,031310EE,?,?,031336DB), ref: 03125EAD

Part of subcall function 03130FAE: RegCloseKey.ADVAPI32(?,?,0313112D,?,?,031336DB), ref: 03130FB8

Strings

ServiceDll, xrefs: 0312DA03
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0312D9C2

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 2854241163-387424650
Opcode ID: be57f31ce2ab35069fee193ac85978657915910900085fbb323caf75a015b764
Instruction ID: 1811b0db6cfb020abebbe68a20ecdd73a26a04763f0b760d1c2a08484b011031
Opcode Fuzzy Hash: be57f31ce2ab35069fee193ac85978657915910900085fbb323caf75a015b764
Instruction Fuzzy Hash: 29115E79D00328ABDB14EBA1CC95DEFBF79EF9D700F40446AD81276180EF345A55CA60

Uniqueness

Uniqueness Score: -1.00%

Function 03132FD7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53processCOMMON

Download Yara Rule

APIs

Part of subcall function 03121085: GetProcessHeap.KERNEL32(00000000,?,03131E36,00400000,?,?,00000000,?,?,031334BF), ref: 0312108B
Part of subcall function 03121085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,031334BF), ref: 03121092

GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,76A5FAD0,00000000,0313364A), ref: 03133008
WinExec.KERNEL32(00000000,00000000), ref: 0313304E

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 0313300E, 03133013, 0313301A

Memory Dump Source

Source File: 00000002.00000002.160900811595.0000000003121000.00000020.00001000.00020000.00000000.sdmp, Offset: 03120000, based on PE: true

Associated: 00000002.00000002.160900790652.0000000003120000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160900942406.0000000003139000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901015874.000000000326D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_SHIPMENTDOCUMENTSPDF.jbxd

Yara matches

Similarity

API ID: Heap$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1183730998-2194938034
Opcode ID: c9c618ebd331fad16370a7467b95cd1cffebfd8887a0dff77ff0fdfdde53e770
Instruction ID: b6fa9254a08281ca8335cc053cf851405777d8ef06ed26a3350179f69f35d09b
Opcode Fuzzy Hash: c9c618ebd331fad16370a7467b95cd1cffebfd8887a0dff77ff0fdfdde53e770
Instruction Fuzzy Hash: 8AF06DBAA4036477E120F272ACC9FBF5E9CDF9DB51F040035F604AA181EB689D2041B9

Uniqueness

Uniqueness Score: -1.00%

Function 007DA2F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,00000000,007DA110,?,007DA110,?), ref: 007DA320

Strings

mscoree.dll, xrefs: 007DA319
CorExitProcess, xrefs: 007DA334

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: HandleModule
String ID: CorExitProcess$mscoree.dll
API String ID: 4139908857-1276376045
Opcode ID: b9c5d492fffbab856a5117175f6851b9207f566d0d0fe27c003afad85b52047c
Instruction ID: 67ca2516e74e106b6bd27e98356106a83d48332bfdf0091e41e5ef74b4e2b242
Opcode Fuzzy Hash: b9c5d492fffbab856a5117175f6851b9207f566d0d0fe27c003afad85b52047c
Instruction Fuzzy Hash: 1F11C030D04108FBCB04EFA4DD5AAEDB774FF55301F404459A816A7292DFB85A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007835E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 00783654

Strings

d:\a01\_work\10\s\src\vctools\crt\vcstartup\src\misc\thread_safe_statics.cpp, xrefs: 0078362D
%ls, xrefs: 00783621

Memory Dump Source

Source File: 00000002.00000002.160897311283.000000000075D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000002.00000002.160897232524.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897249927.0000000000751000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160897287911.0000000000759000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898309828.000000000081F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898341441.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160898579994.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899774387.00000000009B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899811000.00000000009BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.160899833795.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_750000_SHIPMENTDOCUMENTSPDF.jbxd

Similarity

API ID: ObjectSingleWait
String ID: %ls$d:\a01\_work\10\s\src\vctools\crt\vcstartup\src\misc\thread_safe_statics.cpp
API String ID: 24740636-69169249
Opcode ID: 1e609e04d2764f2a6d825c86a38840f781ffe22823742a2fc8dafaeb67de26e9
Instruction ID: 16b1bca3c8810373ba26290a28fcb313c2da22959863ade29f0f07edc0fdd98a
Opcode Fuzzy Hash: 1e609e04d2764f2a6d825c86a38840f781ffe22823742a2fc8dafaeb67de26e9
Instruction Fuzzy Hash: 3801F230BA4208FBCB14EB58EE9AF9D7774AB40B21F204214FA049A2D0D6B41A40DB81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SHIPMENTDOCUMENTSPDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
SHIPMENTDOCUMENTSPDF.exe

Function 0075DE20 Relevance: 84.3, APIs: 6, Strings: 42, Instructions: 295
windowmemorysleepCOMMON

Function 03133457 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Function 0075D6A0 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 66
COMMON

Function 0312E703 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 121
COMMON

Function 0313290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Function 031299A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Function 0272002D Relevance: 7.9, APIs: 5, Instructions: 392
memoryCOMMON

Function 03125CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Function 03131E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Function 03131D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Function 03130283 Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Function 03121085 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 031231D4 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 03123335 Relevance: 1.5, APIs: 1, Instructions: 25
stringCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre