Edit tour

Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Sample Name:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Analysis ID:	736949
MD5:	045f22ce9be3d33b07a00780ee66fcfd
SHA1:	91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256:	e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Executable has a suspicious name (potential lure to open the executable)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Sleep loop found (likely to delay execution)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe (PID: 4848 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 045F22CE9BE3D33B07A00780EE66FCFD)

dllhost.exe (PID: 2364 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

backgroundTaskHost.exe (PID: 4408 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)

dllhost.exe (PID: 4508 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

BackgroundTransferHost.exe (PID: 4480 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)

BackgroundTransferHost.exe (PID: 5560 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)

ieinstal.exe (PID: 5400 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 1820 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 6908 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 1396 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 4268 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 4772 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 7620 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 6588 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 3156 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 5924 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 3988 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ielowutil.exe (PID: 7732 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 4760 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7756 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 4612 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 3852 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 6596 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 6516 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7348 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7808 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7380 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ExtExport.exe (PID: 5404 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 7588 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 5708 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 8104 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 1160 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 6700 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 6248 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 5524 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 5904 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

backgroundTaskHost.exe (PID: 5840 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden

Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_0040676F FindFirstFileW,FindClose,	2_2_0040676F
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405B23
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00402902 FindFirstFileW,	2_2_00402902

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: imprbeacons.dat.~tmp.4.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400089837&TID=700129702&CID=12800000000040292
Source: e9594213-9e57-49dd-91fb-0ee2aae6c086.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta.7.dr, aa790838-db48-4eec-9b8a-be8242eb173a.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4XJ8e?ver=993fLast-Mo
Source: fce64348-a319-4f43-89cb-85a2ff3766b6.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta.7.dr, dd6a1354-220a-435c-9960-7f2e2f731c6f.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Y3Xg?ver=4bf1Content
Source: 8086b025-ce16-4435-9cc3-d2a0f33fe026.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta.7.dr, 585053d0-ba98-49e5-b1a4-c6f5d9974c26.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Ysjy?ver=4a06Content
Source: 4aa5b1fb-1301-4194-8203-1cbb67304ae7.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta.7.dr, b554ff5d-428f-46a5-8fa9-db35cc2cdf59.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4YzZS?ver=7b46Content
Source: 8d48d2a6-6a56-420d-bb18-5dfe26c1259c.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta.7.dr, f9e08879-735a-4e9f-beea-148234195053.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWEDKu?ver=7737Content-
Source: 3843bffb-4eef-4da1-af04-618c0facc656.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta.7.dr, 0f40a9a4-7ba9-4798-b98b-f18214009bbd.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWEyIE?ver=7beaLast-Mod
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004055B8

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Executable has a suspicious name (potential lure to open the executable)

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static file information: Suspicious name

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\BackgroundTransferHost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\BackgroundTransferHost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: edgegdi.dll

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_004034C5

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00407458	2_2_00407458
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00406C81	2_2_00406C81
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_73841B5F	2_2_73841B5F
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA5E2E	2_2_02BA5E2E
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA709F	2_2_02BA709F
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA9A9D	2_2_02BA9A9D
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA5C89	2_2_02BA5C89
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B936F6	2_2_02B936F6
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA76EE	2_2_02BA76EE
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B934E5	2_2_02B934E5
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA88D2	2_2_02BA88D2
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93ACC	2_2_02B93ACC
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7223	2_2_02BA7223
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA8C76	2_2_02BA8C76
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA844B	2_2_02BA844B
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA75B8	2_2_02BA75B8
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA5FA7	2_2_02BA5FA7
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96B99	2_2_02B96B99
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B92593	2_2_02B92593
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96397	2_2_02B96397
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7D89	2_2_02BA7D89
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96BFD	2_2_02B96BFD
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96BF6	2_2_02B96BF6
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B943EE	2_2_02B943EE
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7BE0	2_2_02BA7BE0
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96BE2	2_2_02B96BE2
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96138	2_2_02B96138
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B9333A	2_2_02B9333A
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA6334	2_2_02BA6334
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93123	2_2_02B93123
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93F22	2_2_02B93F22
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B90318	2_2_02B90318
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA851B	2_2_02BA851B
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B9310D	2_2_02B9310D
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96176	2_2_02B96176
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA596B	2_2_02BA596B
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93153	2_2_02B93153
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96355	2_2_02B96355
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96556	2_2_02B96556
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B94347	2_2_02B94347

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_02BA871D NtProtectVirtualMemory,

2_2_02BA871D

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

File read: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

2_2_004034C5

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

File created: C:\Users\user\AppData\Roaming\Shoved

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

File created: C:\Users\user\AppData\Local\Temp\nsb7B5D.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winEXE@2073/48@0/0

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_004021A2 CoCreateInstance,

2_2_004021A2

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_00404858

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden

Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B911B2 push ecx; retf	2_2_02B910EB
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B92EBD push 39022ACFh; ret	2_2_02B92ECB
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B97431 push ebx; retf	2_2_02B97433
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B92404 push esp; iretd	2_2_02B92420
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B98C06 push edx; iretd	2_2_02B98C08
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B9105D push ecx; retf	2_2_02B910EB
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B915D1 push edi; retf	2_2_02B915D6
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B90318 push ecx; retf	2_2_02B910EB

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_73841B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_73841B5F

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

File created: C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\BackgroundTransferHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\BackgroundTransferHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110029376244.0000000000657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE13
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110029376244.0000000000657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Window / User API: threadDelayed 2035

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Thread sleep count: Count: 2035 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_02B93EA8 rdtsc

2_2_02B93EA8

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_0040676F FindFirstFileW,FindClose,	2_2_0040676F
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405B23
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00402902 FindFirstFileW,	2_2_00402902

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	API call chain: ExitProcess graph end node			graph_2-6617
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	API call chain: ExitProcess graph end node			graph_2-6771

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110029376244.0000000000657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe13
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110029376244.0000000000657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, 00000002.00000002.110030571431.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B974BF mov eax, dword ptr fs:[00000030h]	2_2_02B974BF
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7D89 mov eax, dword ptr fs:[00000030h]	2_2_02BA7D89
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93123 mov eax, dword ptr fs:[00000030h]	2_2_02B93123
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA6918 mov eax, dword ptr fs:[00000030h]	2_2_02BA6918
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B9310D mov eax, dword ptr fs:[00000030h]	2_2_02B9310D
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96355 mov eax, dword ptr fs:[00000030h]	2_2_02B96355

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_73841B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_73841B5F

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_02B93EA8 rdtsc

2_2_02B93EA8

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_02BA5E2E CreateFileA,LdrLoadDll,

2_2_02BA5E2E

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\96bc58feee9343f4adb4276226731ce3_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\9dbf5cda030a4e60a261641156804856_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\03d0615dae6b45498e652e3e555b3e3d_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1667478730 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1667478730 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\32d6c3b77f79c994287f18a9e394a4c647daf89026c18d1d25ddcadc8a70b531 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\6be1c3a3d724301812ee103a5aec7433c46a3c9115c97fb13883704815c24367 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\86ff803d03a9f7dd72f32ca9f45f900b7e9007aa4de113108c9834e5cde15bba VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\d3eedb83164482c35b9bf5057a67514a6d30ccc1c43cadacc08c0526ac994779 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\2158c55723c14af0c30c7aafe4020aec95cb2eda148e7ca6a75034a8d5c5ae85 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\178764b5981a2aee4c1fc7d893b8a2d95269220d41eede955e9c867ff12350d5 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

2_2_004034C5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	11 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	10%	ReversingLabs	Win32.Downloader.Minix

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll	4%	Metadefender	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736949
Start date and time:	2022-11-03 12:30:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@2073/48@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 37.3% (good quality ratio 36.6%) Quality average: 87% Quality standard deviation: 21.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 52 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.82.210.154, 95.101.54.129, 95.101.54.113, 20.234.34.18
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, client.wns.windows.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, wdcp.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, login.live.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:31:58	API Interceptor	1x Sleep call for process: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe modified
12:31:58	API Interceptor	2x Sleep call for process: dllhost.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll	WELTER zahnrad GmbH Urgent enquiry Order nr543.exe	Get hash	malicious	Browse
	WELTER zahnrad GmbH Urgent enquiry Order nr543.exe	Get hash	malicious	Browse
	Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe	Get hash	malicious	Browse
	Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe	Get hash	malicious	Browse
	Eminencer.exe	Get hash	malicious	Browse
	Shipment Notification.exe	Get hash	malicious	Browse
	Prokuraers.exe	Get hash	malicious	Browse
	RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe	Get hash	malicious	Browse
	Eminencer.exe	Get hash	malicious	Browse
	Shipment Notification.exe	Get hash	malicious	Browse
	COSTCO Purchase Order.exe	Get hash	malicious	Browse
	Prokuraers.exe	Get hash	malicious	Browse
	RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe	Get hash	malicious	Browse
	NEW GIZA - INFRA - RFQ ( Pump ).exe	Get hash	malicious	Browse
	COSTCO Purchase Order.exe	Get hash	malicious	Browse
	NEW GIZA - INFRA - RFQ ( Pump ).exe	Get hash	malicious	Browse
	AWB DHL 7214306201 Shipment Notification.exe	Get hash	malicious	Browse
	AWB DHL 7214306201 Shipment Notification.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0f40a9a4-7ba9-4798-b98b-f18214009bbd.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	3.6100919570774668
Encrypted:	false
SSDEEP:	24:LLVR2mRie/km6wrHXpjgWzgxjX+vUVieQBQT1+InEysafxOc2CpX3QAbbW0VB:LLD2mRiOxzXpjPgVX+v8iTBkZ7rfeIXj
MD5:	D0E6F8A432143B3A4D4B296D928643DB
SHA1:	1C5ABADDDD94750B8E62B9C12F8671404833EB6C
SHA-256:	5B3A44CF2FF858861F73F129D818DED5CE7AD498B568CCB015DF4FA4E716DDE4
SHA-512:	275C970EDA97E19E1324CEA8AF28BFCF7BAC6B1BD6234297A5B7EAB274BF692C1748AAEA8C256B7B9F1EE186D95C2EE4D9E15CC21976E7F766DF41A03A43227F
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.y.I.E.?.v.e.r.=.7.b.e.a...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .F.r.i.,. .1.6. .S.e.p. .2.0.2.2. .0.0.:.4.2.:.4.4. .G.M.T...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.y.I.E.?.v.e.r.=.7.b.e.a...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .4.5.6.2.4.2...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .c.8.f.5.3.a.8.b.-.1.7.5.c.-.4.d.c.b.-.8.c.3.f.-.8.8.8.1.8.9.d.f.4.d.0.9...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .4.5.6.2.4.2...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.l.i.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0f40a9a4-7ba9-4798-b98b-f18214009bbd.up_meta_secure

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.293651679671136
Encrypted:	false
SSDEEP:	12:QU6NKGS32dZvsN6KbJst2vsU/YbX2JXngFJ3zfBro:QUfpKe6KbJst2R/YbXuXMB8
MD5:	C23766093AE0D9E3CBC24D662874023B
SHA1:	86C9C96A3518CED83CCAC3108CEA1207C40EF5E0
SHA-256:	EC59F368FF841989E4ACCCDBC7D3343EDDE3BDA92352C46F86D3A8E5DDE2102E
SHA-512:	F3DEAF9C47C3BB8977DD8862FF5DCC05FCA8CA12AB661228D0FE3369BB098AA0AC01945B66DBFEA02B7094BC05217223A1E447EBCBC64BB731CCAB12492B4FC6
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ........!b4:o7.K(.Z..k,...B~...Itn............ ...##.$......6..V.C.*CKA....t[.X.s .....<...`.=.S.A0{.F......U.h@..p.".+....R...j..pO.x...Jj....e.=...mI.pk=..O1b.#......0. Z.'`}...wl8..\....m..@k..4.$q.is.......e..........l_"b@...wz.$a...8.....%...].y............`.....2..aw....K....Ns...X..1Yj4.....U;k.`.j.....6...}.d..;r5..vQ[....m.6..E....X.....O>E].}5..@...=~....)hgS.}.~.v..v4X.r?.........j..7..R..3'..y....:....oL.Pr.N.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3843bffb-4eef-4da1-af04-618c0facc656.down_data

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1080, components 3
Category:	dropped
Size (bytes):	456242
Entropy (8bit):	7.901591558066316
Encrypted:	false
SSDEEP:	6144:NFYwf2vzmMr8881AQEGZ4TduN7vx9M8W5l31cRdZBFTZk9Rb/fnGk1+tG8:MwOvzm08T1AQlqAM8W/31ct/ZmRafL
MD5:	475D42621D87B431D87BA232216E25B8
SHA1:	9F44DC4AE1ED0D3473198B1C9DE2D4C8D813C79C
SHA-256:	562619314F336727FE5DFD3428B45C1ECF913C8E9ED90EFEAE18C6992F8B5A85
SHA-512:	9BC8BDD2BE82CAB886571EA2A9A2968069927B7E578FE38879A587A4D3B6DEC189AD01E4FCD8D3804889624C4AD7DE7B5EC497194F0CAC920B8A42636D754D5D
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................8...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..JM...J.....r=..&.J,2-..jJ)..4.V.m.;..R.vPU.........6.P]..T....#=.6.].]1..6...I..W1.._..EM...1IS.I..dU.h.....;..m.).iX...IO.F...).j]....{iZ(*.T.6.J.r-.m.h.d.d>]!...6.a..3mN.B.h.JH.m%K...H\|.m'.R.t.)..v.T.).]..DT.j]....#....M.m.wd^^i.UO......JO..e.R...l....M.@..\|.n......6Ryuc....+.l..].)......3%.]+.1..J...........F.,>b-..-.Xw"....6Qa...t.6.6..9.v.yu/.N.J...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3843bffb-4eef-4da1-af04-618c0facc656.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	3.6100919570774668
Encrypted:	false
SSDEEP:	24:LLVR2mRie/km6wrHXpjgWzgxjX+vUVieQBQT1+InEysafxOc2CpX3QAbbW0VB:LLD2mRiOxzXpjPgVX+v8iTBkZ7rfeIXj
MD5:	D0E6F8A432143B3A4D4B296D928643DB
SHA1:	1C5ABADDDD94750B8E62B9C12F8671404833EB6C
SHA-256:	5B3A44CF2FF858861F73F129D818DED5CE7AD498B568CCB015DF4FA4E716DDE4
SHA-512:	275C970EDA97E19E1324CEA8AF28BFCF7BAC6B1BD6234297A5B7EAB274BF692C1748AAEA8C256B7B9F1EE186D95C2EE4D9E15CC21976E7F766DF41A03A43227F
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.y.I.E.?.v.e.r.=.7.b.e.a...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .F.r.i.,. .1.6. .S.e.p. .2.0.2.2. .0.0.:.4.2.:.4.4. .G.M.T...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.y.I.E.?.v.e.r.=.7.b.e.a...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .4.5.6.2.4.2...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .c.8.f.5.3.a.8.b.-.1.7.5.c.-.4.d.c.b.-.8.c.3.f.-.8.8.8.1.8.9.d.f.4.d.0.9...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .4.5.6.2.4.2...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.l.i.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3843bffb-4eef-4da1-af04-618c0facc656.up_meta_secure

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.293651679671136
Encrypted:	false
SSDEEP:	12:QU6NKGS32dZvsN6KbJst2vsU/YbX2JXngFJ3zfBro:QUfpKe6KbJst2R/YbXuXMB8
MD5:	C23766093AE0D9E3CBC24D662874023B
SHA1:	86C9C96A3518CED83CCAC3108CEA1207C40EF5E0
SHA-256:	EC59F368FF841989E4ACCCDBC7D3343EDDE3BDA92352C46F86D3A8E5DDE2102E
SHA-512:	F3DEAF9C47C3BB8977DD8862FF5DCC05FCA8CA12AB661228D0FE3369BB098AA0AC01945B66DBFEA02B7094BC05217223A1E447EBCBC64BB731CCAB12492B4FC6
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ........!b4:o7.K(.Z..k,...B~...Itn............ ...##.$......6..V.C.*CKA....t[.X.s .....<...`.=.S.A0{.F......U.h@..p.".+....R...j..pO.x...Jj....e.=...mI.pk=..O1b.#......0. Z.'`}...wl8..\....m..@k..4.$q.is.......e..........l_"b@...wz.$a...8.....%...].y............`.....2..aw....K....Ns...X..1Yj4.....U;k.`.j.....6...}.d..;r5..vQ[....m.6..E....X.....O>E].}5..@...=~....)hgS.}.~.v..v4X.r?.........j..7..R..3'..y....:....oL.Pr.N.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4aa5b1fb-1301-4194-8203-1cbb67304ae7.down_data

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2021:11:11 06:55:38]
Category:	dropped
Size (bytes):	1654488
Entropy (8bit):	6.926504673655095
Encrypted:	false
SSDEEP:	24576:1k44jNiVr4qVhre8lekiZaSEKBcf/prV/RRJGoGaEqKEHisGpp7quKRDR7ripxi6:H4jNiVr4qXlZvKV9pp7qPRDNripY6
MD5:	3C36C820F3E016E8A3A63C34BA7BEF07
SHA1:	AF2A7EBB7A6D6C1815190C24EF732B2089115331
SHA-256:	F62AFA107BBFE2FEAEF84AB87277D31DFE1AAABF61400F241FDD50C45AB19D7F
SHA-512:	1074A8603B932052ED17825E83403D5F4EC3CD8CC7DB94BC4F262146DDA054640CBFB126FD728AB35C8B2B20285BC71CFE20BB3DEB3BDF8CC4B2877595B94C86
Malicious:	false
Preview:	......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.1 (Windows).2021:11:11 06:55:38.............................8..........................................."............(.....................2...................H.......H..........Adobe_CM......Adobe.d...................................................................................................................................................Z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..(..].1.............}S.... ..4mp#...w..[..`.[.P.=...g.w.U{........{..?..<..I..`..:._..d.T.k.q.m....;..1..........@..A1..5w.kZCk...`....~....$9.{..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4aa5b1fb-1301-4194-8203-1cbb67304ae7.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	3.6235419859275795
Encrypted:	false
SSDEEP:	24:LLVR2mRiwhXpjgWzgxjX+vUViwjAw2BKsDB1+euEsafxOc2CpX3KsDmbFJruZVB:LLD2mRicXpjPgVX+v8iZvBKQDbrfeIXp
MD5:	3B52759DDB62950FDD73FFE0E7B8A307
SHA1:	356FCD01F5AC95FDEBE645B7EBBA5F6346DDB2B6
SHA-256:	DF771B4E1E0AE7DB1CF36B0DCA500EFF0E6562BFC5F58BF38A04A0E35E9720E0
SHA-512:	68720AEA626BB0CEB4D04823CF9ADE719DC2FF8B83372451AECA3E587DCB5BE00CD7BE38B4965EAE035AD13DB519CE92495E311AD134FC633DDB60171CF0DABB
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.z.Z.S.?.v.e.r.=.7.b.4.6...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.z.Z.S.?.v.e.r.=.7.b.4.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .M.o.n.,. .0.3. .O.c.t. .2.0.2.2. .1.0.:.0.5.:.3.4. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.5.4.4.8.8...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .f.f.9.4.b.8.f.d.-.1.6.c.b.-.4.a.3.6.-.8.2.b.1.-.e.5.9.8.3.4.4.5.9.0.8.f...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.5.4.4.8.8...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4aa5b1fb-1301-4194-8203-1cbb67304ae7.up_meta_secure

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.269805200963284
Encrypted:	false
SSDEEP:	12:QU6N355QkpCJrX5hNwLBB5EwCM3Aa9Tg3gyT+UXT:QUq55e/wLB3E5+9TygpUD
MD5:	66D3F7A7F2F4C9A353D053B070431446
SHA1:	628EACB479271620DBF593D6A4395D43465F99B9
SHA-256:	5BE78EBC19D0A5BC10354FC64EB6C2CB7C8FB9763A84B6FB3B5ED201D97C2986
SHA-512:	E5B2D8BAAAAF73DFF1F7A35C3FDB9717C1ECC2F0CA2DBC25619A76E935B1A996DC836EBB23945F9A61CDAB35435D6BDFC2A3C825CB3037381A32F9E890FA5CF5
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... .............A$Hur..<..`...3.gMl............. ...3H..Ir.B..Z.{..}...(q...@.6$pH. ...(._r..\|.......o&..L..Fyg....g.8.....#m.My.\|u.$..0..`...o[.......<p..!..Ce.n.8..q.....f.\|i.XA.OSV....#d.<vG+HJ.....<.?.:Lt...4.}I. .A...&)...<.....V_a>.~.3........J..q...U...+.E..1..t.l.Q.>O..[b.. G+........r+..*w..R.+..G..V.4...[..<T.em.../.[...............iC..hj.G..Z.(.U...@.......ER C.(..`.......&3.X7......h.@q.nSQ.)_.b1..h..._GB..+.{..)

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\585053d0-ba98-49e5-b1a4-c6f5d9974c26.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	3.593729487352936
Encrypted:	false
SSDEEP:	24:LLVR2mRiwsXpjgWzgxjX+vUViwiAw2BKO1+0+YsafxOc2CpX3KPbGwaVB:LLD2mRixXpjPgVX+v8iUvBKEN3rfeIXJ
MD5:	C3787AE54DB8F9B354295299F9C92DCB
SHA1:	D6E0FC5E90A6D1388BA4B400BA0E8EC042E79D5E
SHA-256:	26950ED11A16146199E0E0BF4F217FAC2992CFD4DDB41C01EED158F5114F4E6B
SHA-512:	5C85EA904FF3257C0A61A7A93183B6741BA61358450433346DC81DB41AB9EE64B6D25F3FFC90A2332E000212F0C56376FDDE713640A2C598E16297AE77D95098
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.s.j.y.?.v.e.r.=.4.a.0.6...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.s.j.y.?.v.e.r.=.4.a.0.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .M.o.n.,. .0.3. .O.c.t. .2.0.2.2. .1.0.:.0.5.:.3.4. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.8.2.9.9.9.4...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .0.a.a.6.c.f.7.0.-.b.9.6.6.-.4.9.9.0.-.a.b.1.0.-.e.a.4.b.a.6.e.8.9.0.0.4...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.8.2.9.9.9.4...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\585053d0-ba98-49e5-b1a4-c6f5d9974c26.up_meta_secure

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.2558971277972875
Encrypted:	false
SSDEEP:	12:QU6Nk8GuvaljuYNBPw+bWPcbcSegEgEEyzaYRdJn:QUX8Gui9XDdCPcbcrXEy2YRL
MD5:	CED4A764244AD6D3539993F812F02670
SHA1:	D1D3631ED7D56CF12174B61E468B177B98A40B47
SHA-256:	37047289C039B71534073052EE7985D242B2DAB4C28030F056E262A61F9C6123
SHA-512:	27E8BA27F01FA8BB6354C840250E3605746F46884C3130D953EE6AF183D87D369F5D6CBCBDF32A150275EB7B209B4146A5EF6876E04F3B8D79ECC58BF8A3523B
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ........N.I.V=J.QMj.&..28a................... ............x....6.....H..y.... ....O..Y#=.z...=3.....ZQ...[SB<_...(..``..m..x...:...MW..]JPm[..A..9\|.f..U.>.....L.4.7..hc.K..L.s3...}..jc[h..F....."?W....G-`...7.O:..%=..L4.2..`.....1..j=.<f.h.l..8qf.>...f.7.o..3..*..r..+\|......N...K.....1ys.B..s...T..%....M:r.J...i..V@.'.T.(.. ..;.D..P&.0:.#qW}.....k.P..o..@....:..O..(l..W.wf.r....Cf...L.A.M.+06..A$e.......T+\|.;.}0qx~K..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8086b025-ce16-4435-9cc3-d2a0f33fe026.down_data

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2021:11:11 06:54:34]
Category:	dropped
Size (bytes):	1829994
Entropy (8bit):	7.092403290156545
Encrypted:	false
SSDEEP:	24576:LdC81bzA4GeD+kaZRfEyfcA/ir2/R0JGSUmfyttS6dSTeuErzQP/Lg40bw2Rf02b:LdC81bz/Dq39STvErQ/05d0k
MD5:	4FB1CD4A9C7B4165BF8CD730F367600C
SHA1:	1FD8481802A3512CC65105B600C9339784A31E10
SHA-256:	E60B827FEE4A3A7FF6033C3F244AE04D5A51D7E581936BE750F2EABE4F72E2A0
SHA-512:	C3D101D94A75EFE81C7E8AB1F45654271A67048A6439C2C202589038519D24B62A98F77EA267AE320ED2FC9AFBB7D6C4AE4B079C19AA05E4F7D7BA7A87C79E61
Malicious:	false
Preview:	......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.1 (Windows).2021:11:11 06:54:34.........................................8..............................."............(.....................2...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................Z...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...n.fx..w.V..^N[..k .u....T.y._M.=..$..k.G..gV...i..4..j.)..k..a~.~.K.2....:..-wc..[....(....X....&y.<...pu..C@..>.J......k.8..........@..xdx...:.V..X

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8086b025-ce16-4435-9cc3-d2a0f33fe026.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	3.593729487352936
Encrypted:	false
SSDEEP:	24:LLVR2mRiwsXpjgWzgxjX+vUViwiAw2BKO1+0+YsafxOc2CpX3KPbGwaVB:LLD2mRixXpjPgVX+v8iUvBKEN3rfeIXJ
MD5:	C3787AE54DB8F9B354295299F9C92DCB
SHA1:	D6E0FC5E90A6D1388BA4B400BA0E8EC042E79D5E
SHA-256:	26950ED11A16146199E0E0BF4F217FAC2992CFD4DDB41C01EED158F5114F4E6B
SHA-512:	5C85EA904FF3257C0A61A7A93183B6741BA61358450433346DC81DB41AB9EE64B6D25F3FFC90A2332E000212F0C56376FDDE713640A2C598E16297AE77D95098
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.s.j.y.?.v.e.r.=.4.a.0.6...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.s.j.y.?.v.e.r.=.4.a.0.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .M.o.n.,. .0.3. .O.c.t. .2.0.2.2. .1.0.:.0.5.:.3.4. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.8.2.9.9.9.4...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .0.a.a.6.c.f.7.0.-.b.9.6.6.-.4.9.9.0.-.a.b.1.0.-.e.a.4.b.a.6.e.8.9.0.0.4...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.8.2.9.9.9.4...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8086b025-ce16-4435-9cc3-d2a0f33fe026.up_meta_secure

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.2558971277972875
Encrypted:	false
SSDEEP:	12:QU6Nk8GuvaljuYNBPw+bWPcbcSegEgEEyzaYRdJn:QUX8Gui9XDdCPcbcrXEy2YRL
MD5:	CED4A764244AD6D3539993F812F02670
SHA1:	D1D3631ED7D56CF12174B61E468B177B98A40B47
SHA-256:	37047289C039B71534073052EE7985D242B2DAB4C28030F056E262A61F9C6123
SHA-512:	27E8BA27F01FA8BB6354C840250E3605746F46884C3130D953EE6AF183D87D369F5D6CBCBDF32A150275EB7B209B4146A5EF6876E04F3B8D79ECC58BF8A3523B
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ........N.I.V=J.QMj.&..28a................... ............x....6.....H..y.... ....O..Y#=.z...=3.....ZQ...[SB<_...(..``..m..x...:...MW..]JPm[..A..9\|.f..U.>.....L.4.7..hc.K..L.s3...}..jc[h..F....."?W....G-`...7.O:..%=..L4.2..`.....1..j=.<f.h.l..8qf.>...f.7.o..3..*..r..+\|......N...K.....1ys.B..s...T..%....M:r.J...i..V@.'.T.(.. ..;.D..P&.0:.#qW}.....k.P..o..@....:..O..(l..W.wf.r....Cf...L.A.M.+06..A$e.......T+\|.;.}0qx~K..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8d48d2a6-6a56-420d-bb18-5dfe26c1259c.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	3.615198547271788
Encrypted:	false
SSDEEP:	24:LLVR2mRi5WXpjgWzgxjX+vUVi5u5Bzup1+Zb0IWsafxOc2CpX3zuObB0VB:LLD2mRiEXpjPgVX+v8iM5BqLIb0JrfeR
MD5:	FCE9B615BD0A241DCDB86B117046C824
SHA1:	DA1C473288C318B53360BEA6BFD49A8A95430247
SHA-256:	17B032A7A4C60F0AD0A3C229C7A85C175D02CBA73BF036B0E6A5317BB4A9AFED
SHA-512:	4769E86FFA24DA5ADA5349F28C09623BF0C26BF01F0BD072753EFE147521832A5C5278898C7218AF9DEDD723A293974065F572754C2C0804F9C1CBCF974C9CCF
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.D.K.u.?.v.e.r.=.7.7.3.7...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.D.K.u.?.v.e.r.=.7.7.3.7...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.a.t.,. .1.7. .S.e.p. .2.0.2.2. .1.2.:.4.2.:.3.5. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .3.9.7.6.4.0...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .0.f.b.f.8.5.c.1.-.3.a.5.a.-.4.e.4.4.-.8.a.9.f.-.4.c.5.9.9.1.5.9.c.1.5.f...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .3.9.7.6.4.0...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.l.i.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8d48d2a6-6a56-420d-bb18-5dfe26c1259c.up_meta_secure

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.2992415773292185
Encrypted:	false
SSDEEP:	12:QU6N7/eJekA9YsweveCA8PPC+0LxaRGrbyaYwpPfU:QUmOek6Pr2CA8LwQwr9Yw2
MD5:	53C3609CC7AF4DBA67354111D16094BA
SHA1:	C644F7C4E9547328C64A8F3BEFD70A5169F44AAA
SHA-256:	71214DDCE705BF07EC16F43A468E46D6A80F220B0BFA7AECA19C704C365A3F47
SHA-512:	BB8CC703C91A3AD283F403385EC4816CAD73ABFE85CA826C290A3C12044B9468FF9537F80A64CB1F27EE0FB8FB55B5ADF22DA5E20D96AAFFE1653912A817FDD2
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... .......].g..g.....O..Gso../..0.............. ...2......eA..2..X/...j^..d......;. ...O!..n.`.5rFL..o?+..c.&..xg.0\|.pk...Q..(t. ....P..X......,)....H4.QFi;.I.....&....T..x.K.._..S..c..Fc#...`.^......f... +t..QS...v.a.B.t.E...wL9....Z.a(.&(.5 8 .T+1....p.d..'........{..;y..[..nd...H.~...@.h.T/.I'J.!..@.........C...#P...L*&s.z/Y..c.n. }..o....[.\.....X....]......@......>l<.0p..}bE...`.t....[L.t. ...T-.Oh3..{V..pP.n+.[._..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aa790838-db48-4eec-9b8a-be8242eb173a.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	3.609594899197458
Encrypted:	false
SSDEEP:	24:LLVR2mRiwsL8DWzgx71+gbMVmsafxOc2CpXpjjX+vUViwZBKPX3KUbNbCVB:LLD2mRi18kgvT7rfeIXpjjX+v8iUBKPm
MD5:	94D6269766C4BDEB60E83DEFEA9C4AE8
SHA1:	383EC055E6A59CC3C6B3C8994AA2E4947154D684
SHA-256:	4CD83D88ED67ED332238C8F97C9A6EF86D3A08722846A3CE4CF9C41C6C3FD41D
SHA-512:	6478BFE17F0EE86564D2A775B2EDE3920DFA4C403706B585B8BE107FCA1A31E79A9CFE15464A5E693D3AAB931276119C7D0F380A990CCC504B438DD6FF6171EF
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.X.J.8.e.?.v.e.r.=.9.9.3.f...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .W.e.d.,. .2.8. .S.e.p. .2.0.2.2. .0.8.:.0.2.:.1.5. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .9.3.9.a.c.f.2.3.-.1.5.7.8.-.4.6.8.3.-.9.c.d.8.-.8.4.4.3.e.1.e.f.f.f.7.7...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.X.J.8.e.?.v.e.r.=.9.9.3.f...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.5.2.5.9.5...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.5.2.5.9.5...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aa790838-db48-4eec-9b8a-be8242eb173a.down_data

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 23.2 (Windows), datetime=2022:03:03 09:46:40]
Category:	dropped
Size (bytes):	1652595
Entropy (8bit):	6.7587223054274475
Encrypted:	false
SSDEEP:	24576:d4jNiVr4qVKKSPh75tPWCwK6RinQe53HN/R0JyN2e8Fu06VSshmuOZxtELH9GpmO:d4jNiVr4qo9t5+eFSxtEhamzKj
MD5:	A2EBF8AC1E98A85396D4976E14C07BB0
SHA1:	EB25BA46DEDCB9A54A83DA926B0417EDB08D8F49
SHA-256:	9815B6989D443E6C57C6497EF9439227871E1CDBBF31EF505E2C1CB0C8A647C9
SHA-512:	A7CB9B8BDE6DD85E78DA613FBB34F9ECB32A5A74022567FA344EE4331C55021AADC89685E57446514E28FD179FAF2DD9EC9DF61AA8EDCEDADCEAE7CB004766D4
Malicious:	false
Preview:	......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 23.2 (Windows).2022:03:03 09:46:40.............................8..........................................."............(.....................2...........f.......H.......H..........Adobe_CM......Adobe.d...................................................................................................................................................Z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..gH....s<..x..4..I...1.6...Z..[V.1.c.xw...S.og........0...k2..e.Y.c.7.]..-.......!.~B.Y.n...O......w.op.p.?..D..T....8..G.X........$..f......U..-.y

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aa790838-db48-4eec-9b8a-be8242eb173a.up_meta_secure

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.299771858446448
Encrypted:	false
SSDEEP:	12:QU6N7L/A0a05huwq4BTpdY2edfHXmdRoi382teGlWI+:QUx0a0buwqQe2pdRooqOh+
MD5:	A24D374427AF1AB4862B64045D7109EE
SHA1:	550395453ADD226347182AB61A969BA3A479A519
SHA-256:	7128CF988FD86A99BA691E032E09D1737F689E8A90A438D8A3B08A98FA79D255
SHA-512:	398146F31EAB10DC4C889B52786ADA00D1B6ECE2ECDD661299D73A672551C8DACDBE487AE0C20535CC10A2770A1EB4D37A7A51A9C5089707FECBFDA727EABC13
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ....N.N..pqp..f.Yf['..2U..C...{............... ....@....e.TN...+....90......y... .......Cd..?.f..YjBX...W.<?.....[Sv$.D.S....e...}1.+^...R..&z.e.<f.<\..,\|./t....i..........q.....g.....L...Q.~..WW.).1!SP.j...<".....F".~`)Y"..\H....!..f.....P.f.d..R>...r.....mVq.'.y..%.6.iW.4.Y...L~f..sp.......e5..d.RI.:....ko5.....2..O5..5...c..C.If...W.1...h..KW.tV......C@...~..>..2...3... E./...y.q.k..%}F...$(.A..D..P..k...D.UKP.$.[

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b554ff5d-428f-46a5-8fa9-db35cc2cdf59.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	3.6235419859275795
Encrypted:	false
SSDEEP:	24:LLVR2mRiwhXpjgWzgxjX+vUViwjAw2BKsDB1+euEsafxOc2CpX3KsDmbFJruZVB:LLD2mRicXpjPgVX+v8iZvBKQDbrfeIXp
MD5:	3B52759DDB62950FDD73FFE0E7B8A307
SHA1:	356FCD01F5AC95FDEBE645B7EBBA5F6346DDB2B6
SHA-256:	DF771B4E1E0AE7DB1CF36B0DCA500EFF0E6562BFC5F58BF38A04A0E35E9720E0
SHA-512:	68720AEA626BB0CEB4D04823CF9ADE719DC2FF8B83372451AECA3E587DCB5BE00CD7BE38B4965EAE035AD13DB519CE92495E311AD134FC633DDB60171CF0DABB
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.z.Z.S.?.v.e.r.=.7.b.4.6...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.z.Z.S.?.v.e.r.=.7.b.4.6...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .M.o.n.,. .0.3. .O.c.t. .2.0.2.2. .1.0.:.0.5.:.3.4. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.5.4.4.8.8...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .f.f.9.4.b.8.f.d.-.1.6.c.b.-.4.a.3.6.-.8.2.b.1.-.e.5.9.8.3.4.4.5.9.0.8.f...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.5.4.4.8.8...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b554ff5d-428f-46a5-8fa9-db35cc2cdf59.up_meta_secure

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.269805200963284
Encrypted:	false
SSDEEP:	12:QU6N355QkpCJrX5hNwLBB5EwCM3Aa9Tg3gyT+UXT:QUq55e/wLB3E5+9TygpUD
MD5:	66D3F7A7F2F4C9A353D053B070431446
SHA1:	628EACB479271620DBF593D6A4395D43465F99B9
SHA-256:	5BE78EBC19D0A5BC10354FC64EB6C2CB7C8FB9763A84B6FB3B5ED201D97C2986
SHA-512:	E5B2D8BAAAAF73DFF1F7A35C3FDB9717C1ECC2F0CA2DBC25619A76E935B1A996DC836EBB23945F9A61CDAB35435D6BDFC2A3C825CB3037381A32F9E890FA5CF5
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... .............A$Hur..<..`...3.gMl............. ...3H..Ir.B..Z.{..}...(q...@.6$pH. ...(._r..\|.......o&..L..Fyg....g.8.....#m.My.\|u.$..0..`...o[.......<p..!..Ce.n.8..q.....f.\|i.XA.OSV....#d.<vG+HJ.....<.?.:Lt...4.}I. .A...&)...<.....V_a>.~.3........J..q...U...+.E..1..t.l.Q.>O..[b.. G+........r+..*w..R.+..G..V.4...[..<T.em.../.[...............iC..hj.G..Z.(.U...@.......ER C.(..`.......&3.X7......h.@q.nSQ.)_.b1..h..._GB..+.{..)

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\dd6a1354-220a-435c-9960-7f2e2f731c6f.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	3.612607647376319
Encrypted:	false
SSDEEP:	24:LLVR2mRiw+XpjgWzgxjX+vUViwo4+E1BKt1+CsafxOc2CpX3Ki5bvO/QGyV7j:LLD2mRi/XpjPgVX+v8iOPBKvbrfeIX3t
MD5:	20CAF8E9934BC613D1C78271AACCC35C
SHA1:	54067DC0B9689DF0A5EEB87552B2EFD4BF51116E
SHA-256:	A7E00C64022723DA851747B3321E5078CE412B662827B9163C76ABE108B38801
SHA-512:	BA0B8AFF5B21B92F2A6F93E25ACFC53361811C0D94C5D761ADDB15FF93C07939512B9593B0EE33389E36B6D31DCCF6E7CAF2C2678B1868920BA6C3C12DF22826
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.3.X.g.?.v.e.r.=.4.b.f.1...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.3.X.g.?.v.e.r.=.4.b.f.1...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.u.n.,. .2.5. .S.e.p. .2.0.2.2. .1.9.:.2.9.:.0.6. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.7.0.3.6.6...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .e.0.e.4.2.d.9.4.-.7.4.2.5.-.4.a.6.5.-.b.f.b.1.-.7.4.5.a.8.1.5.0.d.1.b.d...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.7.0.3.6.6...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\dd6a1354-220a-435c-9960-7f2e2f731c6f.up_meta_secure

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.269579834552022
Encrypted:	false
SSDEEP:	12:QU6N0FTddHZsfPtwSuWawd5n41jrGNaKNtp9Rmy:QUXPHS3iSu0kFutNtp9Rmy
MD5:	07112CA1A43AB14CF7FC496AD8CCF2B9
SHA1:	34524F5C29FC1EDC0E2E4B5B3B17909791455AF7
SHA-256:	24A1BBA0E9E5E6C7C5625B18AC2F4BEBD414D1D163430C3762464913A583A6F5
SHA-512:	13795D08031352F224FD5834D21F7295FFD3A2FE55B85B298845AF40A07FE09F70BE131E3850694998C265D65624DE59423B0495843103E02A151619BD3AF49E
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ...}..b........^.=K........F.\|L.r............. ...g....bW8.U..E.Y.F.b.o...2. ...4{?.$6Z...l......b.m..P..P.....D6....>]l`w.K=....P....._.Xe)....B..3.).4..\|....?\|m9U.A.$...a.gj..;.)..B....!a.j..ro.4.w3.w..}A..2F.%.....!.}..<..^\|r.CZ_...a.E....Z.6... .O.......J...X.Y\.P.?."(-.L.N.zX..84.v;..\Q...I._...._.....c...F...2$...D.....s.....>\|...z.}....Z4Yi1..3...@........F.O.....d..5L.UI..B.D.2.:. ....'-wxY..\l....\|.....\...{.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e9594213-9e57-49dd-91fb-0ee2aae6c086.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	3.609594899197458
Encrypted:	false
SSDEEP:	24:LLVR2mRiwsL8DWzgx71+gbMVmsafxOc2CpXpjjX+vUViwZBKPX3KUbNbCVB:LLD2mRi18kgvT7rfeIXpjjX+v8iUBKPm
MD5:	94D6269766C4BDEB60E83DEFEA9C4AE8
SHA1:	383EC055E6A59CC3C6B3C8994AA2E4947154D684
SHA-256:	4CD83D88ED67ED332238C8F97C9A6EF86D3A08722846A3CE4CF9C41C6C3FD41D
SHA-512:	6478BFE17F0EE86564D2A775B2EDE3920DFA4C403706B585B8BE107FCA1A31E79A9CFE15464A5E693D3AAB931276119C7D0F380A990CCC504B438DD6FF6171EF
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.X.J.8.e.?.v.e.r.=.9.9.3.f...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .W.e.d.,. .2.8. .S.e.p. .2.0.2.2. .0.8.:.0.2.:.1.5. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .9.3.9.a.c.f.2.3.-.1.5.7.8.-.4.6.8.3.-.9.c.d.8.-.8.4.4.3.e.1.e.f.f.f.7.7...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.X.J.8.e.?.v.e.r.=.9.9.3.f...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.5.2.5.9.5...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.5.2.5.9.5...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e9594213-9e57-49dd-91fb-0ee2aae6c086.up_meta_secure

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.299771858446448
Encrypted:	false
SSDEEP:	12:QU6N7L/A0a05huwq4BTpdY2edfHXmdRoi382teGlWI+:QUx0a0buwqQe2pdRooqOh+
MD5:	A24D374427AF1AB4862B64045D7109EE
SHA1:	550395453ADD226347182AB61A969BA3A479A519
SHA-256:	7128CF988FD86A99BA691E032E09D1737F689E8A90A438D8A3B08A98FA79D255
SHA-512:	398146F31EAB10DC4C889B52786ADA00D1B6ECE2ECDD661299D73A672551C8DACDBE487AE0C20535CC10A2770A1EB4D37A7A51A9C5089707FECBFDA727EABC13
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ....N.N..pqp..f.Yf['..2U..C...{............... ....@....e.TN...+....90......y... .......Cd..?.f..YjBX...W.<?.....[Sv$.D.S....e...}1.+^...R..&z.e.<f.<\..,\|./t....i..........q.....g.....L...Q.~..WW.).1!SP.j...<".....F".~`)Y"..\H....!..f.....P.f.d..R>...r.....mVq.'.y..%.6.iW.4.Y...L~f..sp.......e5..d.RI.:....ko5.....2..O5..5...c..C.If...W.1...h..KW.tV......C@...~..>..2...3... E./...y.q.k..%}F...$(.A..D..P..k...D.UKP.$.[

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f9e08879-735a-4e9f-beea-148234195053.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	3.615198547271788
Encrypted:	false
SSDEEP:	24:LLVR2mRi5WXpjgWzgxjX+vUVi5u5Bzup1+Zb0IWsafxOc2CpX3zuObB0VB:LLD2mRiEXpjPgVX+v8iM5BqLIb0JrfeR
MD5:	FCE9B615BD0A241DCDB86B117046C824
SHA1:	DA1C473288C318B53360BEA6BFD49A8A95430247
SHA-256:	17B032A7A4C60F0AD0A3C229C7A85C175D02CBA73BF036B0E6A5317BB4A9AFED
SHA-512:	4769E86FFA24DA5ADA5349F28C09623BF0C26BF01F0BD072753EFE147521832A5C5278898C7218AF9DEDD723A293974065F572754C2C0804F9C1CBCF974C9CCF
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.D.K.u.?.v.e.r.=.7.7.3.7...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.E.D.K.u.?.v.e.r.=.7.7.3.7...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.a.t.,. .1.7. .S.e.p. .2.0.2.2. .1.2.:.4.2.:.3.5. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .3.9.7.6.4.0...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .0.f.b.f.8.5.c.1.-.3.a.5.a.-.4.e.4.4.-.8.a.9.f.-.4.c.5.9.9.1.5.9.c.1.5.f...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .3.9.7.6.4.0...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.l.i.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f9e08879-735a-4e9f-beea-148234195053.down_data

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1080x1920, components 3
Category:	dropped
Size (bytes):	397640
Entropy (8bit):	7.973540203770047
Encrypted:	false
SSDEEP:	12288:OA4HfjzlA5igAwJiGDW/CXceHRU8755e/2bhC:OA4HfNA0yJs0FU+Te/2bo
MD5:	94F381B1037C31F2F07DA813CB7CDBB0
SHA1:	D3C0DD5BC4181F267D9D33A6C55E720AF4027A61
SHA-256:	E1984ABEC89E01F9CCA9982CA6A1504AC4A6F7E39825617B04F24CD61BFBB91B
SHA-512:	F61E86C8C7519C9B3B21D36430628442CDDFB0A501AB45733C3014854614FC67AD78C0D2F48164AAF5744164BECE936BB4A7CABE8C6CC45E3DB4FD6439F1AC42
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.........................................................................8.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....R{T.%i1._.V?...06.....J...m<.M...&.J...4tZ.\i_...b..m.......N.)J..(......m...'4.....S....i..`v..S...c.A<...F.H9.....5 OZ]...F.K...oJ\\|.R..l.6...'.&?*v...zM......75@3m.EI............F.@\m....]....KO`)0{.+...F.R..E.q.{Q..E.q.}...F.@\n.A...P+...]....h..3h..t.m..W..R.....n.JG.;...@5z....K.....M.....M..j.......q.c......E?...;..m..i.z..P+......\n.F>j

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f9e08879-735a-4e9f-beea-148234195053.up_meta_secure

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.2992415773292185
Encrypted:	false
SSDEEP:	12:QU6N7/eJekA9YsweveCA8PPC+0LxaRGrbyaYwpPfU:QUmOek6Pr2CA8LwQwr9Yw2
MD5:	53C3609CC7AF4DBA67354111D16094BA
SHA1:	C644F7C4E9547328C64A8F3BEFD70A5169F44AAA
SHA-256:	71214DDCE705BF07EC16F43A468E46D6A80F220B0BFA7AECA19C704C365A3F47
SHA-512:	BB8CC703C91A3AD283F403385EC4816CAD73ABFE85CA826C290A3C12044B9468FF9537F80A64CB1F27EE0FB8FB55B5ADF22DA5E20D96AAFFE1653912A817FDD2
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... .......].g..g.....O..Gso../..0.............. ...2......eA..2..X/...j^..d......;. ...O!..n.`.5rFL..o?+..c.&..xg.0\|.pk...Q..(t. ....P..X......,)....H4.QFi;.I.....&....T..x.K.._..S..c..Fc#...`.^......f... +t..QS...v.a.B.t.E...wL9....Z.a(.&(.5 8 .T+1....p.d..'........{..;y..[..nd...H.~...@.h.T/.I'J.!..@.........C...#P...L*&s.z/Y..c.n. }..o....[.\.....X....]......@......>l<.0p..}bE...`.t....[L.t. ...T-.Oh3..{V..pP.n+.[._..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\fce64348-a319-4f43-89cb-85a2ff3766b6.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	data
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	3.612607647376319
Encrypted:	false
SSDEEP:	24:LLVR2mRiw+XpjgWzgxjX+vUViwo4+E1BKt1+CsafxOc2CpX3Ki5bvO/QGyV7j:LLD2mRi/XpjPgVX+v8iOPBKvbrfeIX3t
MD5:	20CAF8E9934BC613D1C78271AACCC35C
SHA1:	54067DC0B9689DF0A5EEB87552B2EFD4BF51116E
SHA-256:	A7E00C64022723DA851747B3321E5078CE412B662827B9163C76ABE108B38801
SHA-512:	BA0B8AFF5B21B92F2A6F93E25ACFC53361811C0D94C5D761ADDB15FF93C07939512B9593B0EE33389E36B6D31DCCF6E7CAF2C2678B1868920BA6C3C12DF22826
Malicious:	false
Preview:	h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.3.X.g.?.v.e.r.=.4.b.f.1...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.Y.3.X.g.?.v.e.r.=.4.b.f.1...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.u.n.,. .2.5. .S.e.p. .2.0.2.2. .1.9.:.2.9.:.0.6. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.7.0.3.6.6...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .e.0.e.4.2.d.9.4.-.7.4.2.5.-.4.a.6.5.-.b.f.b.1.-.7.4.5.a.8.1.5.0.d.1.b.d...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. ....X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.7.0.3.6.6...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\fce64348-a319-4f43-89cb-85a2ff3766b6.down_data

Download File

Process:	C:\Windows\System32\BackgroundTransferHost.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 23.2 (Windows), datetime=2022:03:03 09:45:32]
Category:	dropped
Size (bytes):	1670366
Entropy (8bit):	6.84484961165673
Encrypted:	false
SSDEEP:	24576:+dC81bz/KLQUBy+kzZJsxKdZC/2HO/R0JybmnI4asdAj/5Vf:+dC81bzuyusJdY7
MD5:	AFC98C94747E800CA80B6F2B6F6D0E99
SHA1:	7A2D652D3FBEBAEAC38E68B0EF2704B56AAA3656
SHA-256:	DCF5BB4FBC695E62BA816F65037F27BE9538EEFBED455085DEF9F0C286F0D46D
SHA-512:	B51478D385F934CE7ACE2B602CE5CE929B9091246144B26AE46AC753EA5CE72DB2100C9028A4E70DAA81E9EC3CCC158E1AFEAC8EDD81AF4D11C1DB123F5E963F
Malicious:	false
Preview:	......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 23.2 (Windows).2022:03:03 09:45:32.........................................8..............................."............(.....................2...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................Z...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....n..<.....5c;.........}..5...f7....$.&....[N.+.v.-%...]..Oe..I.........O[.ja.N....ub\.c....Yf5....<.......d.@sA..Lo.......c(....UT...\|.w....i.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\fce64348-a319-4f43-89cb-85a2ff3766b6.up_meta_secure

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	data
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.269579834552022
Encrypted:	false
SSDEEP:	12:QU6N0FTddHZsfPtwSuWawd5n41jrGNaKNtp9Rmy:QUXPHS3iSu0kFutNtp9Rmy
MD5:	07112CA1A43AB14CF7FC496AD8CCF2B9
SHA1:	34524F5C29FC1EDC0E2E4B5B3B17909791455AF7
SHA-256:	24A1BBA0E9E5E6C7C5625B18AC2F4BEBD414D1D163430C3762464913A583A6F5
SHA-512:	13795D08031352F224FD5834D21F7295FFD3A2FE55B85B298845AF40A07FE09F70BE131E3850694998C265D65624DE59423B0495843103E02A151619BD3AF49E
Malicious:	false
Preview:	............z..O.........A.n.N...U.s.............f...... ...}..b........^.=K........F.\|L.r............. ...g....bW8.U..E.Y.F.b.o...2. ...4{?.$6Z...l......b.m..P..P.....D6....>]l`w.K=....P....._.Xe)....B..3.).4..\|....?\|m9U.A.$...a.gj..;.)..B....!a.j..ro.4.w3.w..}A..2F.%.....!.}..<..^\|r.CZ_...a.E....Z.6... .O.......J...X.Y\.P.?."(-.L.N.zX..84.v;..\Q...I._...._.....c...F...2$...D.....s.....>\|...z.}....Z4Yi1..3...@........F.O.....d..5L.UI..B.D.2.:. ....'-wxY..\l....\|.....\...{.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1667478730 (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (25333), with no line terminators
Category:	dropped
Size (bytes):	50668
Entropy (8bit):	3.8628690863148045
Encrypted:	false
SSDEEP:	384:LqkpwmyvKwm7t3wmCC6IOaYoCGvgLbuLixSgLldfPOaY3NEoDJjmoKxo9029OaYO:AmQmamCC6mTMes5ldfFOtdz902XX
MD5:	3776917BCA6DD986576E21239AE97F3C
SHA1:	4F08609AF6856B66A9BAF1E6D1C2D0EAA3AB1310
SHA-256:	2B612E3F467B50610CD1BF5A3F0719728388821FBAB925CBA5DFF61B1474E0C8
SHA-512:	2D86E8358C0AE28EE5A467128E581209D65187C878B86517ECF85FB071CCA4E0308EDE6521CD8097F6A43CC150E92C9E8F5D6474BF170D5D049E11985999631A
Malicious:	false
Preview:	..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".n.a.m.e.\.".:.\.".L.o.c.k.S.c.r.e.e.n.\.".,.\.".p.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".p.o.r.t.r.a.i.t.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".s.h.o.w.I.m.a.g.e.O.n.S.e.c.u.r.e.L.o.c.k.\.".:.{.\.".i.s.O.p.t.i.o.n.a.l.\.".:.t.r.u.e.,.\.".t.y.p.e.\.".:.\.".b.o.o.l.e.a.n.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".f.i.l.e.S.i.z.e.\.".:.1.8.2.9.9.9.4.,.\.".h.e.i.g.h.t.\.".:.1.0.8.0.,.\.".s.h.a.2.5.6.\.".:.\.".5.g.u.C.f.+.5.K.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1667478730.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (25333), with no line terminators
Category:	dropped
Size (bytes):	50668
Entropy (8bit):	3.8628690863148045
Encrypted:	false
SSDEEP:	384:LqkpwmyvKwm7t3wmCC6IOaYoCGvgLbuLixSgLldfPOaY3NEoDJjmoKxo9029OaYO:AmQmamCC6mTMes5ldfFOtdz902XX
MD5:	3776917BCA6DD986576E21239AE97F3C
SHA1:	4F08609AF6856B66A9BAF1E6D1C2D0EAA3AB1310
SHA-256:	2B612E3F467B50610CD1BF5A3F0719728388821FBAB925CBA5DFF61B1474E0C8
SHA-512:	2D86E8358C0AE28EE5A467128E581209D65187C878B86517ECF85FB071CCA4E0308EDE6521CD8097F6A43CC150E92C9E8F5D6474BF170D5D049E11985999631A
Malicious:	false
Preview:	..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".n.a.m.e.\.".:.\.".L.o.c.k.S.c.r.e.e.n.\.".,.\.".p.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".p.o.r.t.r.a.i.t.I.m.a.g.e.\.".:.{.\.".t.y.p.e.\.".:.\.".i.m.a.g.e.\.".}.,.\.".s.h.o.w.I.m.a.g.e.O.n.S.e.c.u.r.e.L.o.c.k.\.".:.{.\.".i.s.O.p.t.i.o.n.a.l.\.".:.t.r.u.e.,.\.".t.y.p.e.\.".:.\.".b.o.o.l.e.a.n.\.".}.,.\.".o.n.R.e.n.d.e.r.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".l.a.n.d.s.c.a.p.e.I.m.a.g.e.\.".:.{.\.".f.i.l.e.S.i.z.e.\.".:.1.8.2.9.9.9.4.,.\.".h.e.i.g.h.t.\.".:.1.0.8.0.,.\.".s.h.a.2.5.6.\.".:.\.".5.g.u.C.f.+.5.K.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	ASCII text, with very long lines (601), with CRLF line terminators
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	5.375635149442958
Encrypted:	false
SSDEEP:	24:2AsfLWhHyUwHqbwB6wwTasfjuAsfLWhHyUwHqbwB6wwTasfjf:psTsyTWHa8uAsTsyTWHa8f
MD5:	6027FD964E3D12F5E55E7F303D62DB64
SHA1:	4584C8EEE83AFC96C0EE6FEF5D24CF79D4AED6C2
SHA-256:	2278FBCA6F5DD52C49BC652BCF24AFC0FAF0643046437E975B24B69FE3C0E0C9
SHA-512:	DB496C3FF495F6BB7447AE273AB7B2E02388163CF6ABFC94643833DBFFF4765B207539587DAC2EC681C099469AD19B74B564C57A2834FBF6F3CDF602559ACB42
Malicious:	false
Preview:	https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID=&&PID=400089837&UIT=P-&TargetID=700129702&AN=810648797&PG=PC000P0FR5.0000000IRT&REQASID=A673BE2E1D34470DB597AE0CE296C629&UNID=338388&ASID=96bc58feee9343f4adb4276226731ce3&PERSID=A8E1006BB917B201DA028024D9D24847&GLOBALDEVICEID=6825809749837015&LOCALID=w:B4DB5D29-CE1F-133C-E940-0BE8A7B2FF54&DS_EVTID=7d047d8fca6a4380a636a3f3e6e776c5&DEVOSVER=10.0.19042.1165&REQT=20221103T113138&TIME=20221103T123210Z&ARCRAS=&CLR=CDM..https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID=&&PID=400089837&UIT=P-&TargetID=700129702&AN=810648797&PG=PC000P0FR5.0000000IRT&REQASID=A673BE2E1D34470DB597AE0CE296C629&UNID=338388&ASID=96bc58feee9343f4adb4276226731ce3&PERSID=A8E1006BB917B201DA028024D9D24847&

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	ASCII text, with very long lines (601), with CRLF line terminators
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	5.375635149442958
Encrypted:	false
SSDEEP:	24:2AsfLWhHyUwHqbwB6wwTasfjuAsfLWhHyUwHqbwB6wwTasfjf:psTsyTWHa8uAsTsyTWHa8f
MD5:	6027FD964E3D12F5E55E7F303D62DB64
SHA1:	4584C8EEE83AFC96C0EE6FEF5D24CF79D4AED6C2
SHA-256:	2278FBCA6F5DD52C49BC652BCF24AFC0FAF0643046437E975B24B69FE3C0E0C9
SHA-512:	DB496C3FF495F6BB7447AE273AB7B2E02388163CF6ABFC94643833DBFFF4765B207539587DAC2EC681C099469AD19B74B564C57A2834FBF6F3CDF602559ACB42
Malicious:	false
Preview:	https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID=&&PID=400089837&UIT=P-&TargetID=700129702&AN=810648797&PG=PC000P0FR5.0000000IRT&REQASID=A673BE2E1D34470DB597AE0CE296C629&UNID=338388&ASID=96bc58feee9343f4adb4276226731ce3&PERSID=A8E1006BB917B201DA028024D9D24847&GLOBALDEVICEID=6825809749837015&LOCALID=w:B4DB5D29-CE1F-133C-E940-0BE8A7B2FF54&DS_EVTID=7d047d8fca6a4380a636a3f3e6e776c5&DEVOSVER=10.0.19042.1165&REQT=20221103T113138&TIME=20221103T123210Z&ARCRAS=&CLR=CDM..https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID=&&PID=400089837&UIT=P-&TargetID=700129702&AN=810648797&PG=PC000P0FR5.0000000IRT&REQASID=A673BE2E1D34470DB597AE0CE296C629&UNID=338388&ASID=96bc58feee9343f4adb4276226731ce3&PERSID=A8E1006BB917B201DA028024D9D24847&

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat~RFf6a9d0.TMP (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	ASCII text, with very long lines (601), with CRLF line terminators
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	5.375635149442958
Encrypted:	false
SSDEEP:	24:2AsfLWhHyUwHqbwB6wwTasfjuAsfLWhHyUwHqbwB6wwTasfjf:psTsyTWHa8uAsTsyTWHa8f
MD5:	6027FD964E3D12F5E55E7F303D62DB64
SHA1:	4584C8EEE83AFC96C0EE6FEF5D24CF79D4AED6C2
SHA-256:	2278FBCA6F5DD52C49BC652BCF24AFC0FAF0643046437E975B24B69FE3C0E0C9
SHA-512:	DB496C3FF495F6BB7447AE273AB7B2E02388163CF6ABFC94643833DBFFF4765B207539587DAC2EC681C099469AD19B74B564C57A2834FBF6F3CDF602559ACB42
Malicious:	false
Preview:	https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID=&&PID=400089837&UIT=P-&TargetID=700129702&AN=810648797&PG=PC000P0FR5.0000000IRT&REQASID=A673BE2E1D34470DB597AE0CE296C629&UNID=338388&ASID=96bc58feee9343f4adb4276226731ce3&PERSID=A8E1006BB917B201DA028024D9D24847&GLOBALDEVICEID=6825809749837015&LOCALID=w:B4DB5D29-CE1F-133C-E940-0BE8A7B2FF54&DS_EVTID=7d047d8fca6a4380a636a3f3e6e776c5&DEVOSVER=10.0.19042.1165&REQT=20221103T113138&TIME=20221103T123210Z&ARCRAS=&CLR=CDM..https://ris.api.iris.microsoft.com/v1/a/impression?CID=128000000000402926&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID=&&PID=400089837&UIT=P-&TargetID=700129702&AN=810648797&PG=PC000P0FR5.0000000IRT&REQASID=A673BE2E1D34470DB597AE0CE296C629&UNID=338388&ASID=96bc58feee9343f4adb4276226731ce3&PERSID=A8E1006BB917B201DA028024D9D24847&

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\imprbeacons.dat (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	ASCII text, with very long lines (1749), with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	5.187469039060151
Encrypted:	false
SSDEEP:	24:28/SgQwCqjJNwB6wwTaseehjhcwhwBMDjkoDUfsLNKomN5rrxZT12KfUNiYsiIj:xx/nJ9HagNLfYsBiLTfUwSa
MD5:	2C93AB13CC18A0981DCBA4DE3AD6CA1C
SHA1:	7029805FC58E10ACC1D0F114FF437282FBDD9155
SHA-256:	35FA3451B626296266258496D5CF9E341CE8175EE37426C21C39434D85A68944
SHA-512:	ECD887D87FD377FC5D3A37D1CDCDF77EBE9172ECE58D26442E95A36F1682A2780A41F7CC9ACE1D23959E070DEC2F4FA070FCA361A7302568F7C2E672BA00E366
Malicious:	false
Preview:	https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400089837&TID=700129702&CID=128000000000402926&BID=810648797&PG=PC000P0FR5.0000000IRT&TPID=400089837&REQASID=A673BE2E1D34470DB597AE0CE296C629&ASID=96bc58feee9343f4adb4276226731ce3&TIME=20221103T123210Z&SLOT=1&REQT=20221103T113138&MA_Score=2&PERSID=A8E1006BB917B201DA028024D9D24847&GLOBALDEVICEID=6825809749837015&LOCALID=w:B4DB5D29-CE1F-133C-E940-0BE8A7B2FF54&DS_EVTID=7d047d8fca6a4380a636a3f3e6e776c5&BCNT=1&PG=PC000P0FR5.0000000IRT&UNID=338388&MAP_TID=1EF5E8B5-9E46-4080-B9ED-081BF922B225&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=A673BE2E1D34470DB597AE0CE296C629&REQASID=A673BE2E1D34470DB597AE0CE296C629&ARC=1&EMS=1&AUTH=1&LOCALE=EN-US&COUNTRY=GB&HTD=-1&LANG=1033&DEVLANG=EN&CIP=102.129.143.37&ID=A8E1006BB917B201DA028024D9D24847&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19042.1165&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19042&DEVOSMINBLD=1165&LOD=443&LOH=24&LO=637949&RAFB=0&MARKETBASEDCOUNT

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\imprbeacons.dat.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	ASCII text, with very long lines (1749), with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	5.187469039060151
Encrypted:	false
SSDEEP:	24:28/SgQwCqjJNwB6wwTaseehjhcwhwBMDjkoDUfsLNKomN5rrxZT12KfUNiYsiIj:xx/nJ9HagNLfYsBiLTfUwSa
MD5:	2C93AB13CC18A0981DCBA4DE3AD6CA1C
SHA1:	7029805FC58E10ACC1D0F114FF437282FBDD9155
SHA-256:	35FA3451B626296266258496D5CF9E341CE8175EE37426C21C39434D85A68944
SHA-512:	ECD887D87FD377FC5D3A37D1CDCDF77EBE9172ECE58D26442E95A36F1682A2780A41F7CC9ACE1D23959E070DEC2F4FA070FCA361A7302568F7C2E672BA00E366
Malicious:	false
Preview:	https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400089837&TID=700129702&CID=128000000000402926&BID=810648797&PG=PC000P0FR5.0000000IRT&TPID=400089837&REQASID=A673BE2E1D34470DB597AE0CE296C629&ASID=96bc58feee9343f4adb4276226731ce3&TIME=20221103T123210Z&SLOT=1&REQT=20221103T113138&MA_Score=2&PERSID=A8E1006BB917B201DA028024D9D24847&GLOBALDEVICEID=6825809749837015&LOCALID=w:B4DB5D29-CE1F-133C-E940-0BE8A7B2FF54&DS_EVTID=7d047d8fca6a4380a636a3f3e6e776c5&BCNT=1&PG=PC000P0FR5.0000000IRT&UNID=338388&MAP_TID=1EF5E8B5-9E46-4080-B9ED-081BF922B225&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=A673BE2E1D34470DB597AE0CE296C629&REQASID=A673BE2E1D34470DB597AE0CE296C629&ARC=1&EMS=1&AUTH=1&LOCALE=EN-US&COUNTRY=GB&HTD=-1&LANG=1033&DEVLANG=EN&CIP=102.129.143.37&ID=A8E1006BB917B201DA028024D9D24847&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19042.1165&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19042&DEVOSMINBLD=1165&LOD=443&LOH=24&LO=637949&RAFB=0&MARKETBASEDCOUNT

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1667478730 (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3298), with no line terminators
Category:	dropped
Size (bytes):	6598
Entropy (8bit):	3.8115883227521836
Encrypted:	false
SSDEEP:	192:Lv44wFiEMGyoO4XD3gyeXonj4fjkwRcmtGw:L6yGBRvuNtGw
MD5:	B235E75FBC79F8026E7C60436D985965
SHA1:	DB1961A8DD30D0B3C3987A9E768ED6542CCFE798
SHA-256:	7CA22885B25318C77E3A20E6A534BEECB32F63D1FD0877E5D6AC827B45B21C34
SHA-512:	9804B766E35CA7E2F1C354908A2D84D1CFA5BB1AEB2D8E734E7457B41C22E80DC78222257BE4D9EE16AEC7CCAF365F97AEC1E5E74F934B40897FC353BB6A6D85
Malicious:	false
Preview:	..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".i.t.e.m.P.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".n.o.O.p.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".i.t.e.m.s.\.".:.[.{.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".n.o.O.p.\.".:.{.\.".e.v.e.n.t.\.".:.\.".n.o.n.e.\.".,.\.".p.a.r.a.m.e.t.e.r.s.\.".:.{.}.,.\.".a.c.t.i.o.n.\.".:.\.".n.o.O.p.\.".}.}.,.\.".t.r.a.c.k.i.n.g.\.".:.{.\.".e.v.e.n.t.s.\.".:.[.{.\.".i.d.\.".:.\.".i.m.p.r.e.s.s.i.o.n.\.".}.].,.\.".p.a.r.a.m.e.t.e.r.i.z.e.d.\.".:.[.{.\.".u.r.i.\.".:.\.".h.t.t.p.s.:.\./.\./.r.i.s...a.p.i...i.r.i.s...m.i.c.r.o.s.o.f.t...c.o.m.\./.v.1.\./.a.\./.{.A.C.T.I.O.N.}.?.C.I.D.=.1.2.8.0.0.0.0.0.0.0.0.1.6.2.7.4.0.9.&.r.e.g.i.o.n.=.G.B.&.l.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1667478730.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3298), with no line terminators
Category:	dropped
Size (bytes):	6598
Entropy (8bit):	3.8115883227521836
Encrypted:	false
SSDEEP:	192:Lv44wFiEMGyoO4XD3gyeXonj4fjkwRcmtGw:L6yGBRvuNtGw
MD5:	B235E75FBC79F8026E7C60436D985965
SHA1:	DB1961A8DD30D0B3C3987A9E768ED6542CCFE798
SHA-256:	7CA22885B25318C77E3A20E6A534BEECB32F63D1FD0877E5D6AC827B45B21C34
SHA-512:	9804B766E35CA7E2F1C354908A2D84D1CFA5BB1AEB2D8E734E7457B41C22E80DC78222257BE4D9EE16AEC7CCAF365F97AEC1E5E74F934B40897FC353BB6A6D85
Malicious:	false
Preview:	..{.".b.a.t.c.h.r.s.p.".:.{.".v.e.r.".:.".1...0.".,.".i.t.e.m.s.".:.[.{.".i.t.e.m.".:.".{.\.".f.\.".:.\.".r.a.f.\.".,.\.".v.\.".:.\.".1...0.\.".,.\.".r.d.r.\.".:.[.{.\.".c.\.".:.\.".C.D.M.\.".,.\.".u.\.".:.\.".S.u.b.s.c.r.i.b.e.d.C.o.n.t.e.n.t.\.".}.].,.\.".a.d.\.".:.{.\.".c.l.a.s.s.\.".:.\.".c.o.n.t.e.n.t.\.".,.\.".c.o.l.l.e.c.t.i.o.n.s.\.".:.[.].,.\.".i.t.e.m.P.r.o.p.e.r.t.y.M.a.n.i.f.e.s.t.\.".:.{.\.".n.o.O.p.\.".:.{.\.".t.y.p.e.\.".:.\.".a.c.t.i.o.n.\.".}.}.,.\.".i.t.e.m.s.\.".:.[.{.\.".p.r.o.p.e.r.t.i.e.s.\.".:.{.\.".n.o.O.p.\.".:.{.\.".e.v.e.n.t.\.".:.\.".n.o.n.e.\.".,.\.".p.a.r.a.m.e.t.e.r.s.\.".:.{.}.,.\.".a.c.t.i.o.n.\.".:.\.".n.o.O.p.\.".}.}.,.\.".t.r.a.c.k.i.n.g.\.".:.{.\.".e.v.e.n.t.s.\.".:.[.{.\.".i.d.\.".:.\.".i.m.p.r.e.s.s.i.o.n.\.".}.].,.\.".p.a.r.a.m.e.t.e.r.i.z.e.d.\.".:.[.{.\.".u.r.i.\.".:.\.".h.t.t.p.s.:.\./.\./.r.i.s...a.p.i...i.r.i.s...m.i.c.r.o.s.o.f.t...c.o.m.\./.v.1.\./.a.\./.{.A.C.T.I.O.N.}.?.C.I.D.=.1.2.8.0.0.0.0.0.0.0.0.1.6.2.7.4.0.9.&.r.e.g.i.o.n.=.G.B.&.l.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\9dbf5cda030a4e60a261641156804856_1 (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1765
Entropy (8bit):	5.589251299472814
Encrypted:	false
SSDEEP:	48:YrLtp5jEi8kLsPSVZGcuDieRHFzkwhSgNPUV:Ev5gjshZGDZuGSgNPUV
MD5:	F3F1CC40AF34CBC0A78B3408B31631F0
SHA1:	E613A2B2B79CACAF7B274EC0F7C401CD0D7BB80C
SHA-256:	29A9061FAA1C52D4E50476DC7ED84401E14FAE066935F91C97B0825F351CE2E5
SHA-512:	34ED34EDB12439BCDD00905651856652159B083151EE12CEE05AB291C76AB82CECE43F4BEEB2D0EE0C9E962FDFA044D9BE82580FA8BC57492731F082BA9B6337
Malicious:	false
Preview:	{"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{"ctx.action":"noOp","ctx.containerPath":"//item[0]","ctx.contentId":"9dbf5cda030a4e60a261641156804856","ctx.creativeId":"1667478696`128000000001627409`0`9dbf5cda030a4e60a261641156804856`604800`280815`137271744000000000","ctx.cv":"vMqjYPUZwU+dfMfc.0","ctx.expiration":"137271744000000000","ctx.placementId":"SubscribedContent-280815","noOp":"//item[0]/property[noOp]"},"action":"noOp"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID={EID}&&PID=425116123&UIT=P-&TargetID=700333390&AN=57390238&PG=PC000P0FR5.0000000INM&REQASID=BC595D179AA34712BB1EB30ACBBCDBC0&UNID=280815&ID=A8E1006BB917B201DA028024D9D24847&AS

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\9dbf5cda030a4e60a261641156804856_1.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1765
Entropy (8bit):	5.589251299472814
Encrypted:	false
SSDEEP:	48:YrLtp5jEi8kLsPSVZGcuDieRHFzkwhSgNPUV:Ev5gjshZGDZuGSgNPUV
MD5:	F3F1CC40AF34CBC0A78B3408B31631F0
SHA1:	E613A2B2B79CACAF7B274EC0F7C401CD0D7BB80C
SHA-256:	29A9061FAA1C52D4E50476DC7ED84401E14FAE066935F91C97B0825F351CE2E5
SHA-512:	34ED34EDB12439BCDD00905651856652159B083151EE12CEE05AB291C76AB82CECE43F4BEEB2D0EE0C9E962FDFA044D9BE82580FA8BC57492731F082BA9B6337
Malicious:	false
Preview:	{"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{"ctx.action":"noOp","ctx.containerPath":"//item[0]","ctx.contentId":"9dbf5cda030a4e60a261641156804856","ctx.creativeId":"1667478696`128000000001627409`0`9dbf5cda030a4e60a261641156804856`604800`280815`137271744000000000","ctx.cv":"vMqjYPUZwU+dfMfc.0","ctx.expiration":"137271744000000000","ctx.placementId":"SubscribedContent-280815","noOp":"//item[0]/property[noOp]"},"action":"noOp"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID={EID}&&PID=425116123&UIT=P-&TargetID=700333390&AN=57390238&PG=PC000P0FR5.0000000INM&REQASID=BC595D179AA34712BB1EB30ACBBCDBC0&UNID=280815&ID=A8E1006BB917B201DA028024D9D24847&AS

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\96bc58feee9343f4adb4276226731ce3_1 (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3399
Entropy (8bit):	5.649193848711768
Encrypted:	false
SSDEEP:	48:YrfBVUdGEFZ8Ht35cLsRkT+Ha8uDwsKkTJsuDxHaHn4FzkuLsRkT+Ha8uDCo0U/:KVySHt35EnZj88xgHnhunZjmpU/
MD5:	584C23585E9708AD7C1AEBFB8AE84ADD
SHA1:	D86FBE6C9A75624DA1E6FE8EF6352B0EB1DC22DC
SHA-256:	03E90F3EACA529DDCFB10BF15925FF410D11550D4B2B161A63FD55190E2D51DB
SHA-512:	FA7E78C8D01482BA59C91276B99FFE3AF173D3D6E97625E92C5B7D6B5E50CEF92C20D97EFCDA7A750CE38C697AECD8F5CC893912F3AAC181BCFDFFF1CDAB3E84
Malicious:	false
Preview:	{"class":"content","collections":[],"itemPropertyManifest":{"templateType":{"type":"text"},"onRender":{"type":"action"}},"items":[{"properties":{"templateType":{"text":"hidden"},"onRender":{"event":"none","parameters":{"collectionId":"Start.Suggestions","ctx.action":"addTileToCollection","ctx.containerPath":"//item[0]","ctx.contentId":"96bc58feee9343f4adb4276226731ce3","ctx.creativeId":"1667478697`128000000000402926`0`96bc58feee9343f4adb4276226731ce3`3600`338388`137270879400000000","ctx.cv":"Qk3e8FposEiXXDUU.0","ctx.expiration":"137270879400000000","ctx.placementId":"SubscribedContent-338388","onRender":"//item[0]/property[onRender]","templateType":"hidden"},"action":"addTileToCollection"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"},{"id":"//item[0]?eventName=click","name":"click"},{"id":"//item[0]?eventName=install","name":"install"},{"id":"//item[0]?eventName=installComplete","name":"installComplete"},{"id":"//item[0]?eventName=dislike","name":"

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\96bc58feee9343f4adb4276226731ce3_1.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3399
Entropy (8bit):	5.649193848711768
Encrypted:	false
SSDEEP:	48:YrfBVUdGEFZ8Ht35cLsRkT+Ha8uDwsKkTJsuDxHaHn4FzkuLsRkT+Ha8uDCo0U/:KVySHt35EnZj88xgHnhunZjmpU/
MD5:	584C23585E9708AD7C1AEBFB8AE84ADD
SHA1:	D86FBE6C9A75624DA1E6FE8EF6352B0EB1DC22DC
SHA-256:	03E90F3EACA529DDCFB10BF15925FF410D11550D4B2B161A63FD55190E2D51DB
SHA-512:	FA7E78C8D01482BA59C91276B99FFE3AF173D3D6E97625E92C5B7D6B5E50CEF92C20D97EFCDA7A750CE38C697AECD8F5CC893912F3AAC181BCFDFFF1CDAB3E84
Malicious:	false
Preview:	{"class":"content","collections":[],"itemPropertyManifest":{"templateType":{"type":"text"},"onRender":{"type":"action"}},"items":[{"properties":{"templateType":{"text":"hidden"},"onRender":{"event":"none","parameters":{"collectionId":"Start.Suggestions","ctx.action":"addTileToCollection","ctx.containerPath":"//item[0]","ctx.contentId":"96bc58feee9343f4adb4276226731ce3","ctx.creativeId":"1667478697`128000000000402926`0`96bc58feee9343f4adb4276226731ce3`3600`338388`137270879400000000","ctx.cv":"Qk3e8FposEiXXDUU.0","ctx.expiration":"137270879400000000","ctx.placementId":"SubscribedContent-338388","onRender":"//item[0]/property[onRender]","templateType":"hidden"},"action":"addTileToCollection"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"},{"id":"//item[0]?eventName=click","name":"click"},{"id":"//item[0]?eventName=install","name":"install"},{"id":"//item[0]?eventName=installComplete","name":"installComplete"},{"id":"//item[0]?eventName=dislike","name":"

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\03d0615dae6b45498e652e3e555b3e3d_1 (copy)

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1767
Entropy (8bit):	5.577925996504267
Encrypted:	false
SSDEEP:	48:YrLtLku8kLsPSR5NuDiemHFzkwhkKQyUs:ENkPslueuGkuUs
MD5:	F475EFAFBB0FAB970B2FA43682541384
SHA1:	A8C2A3C78EAEDCE3A3B81A2D3A3E7B26BD94AEE8
SHA-256:	633F87D55B480221AD0E76D1A5CEC296BD4115EA1770A3C2E0B8CE0EDD3B7A43
SHA-512:	6F64E07F6E630A2C753D56B16D8F8357D9C6DC3C90CB23E5BC347FC530F988D72F4759FCB91115A5020E8C7915107995C3242AC3FB0EF5A7D48F5DC2805A8EF9
Malicious:	false
Preview:	{"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{"ctx.action":"noOp","ctx.containerPath":"//item[0]","ctx.contentId":"03d0615dae6b45498e652e3e555b3e3d","ctx.creativeId":"1667478696`128000000001627409`0`03d0615dae6b45498e652e3e555b3e3d`604800`338389`137271744000000000","ctx.cv":"49s6YbKJiUGNere0.0","ctx.expiration":"137271744000000000","ctx.placementId":"SubscribedContent-338389","noOp":"//item[0]/property[noOp]"},"action":"noOp"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID={EID}&&PID=425116219&UIT=P-&TargetID=700333446&AN=1262935398&PG=PC000P0FR5.0000000IRU&REQASID=75EF775624424489969BB6FE3EAA1836&UNID=338389&ID=A8E1006BB917B201DA028024D9D24847&

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\03d0615dae6b45498e652e3e555b3e3d_1.~tmp

Download File

Process:	C:\Windows\System32\backgroundTaskHost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1767
Entropy (8bit):	5.577925996504267
Encrypted:	false
SSDEEP:	48:YrLtLku8kLsPSR5NuDiemHFzkwhkKQyUs:ENkPslueuGkuUs
MD5:	F475EFAFBB0FAB970B2FA43682541384
SHA1:	A8C2A3C78EAEDCE3A3B81A2D3A3E7B26BD94AEE8
SHA-256:	633F87D55B480221AD0E76D1A5CEC296BD4115EA1770A3C2E0B8CE0EDD3B7A43
SHA-512:	6F64E07F6E630A2C753D56B16D8F8357D9C6DC3C90CB23E5BC347FC530F988D72F4759FCB91115A5020E8C7915107995C3242AC3FB0EF5A7D48F5DC2805A8EF9
Malicious:	false
Preview:	{"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{"ctx.action":"noOp","ctx.containerPath":"//item[0]","ctx.contentId":"03d0615dae6b45498e652e3e555b3e3d","ctx.creativeId":"1667478696`128000000001627409`0`03d0615dae6b45498e652e3e555b3e3d`604800`338389`137271744000000000","ctx.cv":"49s6YbKJiUGNere0.0","ctx.expiration":"137271744000000000","ctx.placementId":"SubscribedContent-338389","noOp":"//item[0]/property[noOp]"},"action":"noOp"}},"tracking":{"events":[{"id":"//item[0]?eventName=impression","name":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=GB&lang=EN-US%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID={EID}&&PID=425116219&UIT=P-&TargetID=700333446&AN=1262935398&PG=PC000P0FR5.0000000IRU&REQASID=75EF775624424489969BB6FE3EAA1836&UNID=338389&ID=A8E1006BB917B201DA028024D9D24847&

C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.737556724687435
Encrypted:	false
SSDEEP:	192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
MD5:	6E55A6E7C3FDBD244042EB15CB1EC739
SHA1:	070EA80E2192ABC42F358D47B276990B5FA285A9
SHA-256:	ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
SHA-512:	2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 4%, Browse
Joe Sandbox View:	Filename: WELTER zahnrad GmbH Urgent enquiry Order nr543.exe, Detection: malicious, Browse Filename: WELTER zahnrad GmbH Urgent enquiry Order nr543.exe, Detection: malicious, Browse Filename: Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe, Detection: malicious, Browse Filename: Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe, Detection: malicious, Browse Filename: Eminencer.exe, Detection: malicious, Browse Filename: Shipment Notification.exe, Detection: malicious, Browse Filename: Prokuraers.exe, Detection: malicious, Browse Filename: RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe, Detection: malicious, Browse Filename: Eminencer.exe, Detection: malicious, Browse Filename: Shipment Notification.exe, Detection: malicious, Browse Filename: COSTCO Purchase Order.exe, Detection: malicious, Browse Filename: Prokuraers.exe, Detection: malicious, Browse Filename: RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe, Detection: malicious, Browse Filename: NEW GIZA - INFRA - RFQ ( Pump ).exe, Detection: malicious, Browse Filename: COSTCO Purchase Order.exe, Detection: malicious, Browse Filename: NEW GIZA - INFRA - RFQ ( Pump ).exe, Detection: malicious, Browse Filename: AWB DHL 7214306201 Shipment Notification.exe, Detection: malicious, Browse Filename: AWB DHL 7214306201 Shipment Notification.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Shoved\Factorist\dialog-warning-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	286
Entropy (8bit):	6.880810677512409
Encrypted:	false
SSDEEP:	6:6v/lhPysDQqinrW8/97kGwr/F+Elz3hsKrnLIuYK/SwtNVp:6v/7ZiK817kG3Mz3ZIiSoN7
MD5:	03DEC13C99CA8B2766C9B4468E0E781B
SHA1:	DA2202AF040D5494D7281FAB003C748457255CEE
SHA-256:	DEBC1949821086D01AE4A60BFFF1A73CFF47E7AB100E9028556496C254C05655
SHA-512:	566533ABC453A817570660154026D2206866073AB28CA6243C15AFF6A57C4A8B686EB7F23B4161EF4AE2A2C5C71F3DD6FD7271F4667A8C2E606D7CA19CC71FE7
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...?J.A.....A....../.%.2....<.......6...H..i..-.'Eva.qw_.`.\|.3.0.s.....O_2..Y=....p..N..].J.......t.Q6..y... ..u.......\|.u....1.D..b...2\|..H..........HS]=...~.M..$.>q.............\|..wq.~vZ.\|a..f..Tg.x._I....IEND.B`.

C:\Users\user\AppData\Roaming\Shoved\skrupforelskede.bin

Download File

Process:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
File Type:	data
Category:	dropped
Size (bytes):	106887
Entropy (8bit):	7.75553468119485
Encrypted:	false
SSDEEP:	1536:bYpDSzihO1IsnBzEfH5ZR0fha22stcSuYZtL+8VdfWuZTJrBWmlRsMM:mDcgO1IeQfH5ZRXstcgKodfhrBBDM
MD5:	73A6739AA8670352F00CA22E28B2E5E3
SHA1:	14B5E6BB7FA6A534D9CCB20C19F57D82C8C8D634
SHA-256:	1E182B58911811ED9709B682EFE83DD96093AC013DA58698D2687E526E4D3B96
SHA-512:	46D0E7F0B7EC4042B66B0CF98076D9E59157B3A011A9EB2E1238D4B5B579B9B9194F257F3B6DB9191F66F135232B0D9DA85360CBC8F87B612847FAE471083971
Malicious:	false
Preview:	Tw8... ......x.q.f..a.!..P..........r...D..L.i.:....D...\|..$d.....u......................<..g..b..`..........3...<....;......^.........#............;<._......W<V....s.w......5XU....F...5G6.<Q..%-L...<...,-...C....y5........<`........[1.......`@......@..m<s@.....@<L..K=L...u..W..........l.......`]h.Q..&.-.X[?S..;.c..vh..^.!....o.......ue.@....C&<..}....G/.E....N.b.Sx.k...0..-.V..F.....gCV....a$r".q..<2)..@^$.i ...5./.Y...z'...5)jJI..:.J.[S.....`e.D_(.yp.[?....A..6uD7+......WHf..Vp....\g.8.;....k.9....Z.W....8D.+..+..+..+..+..+..+..+..+..+..+..+.~..{.q...p...9..t...G.X.e.X.\..D.V...8H.+..+..+..+..+..+..+..+..+..+..+..+..+..~p....W...qr..?...\|.]q,..t.2.....!0I.V...q.C..l..A-.'R..*.....pf...'..q.%........V.!>...4.......,;c.....5\%\q/.]..Y......W..p.a...%.?. &...`.u/E..R.]h.h.b....~p...5P..\|V....m.W.~....n.`......&.l5v..E.a.q..E..?......U......Uz...~p.e...~p..U.i..(.c..`.........5...a.\|V............@\|N......\|.X..V..h.a... &

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.688048037898308
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
File size:	236896
MD5:	045f22ce9be3d33b07a00780ee66fcfd
SHA1:	91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256:	e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
SHA512:	c363c64fe3b52d615601810b577168be5b3339ba6bde011ae0c76bbee76718782f8b737b0c9f6d82d34197045ce1c35389cba26622349bb2c0c77f62ed29d063
SSDEEP:	6144:vT4DtMeWIPR0PVPCespE0s67yIMYxrzWJougaEzEk:vTpeZ00SI18ogC
TLSH:	2134014177B5C463ED564A30C813A7F2A9B97C11D9E89F4707423E8EBC76382DA1A32D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...P..`.................h.........

File Icon


Icon Hash:	879b931b3bb3b393

Static PE Info

General

Entrypoint:	0x4034c5
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC9250 [Sat Jul 24 22:21:04 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6e7f9a29f2c85394521a08b9f31f6275

Authenticode Signature

Signature Valid:	false
Signature Issuer:	OU="Squatterism Autodialing ", E=Wirestitched@Longobardian.No, O=driftier, L=West Tarbert, S=Scotland, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	17/07/2022 17:44:12 16/07/2025 17:44:12
Subject Chain	OU="Squatterism Autodialing ", E=Wirestitched@Longobardian.No, O=driftier, L=West Tarbert, S=Scotland, C=GB
Version:	3
Thumbprint MD5:	CE0B0A248006454637FB21369D393B35
Thumbprint SHA-1:	FDB8159D5CAE5E96B90D0300979493249FE76435
Thumbprint SHA-256:	67AA1334C6C443A496FCD527B5F1A30A2CA661AC20D33E7BCCADEF6982D2575C
Serial:	33616A6CE5467077

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080CCh]
call dword ptr [004080D0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434F0Ch], eax
je 00007FF0B0CBF363h
push ebx
call 00007FF0B0CC2651h
cmp eax, ebx
je 00007FF0B0CBF359h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FF0B0CC25CBh
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FF0B0CBF33Ch
push 0000000Bh
call 00007FF0B0CC2624h
push 00000009h
call 00007FF0B0CC261Dh
push 00000007h
mov dword ptr [00434F04h], eax
call 00007FF0B0CC2611h
cmp eax, ebx
je 00007FF0B0CBF361h
push 0000001Eh
call eax
test eax, eax
je 00007FF0B0CBF359h
or byte ptr [00434F0Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [00434FD8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x147e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x37ca8	0x20b8	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6793	0x6800	False	0.6720628004807693	data	6.495258513279076	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a4	0x1600	False	0.4385653409090909	data	5.01371465125838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	False	0.5240885416666666	data	4.155579717739458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x48000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7e000	0x147e8	0x14800	False	0.8290658346036586	data	7.314494987254223	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x7e4f0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x7e858	0x820b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x86a68	0x39ac	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States
RT_ICON	0x8a418	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x8c9c0	0x14fa	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States
RT_ICON	0x8dec0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x8ef68	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States
RT_ICON	0x8fe10	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States
RT_ICON	0x906b8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0x90d20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States
RT_ICON	0x91288	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x916f0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x919d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_DIALOG	0x91b00	0x144	data	English	United States
RT_DIALOG	0x91c48	0x13c	data	English	United States
RT_DIALOG	0x91d88	0x100	data	English	United States
RT_DIALOG	0x91e88	0x11c	data	English	United States
RT_DIALOG	0x91fa8	0xc4	data	English	United States
RT_DIALOG	0x92070	0xb6	data	English	United States
RT_DIALOG	0x92128	0x60	data	English	United States
RT_GROUP_ICON	0x92188	0xae	data	English	United States
RT_VERSION	0x92238	0x270	data	English	United States
RT_MANIFEST	0x924a8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exePID: 4848, Parent PID: 4788

General

Target ID:	2
Start time:	12:31:58
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x400000
File size:	236896 bytes
MD5 hash:	045F22CE9BE3D33B07A00780EE66FCFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: dllhost.exePID: 2364, Parent PID: 812

General

Target ID:	3
Start time:	12:31:58
Start date:	03/11/2022
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff612890000
File size:	21312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: backgroundTaskHost.exePID: 4408, Parent PID: 812

General

Target ID:	4
Start time:	12:32:09
Start date:	03/11/2022
Path:	C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Imagebase:	0x7ff618d70000
File size:	19776 bytes
MD5 hash:	DA7063B17DBB8BBB3015351016868006
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: dllhost.exePID: 4508, Parent PID: 812

General

Target ID:	5
Start time:	12:32:10
Start date:	03/11/2022
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff612890000
File size:	21312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: BackgroundTransferHost.exePID: 4480, Parent PID: 812

General

Target ID:	7
Start time:	12:32:11
Start date:	03/11/2022
Path:	C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit):	false
Commandline:	"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase:	0x7ff609480000
File size:	37376 bytes
MD5 hash:	C5D813D92E83CDE3FECD9343933E3421
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: BackgroundTransferHost.exePID: 5560, Parent PID: 812

General

Target ID:	8
Start time:	12:32:14
Start date:	03/11/2022
Path:	C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit):	false
Commandline:	"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase:	0x7ff609480000
File size:	37376 bytes
MD5 hash:	C5D813D92E83CDE3FECD9343933E3421
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 5400, Parent PID: 4848

General

Target ID:	9
Start time:	12:32:28
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 1820, Parent PID: 4848

General

Target ID:	10
Start time:	12:32:29
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 6908, Parent PID: 4848

General

Target ID:	11
Start time:	12:32:29
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 1396, Parent PID: 4848

General

Target ID:	12
Start time:	12:32:29
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 4268, Parent PID: 4848

General

Target ID:	13
Start time:	12:32:29
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 4772, Parent PID: 4848

General

Target ID:	14
Start time:	12:32:30
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 7620, Parent PID: 4848

General

Target ID:	15
Start time:	12:32:30
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 6588, Parent PID: 4848

General

Target ID:	16
Start time:	12:32:30
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 3156, Parent PID: 4848

General

Target ID:	17
Start time:	12:32:31
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 5924, Parent PID: 4848

General

Target ID:	18
Start time:	12:32:31
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 3988, Parent PID: 4848

General

Target ID:	19
Start time:	12:32:31
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x570000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 7732, Parent PID: 4848

General

Target ID:	20
Start time:	12:32:31
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 4760, Parent PID: 4848

General

Target ID:	21
Start time:	12:32:32
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 7756, Parent PID: 4848

General

Target ID:	22
Start time:	12:32:32
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 4612, Parent PID: 4848

General

Target ID:	23
Start time:	12:32:32
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 3852, Parent PID: 4848

General

Target ID:	24
Start time:	12:32:33
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 6596, Parent PID: 4848

General

Target ID:	25
Start time:	12:32:33
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 6516, Parent PID: 4848

General

Target ID:	26
Start time:	12:32:33
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 7348, Parent PID: 4848

General

Target ID:	27
Start time:	12:32:34
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 7808, Parent PID: 4848

General

Target ID:	28
Start time:	12:32:34
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 7380, Parent PID: 4848

General

Target ID:	29
Start time:	12:32:34
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x520000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 5404, Parent PID: 4848

General

Target ID:	30
Start time:	12:32:35
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 7588, Parent PID: 4848

General

Target ID:	31
Start time:	12:32:35
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 5708, Parent PID: 4848

General

Target ID:	32
Start time:	12:32:35
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 8104, Parent PID: 4848

General

Target ID:	33
Start time:	12:32:36
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 1160, Parent PID: 4848

General

Target ID:	34
Start time:	12:32:36
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 6700, Parent PID: 4848

General

Target ID:	35
Start time:	12:32:36
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 6248, Parent PID: 4848

General

Target ID:	36
Start time:	12:32:36
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 5524, Parent PID: 4848

General

Target ID:	37
Start time:	12:32:36
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 5904, Parent PID: 4848

General

Target ID:	38
Start time:	12:32:37
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Imagebase:	0x610000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: backgroundTaskHost.exePID: 5840, Parent PID: 812

General

Target ID:	39
Start time:	12:32:37
Start date:	03/11/2022
Path:	C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Imagebase:	0x7ff618d70000
File size:	19776 bytes
MD5 hash:	DA7063B17DBB8BBB3015351016868006
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exePID: 4848, Parent PID: 4788COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	9.5%
Signature Coverage:	20.2%
Total number of Nodes:	1739
Total number of Limit Nodes:	52

Executed Functions

Function 004034C5 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t62;
				void* _t65;
				void* _t67;
				int _t69;
				int _t71;
				int _t74;
				intOrPtr* _t75;
				int _t76;
				int _t78;
				void* _t102;
				signed int _t119;
				void* _t122;
				void* _t127;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr* _t148;
				int _t150;
				void* _t153;
				int _t154;
				signed int _t158;
				signed int _t163;
				signed int _t168;
				void* _t170;
				void* _t172;
				int* _t174;
				signed int _t180;
				signed int _t183;
				CHAR* _t184;
				WCHAR* _t185;
				void* _t191;
				char* _t192;
				void* _t195;
				void* _t196;
				void* _t242;

				_t170 = 0x20;
				_t150 = 0;
				 *(_t196 + 0x14) = 0;
				 *(_t196 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t196 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x434f0c = _t51;
				if(_t51 != 6) {
					_t148 = E00406806(0);
					if(_t148 != 0) {
						 *_t148(0xc00);
					}
				}
				_t184 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t191);
				__imp__OleInitialize(_t150); // executed
				 *0x434fd8 = _t56;
				SHGetFileInfoW(0x42b228, _t150, _t196 + 0x34, 0x2b4, _t150); // executed
				E00406411(0x433f00, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t192 = L"\"C:\\Users\\Arthur\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe\"";
				E00406411(_t192, _t60);
				 *0x434f00 = 0x400000;
				_t62 = _t192;
				if(L"\"C:\\Users\\Arthur\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe\"" == 0x22) {
					_t62 =  &M00440002;
					_t170 = 0x22;
				}
				_t154 = CharNextW(E00405D13(_t62, _t170));
				 *(_t196 + 0x18) = _t154;
				_t65 =  *_t154;
				if(_t65 == _t150) {
					L33:
					_t185 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t185);
					_t67 = E00403494(_t154, 0);
					_t224 = _t67;
					if(_t67 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t69 = E00403015(_t226,  *(_t196 + 0x1c)); // executed
						 *(_t196 + 0x10) = _t69;
						if(_t69 != _t150) {
							L48:
							E00403A06();
							__imp__OleUninitialize();
							_t238 =  *(_t196 + 0x10) - _t150;
							if( *(_t196 + 0x10) == _t150) {
								__eflags =  *0x434fb4 - _t150;
								if( *0x434fb4 == _t150) {
									L72:
									_t71 =  *0x434fcc;
									__eflags = _t71 - 0xffffffff;
									if(_t71 != 0xffffffff) {
										 *(_t196 + 0x10) = _t71;
									}
									ExitProcess( *(_t196 + 0x10));
								}
								_t74 = OpenProcessToken(GetCurrentProcess(), 0x28, _t196 + 0x14);
								__eflags = _t74;
								if(_t74 != 0) {
									LookupPrivilegeValueW(_t150, L"SeShutdownPrivilege", _t196 + 0x20);
									 *(_t196 + 0x34) = 1;
									 *(_t196 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t196 + 0x28), _t150, _t196 + 0x24, _t150, _t150, _t150);
								}
								_t75 = E00406806(4);
								__eflags = _t75 - _t150;
								if(_t75 == _t150) {
									L70:
									_t76 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t76;
									if(_t76 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t78 =  *_t75(_t150, _t150, _t150, 0x25, 0x80040002);
									__eflags = _t78;
									if(_t78 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E00405A77( *(_t196 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x434f20 == _t150) {
							L47:
							 *0x434fcc =  *0x434fcc | 0xffffffff;
							 *(_t196 + 0x14) = E00403AE0( *0x434fcc);
							goto L48;
						}
						_t174 = E00405D13(_t192, _t150);
						if(_t174 < _t192) {
							L44:
							_t235 = _t174 - _t192;
							 *(_t196 + 0x10) = L"Error launching installer";
							if(_t174 < _t192) {
								_t172 = E004059E2(_t238);
								lstrcatW(_t185, L"~nsu");
								if(_t172 != _t150) {
									lstrcatW(_t185, "A");
								}
								lstrcatW(_t185, L".tmp");
								_t194 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t185, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t185);
									if(_t172 == _t150) {
										E004059C5();
									} else {
										E00405948();
									}
									SetCurrentDirectoryW(_t185);
									_t242 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved" - _t150; // 0x43
									if(_t242 == 0) {
										E00406411(L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved", _t194);
									}
									E00406411(0x436000,  *(_t196 + 0x18));
									_t155 = "A" & 0x0000ffff;
									 *0x436800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t195 = 0x1a;
									do {
										E0040644E(_t150, 0x42aa28, _t185, 0x42aa28,  *((intOrPtr*)( *0x434f14 + 0x120)));
										DeleteFileW(0x42aa28);
										if( *(_t196 + 0x10) != _t150 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", 0x42aa28, 1) != 0) {
											E004061D7(_t155, 0x42aa28, _t150);
											E0040644E(_t150, 0x42aa28, _t185, 0x42aa28,  *((intOrPtr*)( *0x434f14 + 0x124)));
											_t102 = E004059FA(0x42aa28);
											if(_t102 != _t150) {
												CloseHandle(_t102);
												 *(_t196 + 0x10) = _t150;
											}
										}
										 *0x436800 =  *0x436800 + 1;
										_t195 = _t195 - 1;
									} while (_t195 != 0);
									E004061D7(_t155, _t185, _t150);
								}
								goto L48;
							}
							 *_t174 = _t150;
							_t175 =  &(_t174[2]);
							if(E00405DEE(_t235,  &(_t174[2])) == 0) {
								goto L48;
							}
							E00406411(L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved", _t175);
							E00406411(L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved\\Factorist", _t175);
							 *(_t196 + 0x10) = _t150;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t158 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t119 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t163 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t174 != _t158 || _t174[1] != _t119) {
							_t174 = _t174;
							if(_t174 >= _t192) {
								continue;
							}
							break;
						}
						_t150 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t185, 0x3fb);
					lstrcatW(_t185, L"\\Temp");
					_t122 = E00403494(_t154, _t224);
					_t225 = _t122;
					if(_t122 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t185);
					lstrcatW(_t185, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t185);
					SetEnvironmentVariableW(L"TMP", _t185);
					_t127 = E00403494(_t154, _t225);
					_t226 = _t127;
					if(_t127 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t153 = 0x20;
						if(_t65 != _t153) {
							L13:
							if( *_t154 == 0x22) {
								_t154 = _t154 + 2;
								_t153 = 0x22;
							}
							if( *_t154 != 0x2f) {
								goto L27;
							} else {
								_t154 = _t154 + 2;
								if( *_t154 == 0x53) {
									_t147 =  *((intOrPtr*)(_t154 + 2));
									if(_t147 == 0x20 || _t147 == 0) {
										 *0x434fc0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t168 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t180 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t168;
								if( *_t154 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t168) &&  *((intOrPtr*)(_t154 + 4)) == _t180) {
									_t146 =  *((intOrPtr*)(_t154 + 8));
									if(_t146 == 0x20 || _t146 == 0) {
										 *(_t196 + 0x1c) =  *(_t196 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t163 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t183 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t163;
								if( *(_t154 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t163) ||  *_t154 != _t183) {
									goto L27;
								} else {
									 *(_t154 - 4) =  *(_t154 - 4) & 0x00000000;
									__eflags = _t154;
									E00406411(L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved", _t154);
									L32:
									_t150 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t154 = _t154 + 2;
						} while ( *_t154 == _t153);
						goto L13;
						L27:
						_t154 = E00405D13(_t154, _t153);
						if( *_t154 == 0x22) {
							_t154 = _t154 + 2;
						}
						_t65 =  *_t154;
					} while (_t65 != 0);
					goto L32;
				}
				L4:
				E00406796(_t184); // executed
				_t184 =  &(_t184[lstrlenA(_t184) + 1]);
				if( *_t184 != 0) {
					goto L4;
				} else {
					E00406806(0xb);
					 *0x434f04 = E00406806(9);
					_t56 = E00406806(7);
					if(_t56 != _t150) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x434f0f =  *0x434f0f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x004034d0
0x004034d1
0x004034d8
0x004034dc
0x004034e4
0x004034e8
0x004034f4
0x004034fd
0x00403502
0x00403505
0x0040350c
0x00403513
0x00403513
0x0040350c
0x00403515
0x00403515
0x0040355d
0x0040355e
0x00403565
0x0040356b
0x00403581
0x00403591
0x00403596
0x0040359c
0x004035a3
0x004035b0
0x004035ba
0x004035bc
0x004035c0
0x004035c5
0x004035c5
0x004035d4
0x004035d6
0x004035da
0x004035e0
0x004036f7
0x004036fd
0x00403708
0x0040370a
0x0040370f
0x00403711
0x00403769
0x0040376e
0x00403778
0x0040377f
0x00403783
0x00403834
0x00403834
0x00403839
0x0040383f
0x00403844
0x0040396a
0x00403970
0x004039ee
0x004039ee
0x004039f3
0x004039f6
0x004039f8
0x004039f8
0x00403a00
0x00403a00
0x00403980
0x00403986
0x00403988
0x00403995
0x004039a8
0x004039b0
0x004039b8
0x004039b8
0x004039c0
0x004039c5
0x004039cc
0x004039da
0x004039dd
0x004039e3
0x004039e5
0x00000000
0x00000000
0x00000000
0x004039ce
0x004039d4
0x004039d6
0x004039d8
0x004039e7
0x004039e9
0x00000000
0x004039e9
0x00000000
0x004039d8
0x004039cc
0x00403853
0x0040385a
0x0040385a
0x0040378f
0x00403824
0x00403824
0x00403830
0x00000000
0x00403830
0x0040379c
0x004037a0
0x004037ee
0x004037ee
0x004037f0
0x004037f8
0x0040386b
0x0040386d
0x00403874
0x0040387c
0x0040387c
0x00403887
0x0040388c
0x0040389b
0x0040389f
0x004038a0
0x004038a9
0x004038a2
0x004038a2
0x004038a2
0x004038af
0x004038b5
0x004038bc
0x004038c4
0x004038c4
0x004038d2
0x004038de
0x004038ec
0x004038f1
0x004038f7
0x00403903
0x00403909
0x00403913
0x00403929
0x0040393a
0x00403940
0x00403947
0x0040394a
0x00403950
0x00403950
0x00403947
0x00403954
0x0040395b
0x0040395b
0x00403960
0x00403960
0x00000000
0x0040389b
0x004037fa
0x004037fd
0x00403808
0x00000000
0x00000000
0x00403810
0x0040381b
0x00403820
0x00000000
0x00403820
0x004037a9
0x004037c1
0x004037d2
0x004037d3
0x004037d7
0x004037d9
0x004037e7
0x004037ea
0x00000000
0x00000000
0x00000000
0x004037ea
0x004037ec
0x00000000
0x004037ec
0x00403719
0x00403725
0x0040372a
0x0040372f
0x00403731
0x00000000
0x00000000
0x00403739
0x00403741
0x00403752
0x0040375a
0x0040375c
0x00403761
0x00403763
0x00000000
0x00000000
0x00000000
0x004035e6
0x004035e6
0x004035e8
0x004035ec
0x004035f5
0x004035f9
0x004035fe
0x004035ff
0x004035ff
0x00403604
0x00000000
0x0040360a
0x0040360b
0x00403610
0x00403612
0x0040361a
0x00403621
0x00403621
0x0040361a
0x00403632
0x00403645
0x00403646
0x0040365b
0x00403660
0x00403664
0x0040366d
0x00403675
0x0040367c
0x0040367c
0x00403675
0x00403688
0x0040369b
0x0040369c
0x004036b1
0x004036b7
0x004036bb
0x00000000
0x004036e2
0x004036e2
0x004036e7
0x004036f0
0x004036f5
0x004036f5
0x00000000
0x004036f5
0x004036bb
0x00000000
0x00000000
0x00000000
0x004035ee
0x004035ee
0x004035ef
0x004035f0
0x00000000
0x004036c3
0x004036ca
0x004036d0
0x004036d3
0x004036d3
0x004036d4
0x004036d7
0x00000000
0x004036e0
0x0040351a
0x0040351b
0x00403527
0x0040352e
0x00000000
0x00403530
0x00403532
0x00403540
0x00403545
0x0040354c
0x00403550
0x00403554
0x00403556
0x00403556
0x00403554
0x00000000
0x0040354c

APIs

SetErrorMode.KERNELBASE ref: 004034E8
GetVersion.KERNEL32 ref: 004034EE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403521
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040355E
OleInitialize.OLE32(00000000), ref: 00403565
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403581
GetCommandLineW.KERNEL32(00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 00403596
CharNextW.USER32(00000000,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",00000020,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",00000000,?,00000007,00000009,0000000B), ref: 004035CE

Part of subcall function 00406806: GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
Part of subcall function 00406806: GetProcAddress.KERNEL32(00000000,?), ref: 00406833

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403708
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403725
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403739
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403741
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403752
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040375A
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040376E

Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403839
ExitProcess.KERNEL32 ref: 0040385A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040386D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040387C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403887
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403893
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004038AF
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,00000009,?,00000007,00000009,0000000B), ref: 00403909
CopyFileW.KERNEL32(C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,0042AA28,00000001,?,00000007,00000009,0000000B), ref: 0040391D
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000,?,00000007,00000009,0000000B), ref: 0040394A
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403979
OpenProcessToken.ADVAPI32(00000000), ref: 00403980
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403995
AdjustTokenPrivileges.ADVAPI32 ref: 004039B8
ExitWindowsEx.USER32(00000002,80040002), ref: 004039DD
ExitProcess.KERNEL32 ref: 00403A00

Strings

\Temp, xrefs: 0040371F
Low, xrefs: 0040373B
SeShutdownPrivilege, xrefs: 0040398F
C:\Users\user\AppData\Roaming\Shoved, xrefs: 004036EB, 0040380B, 004038B5, 004038BF
Error launching installer, xrefs: 004037F0
TMP, xrefs: 00403755
NSIS Error, xrefs: 00403587
~nsu, xrefs: 00403865
C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, xrefs: 00403918
UXTHEME, xrefs: 00403515, 0040351A, 00403520
"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 0040359C, 004035A2, 00403796
1033, xrefs: 00403769
TEMP, xrefs: 0040374D
C:\Users\user\AppData\Roaming\Shoved\Factorist, xrefs: 00403816
C:\Users\user\AppData\Local\Temp\, xrefs: 004036FD, 00403702, 00403718, 00403724, 00403733, 00403740, 0040374C, 00403754, 0040386A, 0040387B, 00403886, 00403892, 0040389F, 004038AE, 0040395F
C:\Users\user\Desktop, xrefs: 0040388C, 00403891, 004038BE
.tmp, xrefs: 00403881

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Shoved$C:\Users\user\AppData\Roaming\Shoved\Factorist$C:\Users\user\Desktop$C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3004311783
Opcode ID: ce25b764dac2c90f857618beb49180f73b32db989e1771c1845c73eb86c2c21e
Instruction ID: 633452ec6b1f102921f1489b21fe302f429ce1b90f1906ff0e0a9b5b291269fb
Opcode Fuzzy Hash: ce25b764dac2c90f857618beb49180f73b32db989e1771c1845c73eb86c2c21e
Instruction Fuzzy Hash: 7DD12671600311ABE7207F659D45B3B3AACEB8070AF11443FF581B62D1DBBD89518B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B23 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405B23(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405DEE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x434fa8 =  *0x434fa8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406411(0x42f270, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405D32(_t68);
					} else {
						lstrcatW(0x42f270, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x42f270,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406411(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405ADB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405479(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x434fa8 =  *0x434fa8 + 1;
										} else {
											E00405479(0xfffffff1, _t68);
											E004061D7(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405B23(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x42f270 - 0x5c;
					if( *0x42f270 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040676F(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405CE6(_t68);
							_t38 = E00405ADB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405479(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405479(0xfffffff1, _t68);
							return E004061D7(_t67, _t68, 0);
						}
						L30:
						 *0x434fa8 =  *0x434fa8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405b2d
0x00405b32
0x00405b3b
0x00405b3e
0x00405b46
0x00405b49
0x00405b4c
0x00405b54
0x00405b56
0x00405b57
0x00000000
0x00405b57
0x00405b62
0x00405b65
0x00405b65
0x00405b65
0x00405b69
0x00405b7c
0x00405b83
0x00405b88
0x00405b8c
0x00405b9c
0x00405b8e
0x00405b94
0x00405b94
0x00405ba1
0x00405ba5
0x00405bb1
0x00405bb7
0x00405bbc
0x00405bc2
0x00405bcd
0x00405bd3
0x00405bd5
0x00405bd8
0x00405c82
0x00405c82
0x00405c86
0x00405c88
0x00405c88
0x00405c88
0x00405c88
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bde
0x00405bde
0x00405bde
0x00405be6
0x00405c06
0x00405c0e
0x00405c13
0x00405c1a
0x00405c35
0x00405c3a
0x00405c3c
0x00405c60
0x00405c3e
0x00405c3e
0x00405c41
0x00405c55
0x00405c43
0x00405c46
0x00405c4e
0x00405c4e
0x00405c41
0x00405c1c
0x00405c22
0x00405c24
0x00405c2a
0x00405c2a
0x00405c24
0x00000000
0x00405c1a
0x00405be8
0x00405bf0
0x00000000
0x00000000
0x00405bf2
0x00405bfa
0x00000000
0x00000000
0x00405bfc
0x00405c04
0x00000000
0x00000000
0x00000000
0x00405c65
0x00405c6d
0x00405c73
0x00405c73
0x00405c7c
0x00000000
0x00405c7c
0x00405ba7
0x00405baf
0x00000000
0x00000000
0x00000000
0x00405b6b
0x00405b6b
0x00405b6d
0x00405c8d
0x00405c8f
0x00405c92
0x00405ce3
0x00405ce3
0x00405ce3
0x00405c94
0x00405c97
0x00405ca2
0x00405ca7
0x00405ca9
0x00000000
0x00000000
0x00405cac
0x00405cb8
0x00405cbd
0x00405cbf
0x00000000
0x00405cda
0x00405cc1
0x00405cc4
0x00000000
0x00000000
0x00405cc9
0x00000000
0x00405cd0
0x00405c99
0x00405c99
0x00000000
0x00405c99
0x00405b73
0x00405b76
0x00000000
0x00000000
0x00000000
0x00405b76

APIs

DeleteFileW.KERNELBASE(?,?,75423420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B4C
lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405B94
lstrcatW.KERNEL32(?,0040A014), ref: 00405BB7
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,75423420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BBD
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,75423420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BCD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C6D
FindClose.KERNEL32(00000000), ref: 00405C7C

Strings

"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00405B23
\*.*, xrefs: 00405B8E
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3960578727
Opcode ID: d511c024af8fdc6ff868d432ce58507b2a66eda6578bf5e7436de137c1c2de65
Instruction ID: 64ad53015563eb9bad7c636b6f780160dd5a6986b89d0419f795064a900c36f2
Opcode Fuzzy Hash: d511c024af8fdc6ff868d432ce58507b2a66eda6578bf5e7436de137c1c2de65
Instruction Fuzzy Hash: 8941B330804B18AAEB21AB658D89AAF7778EF41714F24417FF802B11D1D77C5E81DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040676F Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040676F(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4302b8;
			}

0x0040677a
0x00406783
0x00000000
0x00406790
0x00406786
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,004302B8,0042FA70,00405E37,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4Bu,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,75423420,C:\Users\user\AppData\Local\Temp\), ref: 0040677A
FindClose.KERNEL32(00000000), ref: 00406786

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: c6bcef3f8635fd9f58624a192a3d19c105278d067f6c5fe4f3eb3d2c281a06a9
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: F0D012315242206FC3805B386E0C84B7A989F16335B218B36B4AAF21E0D7349C3287BC

Uniqueness

Uniqueness Score: -1.00%

Function 02BA5E2E Relevance: 1.7, APIs: 1, Instructions: 208fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,7D7C4965,00000044), ref: 02BA5F88

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bc09973c0a1a1f5175889d4a9e21eb01732cf42e300595618ad239e1dd6e8942
Instruction ID: 63c313f0cd1cde040d38e64973b91856143a4116edc7f9f917ebfa760a59c64e
Opcode Fuzzy Hash: bc09973c0a1a1f5175889d4a9e21eb01732cf42e300595618ad239e1dd6e8942
Instruction Fuzzy Hash: 7D6146B160434A9FCF349E788DE47EB77A7AF59390F85422EDD8A9B200D7314A85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02BA871D Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02BA8795

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: efcb07d4f46636acb536b0b6ac866f642b644eaf245c0111486021dcc2d33c8e
Instruction ID: 004e4d3bd8ff076f9d7584d65d1f7cde8e490e0cdfa991f4e78dcce14793802a
Opcode Fuzzy Hash: efcb07d4f46636acb536b0b6ac866f642b644eaf245c0111486021dcc2d33c8e
Instruction Fuzzy Hash: 06013CB46453459FEB30DE59C888AEA7BA6FFC8300F95842EDC8997605C7319E45CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02BA5FA7 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6c8da827cf7c5f0beaea0162627eac92cbee6525caef8304384d7bc20879cc
Instruction ID: 64c2fc9bdfa1cb1219df3730535d18599312595c9a57cf2e02fb55fe9ef39c1d
Opcode Fuzzy Hash: ec6c8da827cf7c5f0beaea0162627eac92cbee6525caef8304384d7bc20879cc
Instruction Fuzzy Hash: ABC177725053458FDF258E74C9A43EA3BA2EF53364FA942AECD868B650D3364987CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02B94347 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56371d6cc4658879a082902c186ff7a0ba371db4ab00ffcae7c40338254e98bf
Instruction ID: 0de355795a7b96f7d0ad8d139e227d4f7766c320f91968c19eeab41f4e8a900c
Opcode Fuzzy Hash: 56371d6cc4658879a082902c186ff7a0ba371db4ab00ffcae7c40338254e98bf
Instruction Fuzzy Hash: CDC1F571A043599FDF34AE2889A43EE77E6EF59350F85442EDCCAD7250D3308A85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD4 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 490
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404DD4(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				int _v32;
				void* _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t191;
				signed int _t203;
				void* _t206;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t249;
				signed int _t251;
				signed char _t252;
				signed char _t260;
				void* _t265;
				void* _t267;
				signed char* _t285;
				signed char _t286;
				long _t288;
				long _t291;
				void* _t298;
				signed int* _t299;
				int _t300;
				long _t301;
				int _t303;
				long _t304;
				int _t305;
				signed int _t306;
				signed int _t309;
				signed int _t316;
				signed char* _t324;
				int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t191 = GetDlgItem(_a4, 0x408);
				_t298 =  *0x434f48;
				_t331 = SendMessageW;
				_v8 = _t191;
				_v36 = _t298;
				_v24 =  *0x434f14 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t307 = _a16;
					} else {
						_a12 = 0;
						_t307 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t307;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t307 + 4)) == 0x408) {
							if(( *0x434f1d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t242 + 0x5c)); // executed
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe39) {
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t307 = 0 | _a8 != 0x00000413;
								_t249 = E00404D22(_v8, _a8 != 0x413);
								_v20 = _t249;
								if(_t249 >= 0) {
									_t100 = _t298 + 8; // 0x8
									_t307 = _t249 * 0x818 + _t100;
									_t251 =  *_t307;
									if((_t251 & 0x00000010) == 0) {
										if((_t251 & 0x00000040) == 0) {
											_t252 = _t251 ^ 0x00000001;
										} else {
											_t260 = _t251 ^ 0x00000080;
											if(_t260 >= 0) {
												_t252 = _t260 & 0x000000fe;
											} else {
												_t252 = _t260 | 0x00000001;
											}
										}
										 *_t307 = _t252;
										E0040117D(_v20);
										_a8 = 0x40f;
										_a12 = _v20 + 1;
										_a16 =  !( *0x434f1c) >> 0x00000008 & 0x00000001;
									}
								}
								goto L41;
							}
							_t307 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42d24c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42d260;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42d24c = 0;
								 *0x42d260 = 0;
								 *0x434f80 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x434f1d & 0x00000001) != 0) {
									_t329 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t329);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t329);
								}
								goto L93;
							} else {
								E004011EF(_t307, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404DA2();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t307, 0, 0);
									_v36 =  *0x42d260;
									_t206 =  *0x434f48;
									_v64 = 0xf030;
									_v20 = 0;
									if( *0x434f4c <= 0) {
										L86:
										if( *0x434f0c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x433edc + 0x10)) != 0) {
											E00404CDD(0x3ff, 0xfffffffb, E00404CF5(5));
										}
										goto L90;
									}
									_t299 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v20 * 4));
										if(_t212 != 0) {
											_t309 =  *_t299;
											_v72 = _t212;
											_v76 = 8;
											if((_t309 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t299[4]);
												_t299[0] = _t299[0] & 0x000000fe;
											}
											if((_t309 & 0x00000040) == 0) {
												_t216 = (_t309 & 0x00000001) + 1;
												if((_t309 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t309 & 0x00000008) + (_t216 << 0x0000000b | _t309 & 0x00000008) | _t309 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t309 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v20 = _v20 + 1;
										_t299 =  &(_t299[0x206]);
									} while (_v20 <  *0x434f4c);
									goto L86;
								} else {
									_t300 = E004012E2( *0x42d260);
									E00401299(_t300);
									_t227 = 0;
									_t307 = 0;
									if(_t300 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t307, 0);
										_a16 = _t300;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t227 * 4)) != 0) {
											_t307 = _t307 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t300);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t301 = SendMessageW(_v12, 0x150, _t237, 0);
							if(_t301 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t301 * 4)) == 0) {
								_t301 = 0x20;
							}
							E00401299(_t301);
							SendMessageW(_a4, 0x420, 0, _t301);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x434f80 = _a4;
					_t303 = 2;
					_v32 = 0;
					_v20 = _t303;
					 *0x42d260 = GlobalAlloc(0x40,  *0x434f4c << 2);
					_t265 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
					 *0x42d254 =  *0x42d254 | 0xffffffff;
					_v16 = _t265;
					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E004053ED);
					_t267 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42d24c = _t267;
					ImageList_AddMasked(_t267, _v16, 0xff00ff);
					SendMessageW(_v8, 0x1109, _t303,  *0x42d24c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v16);
					_t304 = 0;
					do {
						_t273 =  *((intOrPtr*)(_v24 + _t304 * 4));
						if( *((intOrPtr*)(_v24 + _t304 * 4)) != 0) {
							if(_t304 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040644E(_t304, 0, _t331, 0, _t273)), _t304);
						}
						_t304 = _t304 + 1;
					} while (_t304 < 0x21);
					_t305 = _a16;
					_push( *((intOrPtr*)(_t305 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404367(_a4);
					_push( *((intOrPtr*)(_t305 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404367(_a4);
					_t306 = 0;
					_v16 = 0;
					if( *0x434f4c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t324 = _v36 + 8;
						_v28 = _t324;
						do {
							_t285 =  &(_t324[0x10]);
							if( *_t285 != 0) {
								_v64 = _t285;
								_t286 =  *_t324;
								_v88 = _v16;
								_t316 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t316;
								_v44 = _t306;
								_v72 = _t286 & _t316;
								if((_t286 & 0x00000002) == 0) {
									if((_t286 & 0x00000004) == 0) {
										_t288 = SendMessageW(_v8, 0x1132, 0,  &_v88); // executed
										 *( *0x42d260 + _t306 * 4) = _t288;
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t291 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v32 = 1;
									 *( *0x42d260 + _t306 * 4) = _t291;
									_v16 =  *( *0x42d260 + _t306 * 4);
								}
							}
							_t306 = _t306 + 1;
							_t324 =  &(_v28[0x818]);
							_v28 = _t324;
						} while (_t306 <  *0x434f4c);
						if(_v32 != 0) {
							L20:
							if(_v20 != 0) {
								E0040439C(_v8);
								_t298 = _v36;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040439C(_v12);
								L93:
								return E004043CE(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404df2
0x00404df8
0x00404dfa
0x00404e00
0x00404e06
0x00404e1c
0x00404e1f
0x00404e22
0x00405055
0x0040505c
0x00405070
0x0040505e
0x00405060
0x00405063
0x00405064
0x0040506b
0x0040506b
0x0040507c
0x0040508a
0x0040508d
0x004050a3
0x0040511b
0x0040511e
0x00405120
0x0040512a
0x00405138
0x00405138
0x0040513a
0x00405144
0x0040514a
0x0040514d
0x00405168
0x0040514f
0x00405159
0x00405159
0x0040514d
0x00405144
0x00000000
0x0040511e
0x004050a8
0x004050b3
0x004050b8
0x004050bf
0x004050c6
0x004050c9
0x004050d1
0x004050d1
0x004050d5
0x004050d9
0x004050dd
0x004050f0
0x004050df
0x004050df
0x004050e6
0x004050ec
0x004050e8
0x004050e8
0x004050e8
0x004050e6
0x004050f6
0x004050f8
0x00405100
0x00405108
0x00405118
0x00405118
0x004050d9
0x00000000
0x004050c9
0x004050aa
0x004050b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040516b
0x0040516b
0x00405172
0x004051e3
0x004051ea
0x004051f6
0x004051f6
0x004051ff
0x00405201
0x00405208
0x0040520b
0x0040520b
0x00405211
0x00405218
0x0040521b
0x0040521b
0x00405221
0x00405227
0x0040522d
0x0040522d
0x0040523a
0x0040539a
0x004053a1
0x004053be
0x004053c4
0x004053d6
0x004053d6
0x00000000
0x00405240
0x00405242
0x00405247
0x0040524c
0x00405251
0x00405253
0x00405253
0x00405254
0x00405255
0x00405257
0x00405257
0x0040525f
0x004052a0
0x004052a2
0x004052b2
0x004052b5
0x004052ba
0x004052c1
0x004052c4
0x00405366
0x0040536e
0x00405376
0x00405376
0x00405384
0x00405395
0x00405395
0x00000000
0x00405384
0x004052ca
0x004052cd
0x004052d3
0x004052d8
0x004052da
0x004052dc
0x004052e2
0x004052e9
0x004052ee
0x004052f5
0x004052f8
0x004052f8
0x004052ff
0x0040530b
0x0040530f
0x00405311
0x00405311
0x00405301
0x00405303
0x00405303
0x00405331
0x0040533d
0x0040534c
0x0040534c
0x0040534e
0x00405351
0x0040535a
0x00000000
0x00405261
0x0040526c
0x0040526f
0x00405274
0x00405276
0x0040527a
0x0040528a
0x00405294
0x00405296
0x00405299
0x00000000
0x00000000
0x00000000
0x00000000
0x0040527c
0x0040527c
0x00405282
0x00405284
0x00405284
0x00405285
0x00405286
0x00000000
0x0040527c
0x0040525f
0x0040523a
0x0040517a
0x00000000
0x00405190
0x0040519a
0x0040519f
0x00000000
0x00000000
0x004051b1
0x004051b6
0x004051c2
0x004051c2
0x004051c4
0x004051d3
0x004051d5
0x004051d9
0x004051dc
0x00000000
0x004051dc
0x0040517a
0x00404e28
0x00404e2d
0x00404e37
0x00404e38
0x00404e41
0x00404e50
0x00404e5b
0x00404e61
0x00404e6f
0x00404e84
0x00404e89
0x00404e94
0x00404e9d
0x00404eb2
0x00404ec3
0x00404ed0
0x00404ed0
0x00404ed5
0x00404edb
0x00404edd
0x00404ee0
0x00404ee5
0x00404eea
0x00404eec
0x00404eec
0x00404f0c
0x00404f0c
0x00404f0e
0x00404f0f
0x00404f14
0x00404f1a
0x00404f1e
0x00404f23
0x00404f2b
0x00404f2f
0x00404f34
0x00404f39
0x00404f41
0x00404f44
0x00405014
0x00405027
0x00000000
0x00404f4a
0x00404f4d
0x00404f50
0x00404f53
0x00404f53
0x00404f59
0x00404f62
0x00404f65
0x00404f69
0x00404f6c
0x00404f6f
0x00404f78
0x00404f81
0x00404f84
0x00404f87
0x00404f8a
0x00404fc8
0x00404feb
0x00404ff3
0x00404fca
0x00404fd9
0x00404fd9
0x00404f8c
0x00404f8f
0x00404f9d
0x00404fa7
0x00404faf
0x00404fb6
0x00404fc1
0x00404fc1
0x00404f8a
0x00404ff9
0x00404ffa
0x00405006
0x00405006
0x00405012
0x0040502d
0x00405030
0x0040504d
0x00405052
0x00000000
0x00405032
0x00405037
0x00405040
0x004053d8
0x004053ea
0x004053ea
0x00405030
0x00000000
0x00405012
0x00404f44

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DEB
GetDlgItem.USER32(?,00000408), ref: 00404DF8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E44
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E5B
SetWindowLongW.USER32(?,000000FC,004053ED), ref: 00404E75
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E89
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E9D
SendMessageW.USER32(?,00001109,00000002), ref: 00404EB2
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EBE
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404ED0
DeleteObject.GDI32(00000110), ref: 00404ED5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404F00
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404F0C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FA7
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FD7

Part of subcall function 0040439C: SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA

SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FEB
GetWindowLongW.USER32(?,000000F0), ref: 00405019
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405027
ShowWindow.USER32(?,00000005), ref: 00405037
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405138
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040519A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004051AF
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051D3
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051F6
ImageList_Destroy.COMCTL32(?), ref: 0040520B
GlobalFree.KERNEL32(?), ref: 0040521B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405294
SendMessageW.USER32(?,00001102,?,?), ref: 0040533D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040534C
InvalidateRect.USER32(?,00000000,00000001), ref: 00405376
ShowWindow.USER32(?,00000000), ref: 004053C4
GetDlgItem.USER32(?,000003FE), ref: 004053CF
ShowWindow.USER32(00000000), ref: 004053D6

Strings

M, xrefs: 00404F8F
, xrefs: 004053AE
N, xrefs: 00405073

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 5598e06cb67788476fc8c7d334527adddce2bdc5635884aaeb3921699d952b74
Instruction ID: d580a4fcaa5169941c29ca465f5867fc490570c71858173d192e260bc12e7e27
Opcode Fuzzy Hash: 5598e06cb67788476fc8c7d334527adddce2bdc5635884aaeb3921699d952b74
Instruction Fuzzy Hash: 9C127A70D00609EFDB20DFA5CD45AAEBBB5FB84314F10817AEA10BA2E1C7798941DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403E8E Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403E8E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x42d250 = _t37;
					if(_t118 == 0x110) {
						 *0x434f08 = _t128;
						 *0x42d264 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42b230 = _t94;
						E00404367(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x433ee8);
						 *0x433ecc = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x42d250 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x434f40;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E004043B3(0x40b);
						while(1) {
							_t39 =  *0x42d250;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x434f44;
							if(_t41 ==  *0x434f44) {
								E0040140B(1);
							}
							__eflags =  *0x433ecc - _t136;
							if( *0x433ecc != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x434f44; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E0040644E(_t119, _t128, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404367(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404367(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404367(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x434fac - _t136;
							_v32 = _t51;
							if( *0x434fac != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E00404389(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x42b230, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x434fac - _t136;
							if( *0x434fac == _t136) {
								_push( *0x42d264);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x42b230);
							}
							E0040439C();
							E00406411(0x42d268, E00403E6F());
							E0040644E(0x42d268, _t128, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x42d268); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x433ed8); // executed
									 *0x42c240 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t128,  *( *(_t133 + 4) * 4 + "&E@"), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x433ed8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404367(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x433ecc - _t136;
									if( *0x433ecc != _t136) {
										goto L61;
									}
									ShowWindow( *0x433ed8, 8);
									E004043B3(0x405);
									goto L58;
								}
								__eflags =  *0x434fac - _t136;
								if( *0x434fac != _t136) {
									goto L61;
								}
								__eflags =  *0x434fa0 - _t136;
								if( *0x434fa0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x433ed8);
						 *0x434f08 = _t136;
						EndDialog(_t128,  *0x42ba38);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x433ed8, 0x40f, 0, 1);
						__eflags =  *0x433ecc;
						return 0 |  *0x433ecc == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x42d248, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42d248,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E004043CE(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x433ed8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x434fac - _t136;
										if( *0x434fac == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x42ba38 = 1;
											L21:
											_push(0x78);
											L22:
											E00404340();
											goto L26;
										}
										E0040140B(_t130);
										 *0x42ba38 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x433ed8);
						 *0x433ed8 = _a12;
						L58:
						if( *0x42f268 == _t136 &&  *0x433ed8 != _t136) {
							ShowWindow(_t128, 0xa);
							 *0x42f268 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403e97
0x00403ea0
0x00403fe1
0x00403fe5
0x00403fe9
0x00403feb
0x00403ff0
0x00403ffb
0x00404006
0x0040400b
0x0040400d
0x0040400f
0x00404012
0x00404017
0x00404025
0x00404032
0x00404039
0x00404039
0x0040403a
0x0040403a
0x0040403f
0x00404045
0x0040404c
0x00404052
0x00404054
0x00404094
0x00404099
0x0040409e
0x0040409e
0x004040a3
0x004040ac
0x004040ae
0x004040b3
0x004040b9
0x004040bd
0x004040bd
0x004040c2
0x004040c8
0x00000000
0x00000000
0x004040d3
0x004040d9
0x00000000
0x00000000
0x004040e2
0x004040ea
0x004040ef
0x004040f2
0x004040f8
0x004040fd
0x00404100
0x00404106
0x0040410b
0x0040410e
0x00404114
0x0040411c
0x00404122
0x00404128
0x0040412c
0x00404133
0x00404133
0x00404133
0x0040413d
0x0040414f
0x0040415b
0x00404160
0x0040416a
0x00404170
0x00404172
0x00404177
0x00404174
0x00404174
0x00404174
0x00404187
0x0040419f
0x004041a1
0x004041a7
0x004041bc
0x004041a9
0x004041b2
0x004041b4
0x004041b4
0x004041c2
0x004041d3
0x004041e9
0x004041f0
0x004041f6
0x004041fa
0x004041ff
0x00404201
0x00000000
0x00404207
0x00404207
0x00404209
0x00000000
0x00000000
0x0040420f
0x00404213
0x00404238
0x0040423e
0x00404244
0x00404246
0x00000000
0x00000000
0x0040426c
0x00404272
0x00404274
0x00404279
0x00000000
0x00000000
0x0040427f
0x00404282
0x00404285
0x0040429c
0x004042a8
0x004042c1
0x004042c7
0x004042cb
0x004042d0
0x004042d6
0x00000000
0x00000000
0x004042e0
0x004042eb
0x00000000
0x004042eb
0x00404215
0x0040421b
0x00000000
0x00000000
0x00404221
0x00404227
0x00000000
0x00000000
0x00000000
0x0040422d
0x00404201
0x004042f8
0x00404304
0x0040430b
0x00000000
0x00404056
0x00404056
0x00404059
0x0040408c
0x0040408c
0x0040408e
0x00000000
0x00000000
0x00000000
0x0040408e
0x0040405b
0x0040405f
0x00404064
0x00404066
0x00000000
0x00000000
0x00404076
0x0040407e
0x00000000
0x00404084
0x00403eb2
0x00403eb2
0x00403eb6
0x00403ebb
0x00403eca
0x00403eca
0x00403ed3
0x00403edc
0x00403ee7
0x00403ee7
0x00403ef3
0x00403f0f
0x00403f12
0x00403f25
0x00403f2b
0x00403fce
0x00000000
0x00403fd7
0x00403f31
0x00403f3e
0x00403f40
0x00403f42
0x00403f61
0x00403f61
0x00403f64
0x00403f69
0x00403f6c
0x00403f7c
0x00403f7d
0x00403f7f
0x00403fb5
0x00403fc8
0x00000000
0x00403fc8
0x00403f81
0x00403f87
0x00403fa0
0x00403fa5
0x00403fa7
0x00000000
0x00000000
0x00403fa9
0x00403f95
0x00403f95
0x00403f97
0x00403f97
0x00000000
0x00403f97
0x00403f8a
0x00403f8f
0x00000000
0x00403f8f
0x00403f6e
0x00403f74
0x00000000
0x00000000
0x00403f76
0x00000000
0x00403f76
0x00403f66
0x00000000
0x00403f66
0x00403f4c
0x00403f53
0x00403f59
0x00403f5b
0x00000000
0x00000000
0x00000000
0x00403f5b
0x00403f17
0x00000000
0x00403ef5
0x00403efb
0x00403f05
0x00404311
0x00404317
0x00404324
0x0040432a
0x0040432a
0x00404334
0x00000000
0x00404334
0x00403ef3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403ECA
ShowWindow.USER32(?), ref: 00403EE7
DestroyWindow.USER32 ref: 00403EFB
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F17
GetDlgItem.USER32(?,?), ref: 00403F38
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F4C
IsWindowEnabled.USER32(00000000), ref: 00403F53
GetDlgItem.USER32(?,00000001), ref: 00404001
GetDlgItem.USER32(?,00000002), ref: 0040400B
SetClassLongW.USER32(?,000000F2,?), ref: 00404025
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404076
GetDlgItem.USER32(?,00000003), ref: 0040411C
ShowWindow.USER32(00000000,?), ref: 0040413D
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040414F
EnableWindow.USER32(?,?), ref: 0040416A
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404180
EnableMenuItem.USER32(00000000), ref: 00404187
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040419F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041B2
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 004041DC
SetWindowTextW.USER32(?,0042D268), ref: 004041F0
ShowWindow.USER32(?,0000000A), ref: 00404324

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 107ad6bdab59df7c6dc1e53992544a2f2aa45a341ad300a22c315677171673b9
Instruction ID: cb6f0490afd218b95da4ce8f8645ed9f2a2dc6dad26b5163c80864a666f03042
Opcode Fuzzy Hash: 107ad6bdab59df7c6dc1e53992544a2f2aa45a341ad300a22c315677171673b9
Instruction Fuzzy Hash: 40C1AFB1600305EFDB206F61EE85E2B7A68FB85706B54053EFA81B11F0CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403AE0(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x434f14;
				_t22 = E00406806(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x42d268;
					L"1033" = 0x30;
					 *0x442002 = 0x78;
					 *0x442004 = 0;
					E004062DF(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
					__eflags =  *0x42d268;
					if(__eflags == 0) {
						E004062DF(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00406358(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403DB6(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved";
				 *0x434fa0 =  *0x434f1c & 0x00000020;
				 *0x434fbc = 0x10000;
				if(E00405DEE(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved") != 0) {
					L16:
					if(E00405DEE(_t98, _t86) == 0) {
						E0040644E(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x433ee8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403DB6(_t78, __eflags);
							__eflags =  *0x434fc0;
							if( *0x434fc0 != 0) {
								_t33 = E0040554C(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x433ecc;
								if( *0x433ecc == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42d248, 5); // executed
							_t39 = E00406796("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E00406796("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x433ea0);
								 *0x433ec4 = _t87;
								RegisterClassW(0x433ea0);
							}
							_t44 = DialogBoxParamW( *0x434f00,  *0x433ee0 + 0x00000069 & 0x0000ffff, 0, E00403E8E, 0); // executed
							E00403A30(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x434f00;
						 *0x433ea4 = E00401000;
						 *0x433eb0 =  *0x434f00;
						 *0x433eb4 = _t30;
						 *0x433ec4 = 0x40a380;
						if(RegisterClassW(0x433ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x432ea0;
					E004062DF(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f58 + _t78 * 2,  *0x434f58 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
					_t63 =  *0x432ea0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x432ea2;
						 *((short*)(E00405D13(0x432ea2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406411(_t86, E00405CE6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405D32(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403ae6
0x00403aef
0x00403af6
0x00403af8
0x00403b0c
0x00403b1e
0x00403b27
0x00403b30
0x00403b37
0x00403b3c
0x00403b43
0x00403b56
0x00403b56
0x00403b61
0x00403afa
0x00403b05
0x00403b05
0x00403b66
0x00403b70
0x00403b79
0x00403b7e
0x00403b8f
0x00403c21
0x00403c29
0x00403c32
0x00403c32
0x00403c48
0x00403c4e
0x00403c5c
0x00403cdd
0x00403ce5
0x00403cef
0x00403cf4
0x00403cfa
0x00403d84
0x00403d89
0x00403d8b
0x00403da7
0x00000000
0x00403da7
0x00403d8d
0x00403d93
0x00403d9b
0x00403d9b
0x00000000
0x00403d93
0x00403d08
0x00403d13
0x00403d18
0x00403d1a
0x00403d21
0x00403d21
0x00403d2c
0x00403d34
0x00403d36
0x00403d38
0x00403d41
0x00403d44
0x00403d4a
0x00403d4a
0x00403d69
0x00403d7a
0x00000000
0x00403d7f
0x00403ce7
0x00403ce9
0x00000000
0x00403c5e
0x00403c5e
0x00403c6a
0x00403c74
0x00403c7a
0x00403c7f
0x00403c8e
0x00403dac
0x00403dac
0x00000000
0x00403dac
0x00403c9d
0x00403cd8
0x00000000
0x00403cd8
0x00403b95
0x00403b95
0x00403b98
0x00403b9a
0x00000000
0x00000000
0x00403ba8
0x00403bba
0x00403bbf
0x00403bc8
0x00000000
0x00000000
0x00403bce
0x00403bd0
0x00403bdd
0x00403bdd
0x00403be6
0x00403bec
0x00403c14
0x00403c1c
0x00000000
0x00403bfe
0x00403bff
0x00403c08
0x00403c0e
0x00403c0f
0x00000000
0x00403c0f
0x00403c0a
0x00403c0c
0x00000000
0x00000000
0x00000000
0x00403c0c
0x00403bec

APIs

Part of subcall function 00406806: GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
Part of subcall function 00406806: GetProcAddress.KERNEL32(00000000,?), ref: 00406833

lstrcatW.KERNEL32(1033,0042D268), ref: 00403B61
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Shoved,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75423420), ref: 00403BE1
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Shoved,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403BF4
GetFileAttributesW.KERNEL32(Call), ref: 00403BFF
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Shoved), ref: 00403C48

Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365

RegisterClassW.USER32(00433EA0), ref: 00403C85
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C9D
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CD2
ShowWindow.USER32(00000005,00000000), ref: 00403D08
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403D34
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403D41
RegisterClassW.USER32(00433EA0), ref: 00403D4A
DialogBoxParamW.USER32(?,00000000,00403E8E,00000000), ref: 00403D69

Strings

RichEdit, xrefs: 00403D3B
RichEd32, xrefs: 00403D1C
.DEFAULT\Control Panel\International, xrefs: 00403B4C
RichEd20, xrefs: 00403D0E
C:\Users\user\AppData\Roaming\Shoved, xrefs: 00403B70, 00403B78, 00403C1B, 00403C21, 00403C31
"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00403AE4
Call, xrefs: 00403BA8, 00403BB1, 00403BBF, 00403C0E, 00403C14
1033, xrefs: 00403B00, 00403B5C
RichEdit20W, xrefs: 00403D2C, 00403D32
.exe, xrefs: 00403BEE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE5
Control Panel\Desktop\ResourceLocale, xrefs: 00403B14
_Nb, xrefs: 00403C64, 00403CCC

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Shoved$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3499326829
Opcode ID: 431378757b75bd2c66e5e870ba5a75b2eb037ba1df85b121b0fccf1d7af94065
Instruction ID: ef062d508cd4fc62497976b4bc03dd7eae2cd9e8a178e807e7972486bae2ade7
Opcode Fuzzy Hash: 431378757b75bd2c66e5e870ba5a75b2eb037ba1df85b121b0fccf1d7af94065
Instruction Fuzzy Hash: 9A61B8711447006EE320AF66AE46F2B3A6CEBC5B4AF40453FF941B61E1DB7D9901CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403015 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00403015(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe";
				 *0x434f10 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", 0x400);
				_t89 = E00405F07(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E00406411(L"C:\\Users\\Arthur\\Desktop", _t91);
				E00406411(L"CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", E00405D32(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x42aa24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402FB1(1);
					if( *0x434f18 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E0040347D( *0x434f18 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E0040324C(); // executed
						if(_t57 == _v24) {
							 *0x434f14 = _t94;
							 *0x434f1c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x434f20 =  *0x434f20 + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405EC2(0x434f40, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E0040347D( *0x41ea18);
					if(E00403467( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x434f18) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E00403467(0x416a18, _t90) == 0) {
							E00402FB1(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x434f18 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402FB1(0);
							}
							goto L20;
						}
						E00405EC2( &_v44, 0x416a18, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x41ea18; // 0x37c9e
							 *0x434fc0 =  *0x434fc0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x434f18 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t24 = _t80 - 4; // 0x40a2dc
								_t93 = _t24;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x42aa24) {
							_v12 = E004068F3(_v12, 0x416a18, _t90);
						}
						 *0x41ea18 =  *0x41ea18 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x0040301d
0x00403020
0x00403023
0x00403026
0x0040302c
0x0040303d
0x00403042
0x00403055
0x0040305a
0x0040305d
0x00403063
0x00000000
0x00403065
0x00403070
0x00403076
0x00403087
0x0040308e
0x00403096
0x0040309b
0x0040309d
0x00403188
0x0040318a
0x00403196
0x00000000
0x00000000
0x0040319b
0x004031bf
0x004031c4
0x004031ca
0x004031d5
0x004031da
0x004031dd
0x004031de
0x004031df
0x004031e1
0x004031e9
0x00403200
0x00403208
0x0040320d
0x0040320f
0x0040320f
0x00403217
0x00403217
0x0040321a
0x0040321b
0x0040321b
0x0040321e
0x00403220
0x00403220
0x0040322a
0x00403230
0x0040323e
0x00000000
0x00403243
0x00000000
0x004031e9
0x004031a3
0x004031b5
0x00000000
0x00000000
0x00000000
0x00000000
0x004030a3
0x004030a8
0x004030ad
0x004030b1
0x004030b8
0x004030bf
0x004030c1
0x004030c1
0x004030cc
0x004031f4
0x004031eb
0x00000000
0x004031eb
0x004030d9
0x00403159
0x0040315d
0x00403162
0x00000000
0x00403159
0x004030e2
0x004030e7
0x004030ef
0x00403115
0x0040311b
0x00403124
0x0040312a
0x0040312f
0x00403135
0x00000000
0x00000000
0x0040313f
0x00403147
0x0040314a
0x0040314a
0x0040314f
0x00403151
0x00403151
0x00000000
0x00000000
0x00000000
0x00000000
0x0040313f
0x00403163
0x00403169
0x00403175
0x00403175
0x00403178
0x0040317e
0x0040317e
0x00403186
0x00000000
0x00403186

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405F07: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
Part of subcall function 00405F07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D

GetFileSize.KERNEL32(00000000,00000000,CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00403015
Null, xrefs: 0040310C
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, xrefs: 00403082
Error launching installer, xrefs: 00403065
Inst, xrefs: 004030FA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C
C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
soft, xrefs: 00403103

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe$CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-4032366077
Opcode ID: a52360a1b04fecb28cdb34ea46c0a5e0142df37db4d5eb2ecb020a06199e7e0c
Instruction ID: 352fdba277142773567f3d30b5bba7b1c47688a28dd7517ec43723b707c69b17
Opcode Fuzzy Hash: a52360a1b04fecb28cdb34ea46c0a5e0142df37db4d5eb2ecb020a06199e7e0c
Instruction Fuzzy Hash: CF51D331904204ABDB109FA5DD85B9E7EACEB48356F24803BF910BA2D1C77C9F418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040644E Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0040644E(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x433edc - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x434f58 + _t43 * 2;
				_t44 = 0x432ea0;
				_t110 = 0x432ea0;
				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E0040644E(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x432ea0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x436000;
							E00406411(_t110, (_t106 << 0xb) + 0x436000);
						} else {
							E00406358(_t110,  *0x434f08);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E004066C0(_t110);
						}
						goto L43;
					}
					_t86 =  *0x434f0c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x434fa4;
						if( *0x434fa4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x434f04;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x434f08,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x434f08,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E004062DF( *0x434f58, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f58 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040);
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E0040644E(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E00406411(_a4, _t44);
			}

0x0040644e
0x0040644e
0x0040644e
0x00406454
0x00406459
0x0040646a
0x0040646a
0x00406472
0x00406473
0x00406474
0x00406475
0x00406478
0x00406480
0x00406482
0x0040649b
0x0040649e
0x0040649e
0x0040669a
0x0040669a
0x004066a0
0x00000000
0x00000000
0x004064ae
0x004064b4
0x00000000
0x00000000
0x004064bc
0x004064bd
0x004064bf
0x004064c3
0x004064c6
0x00406687
0x00406695
0x00406698
0x00406698
0x00406689
0x0040668c
0x0040668f
0x00406691
0x00406691
0x00000000
0x00406687
0x004064cc
0x004064cf
0x004064de
0x004064e5
0x004064ef
0x004064f3
0x004064f6
0x004064f9
0x004064fe
0x00406503
0x00406507
0x0040650a
0x0040662a
0x0040662e
0x00406661
0x00406665
0x0040666a
0x0040666f
0x0040666f
0x00406674
0x00406675
0x0040667a
0x0040667d
0x00406680
0x00000000
0x00406680
0x00406630
0x00406633
0x00406636
0x0040664b
0x00406652
0x00406638
0x0040663f
0x0040663f
0x0040665a
0x0040665d
0x00406622
0x00406623
0x00406623
0x00000000
0x0040665d
0x00406510
0x00406518
0x0040651a
0x0040651b
0x00406534
0x00406534
0x0040653b
0x0040653b
0x00406542
0x00406546
0x00406546
0x00406547
0x00406549
0x00406584
0x00406587
0x00406597
0x0040659a
0x004065a2
0x004065a8
0x004065a8
0x00406605
0x00406605
0x00406607
0x00000000
0x00000000
0x004065ac
0x004065b3
0x004065b4
0x004065b6
0x004065d0
0x004065de
0x004065e4
0x004065e6
0x00406601
0x00406601
0x00406601
0x00000000
0x00406601
0x004065ec
0x004065f7
0x004065fd
0x004065ff
0x00000000
0x00000000
0x00000000
0x004065ff
0x004065b8
0x004065bb
0x00000000
0x00000000
0x004065ca
0x004065cc
0x004065ce
0x00000000
0x00000000
0x00000000
0x004065ce
0x00000000
0x00406605
0x0040658f
0x00000000
0x0040654b
0x00406569
0x0040656e
0x00406572
0x00406612
0x00406612
0x00406615
0x0040661d
0x0040661d
0x00000000
0x00406615
0x0040657a
0x00406609
0x00406609
0x0040660d
0x00000000
0x00000000
0x0040660f
0x00000000
0x0040660f
0x00406549
0x0040651d
0x00406522
0x00000000
0x00000000
0x00406524
0x00406527
0x00000000
0x00000000
0x00406529
0x0040652c
0x00000000
0x0040652e
0x0040652e
0x00000000
0x0040652e
0x0040652c
0x004066a6
0x004066b1
0x004066bd
0x004066bd
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040658F
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C248,?,004054B0,0042C248,00000000), ref: 004065A2
SHGetSpecialFolderLocation.SHELL32(004054B0,00425A20,00000000,0042C248,?,004054B0,0042C248,00000000), ref: 004065DE
SHGetPathFromIDListW.SHELL32(00425A20,Call), ref: 004065EC
CoTaskMemFree.OLE32(00425A20), ref: 004065F7
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040661D
lstrlenW.KERNEL32(Call,00000000,0042C248,?,004054B0,0042C248,00000000), ref: 00406675

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040655F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406617
Call, xrefs: 00406478, 00406553, 0040655A, 0040655E, 00406578, 00406579, 0040658E, 004065A1, 004065BD, 004065E8, 0040661C, 00406622, 0040663E, 00406651, 0040666E, 00406674, 00406680, 004066B3

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: d2ae35223b5679837e7cae1169c661c9243fab95fc342e3086787ca7bf20af92
Instruction ID: cd0f296135d024e5542a1133132ccafb23cc3a0c8fe84acec88ebf75cbd5934e
Opcode Fuzzy Hash: d2ae35223b5679837e7cae1169c661c9243fab95fc342e3086787ca7bf20af92
Instruction Fuzzy Hash: 9C614471A00111AADF208F54DD41BBE37A5AF44314F26853FE943B62D0EB3E5AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040324C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040324C(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x422a20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E0040347D( *0x434f78 + _t62);
				}
				if(E00403467( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E00403467(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E00403467(0x41ea20, _t98) == 0) {
								goto L41;
							}
							_t69 = E00405FB9(_a8, 0x41ea20, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40d384 =  *0x40d384 & 0x00000000;
					 *0x40d380 =  *0x40d380 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce68 = 8;
					 *0x416a10 = 0x40ea08;
					 *0x416a0c = 0x40ea08;
					 *0x416a08 = 0x416a08;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E00403467(0x41ea20, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40ce58 = 0x41ea20;
						 *0x40ce5c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40ce60 = _t95;
							 *0x40ce64 = _v12;
							_t75 = E00406961(0x40ce58);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40ce60; // 0x425a20
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x434fd4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E00405479(0,  &_v152);
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40ce60; // 0x425a20
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405FB9(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00403257
0x0040325b
0x0040325e
0x00403263
0x00403265
0x00403265
0x0040326c
0x00403270
0x00403275
0x00403277
0x00403277
0x0040327e
0x00403283
0x0040328e
0x0040328e
0x004032a0
0x00403455
0x00403455
0x00000000
0x004032a6
0x004032aa
0x00403402
0x00403445
0x00403447
0x00403447
0x00403453
0x0040345a
0x0040345d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403453
0x00403407
0x00000000
0x00000000
0x00403409
0x0040340c
0x0040340f
0x00403412
0x00403414
0x00403414
0x00403424
0x00000000
0x00000000
0x0040342b
0x00403432
0x004033fc
0x004033fc
0x00403457
0x00403457
0x00000000
0x00403457
0x00403434
0x00403437
0x0040343e
0x00000000
0x00000000
0x00000000
0x00403440
0x00000000
0x0040340c
0x004032b6
0x004032b8
0x004032bf
0x004032c6
0x004032c6
0x004032cd
0x004032d5
0x004032df
0x004032e4
0x004032ec
0x004032f6
0x004032f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004032ff
0x004032ff
0x004032ff
0x00403307
0x00403309
0x00403309
0x0040331a
0x00000000
0x00000000
0x00403320
0x00403323
0x00403329
0x0040332f
0x0040332f
0x0040333a
0x00403340
0x00403345
0x0040334c
0x0040334f
0x00000000
0x00000000
0x00403355
0x0040335b
0x0040335d
0x00403366
0x00403368
0x00403399
0x0040339f
0x004033ab
0x004033b0
0x004033b0
0x004033b5
0x004033f0
0x00000000
0x00000000
0x00000000
0x004033b7
0x004033bb
0x004033d2
0x004033d7
0x004033da
0x004033dd
0x004033e0
0x004033e4
0x00000000
0x00000000
0x00000000
0x004033ea
0x004033c4
0x004033cb
0x00000000
0x00000000
0x004033cd
0x00000000
0x004033cd
0x004033b5
0x004033f8
0x00000000
0x004033f8
0x00000000
0x004032ff

APIs

GetTickCount.KERNEL32 ref: 004032B6
GetTickCount.KERNEL32 ref: 0040335D
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403386
wsprintfW.USER32 ref: 00403399

Strings

*B, xrefs: 00403277
ZB, xrefs: 0040333A, 00403355, 004033D2
A, xrefs: 00403416
... %d%%, xrefs: 00403393
A, xrefs: 0040330C

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ ZB$ A$ A$... %d%%
API String ID: 551687249-3856725213
Opcode ID: 6aa008098f4ef09d38d5c59ecde741492560208fda71d4d747c9693988f45b69
Instruction ID: 934ec796fb5923f126773143cacc3683187fa16e161fba292e3b1b9e9ada072f
Opcode Fuzzy Hash: 6aa008098f4ef09d38d5c59ecde741492560208fda71d4d747c9693988f45b69
Instruction Fuzzy Hash: 44518C71D00219DBCB11DF65EA84B9E7FA8AF01756F10817BEC10BB2C1C7789A40CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402D3E(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405D5D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405CE6(E00406411(_t81, L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved\\Factorist")), ??);
				} else {
					E00406411();
				}
				E004066C0(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040676F(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405EE2(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405F07(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405479(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x434fa8;
						goto L32;
					} else {
						E00406411("C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp", _t83);
						E00406411(_t83, _t81);
						E0040644E(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406411(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp");
						_t64 = E00405A77("C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x434fa8 =  &( *0x434fa8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E00405479();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405479(0xffffffea,  *(_t86 - 8));
				 *0x434fd4 =  *0x434fd4 + 1;
				_t45 = E0040324C( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x434fd4 =  *0x434fd4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E0040644E(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E0040644E(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405A77();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402925
0x00402925
0x00402bc2
0x00402bc5
0x00402bc5
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402bcb
0x00402bcb
0x00402bcb
0x00401867
0x00401867
0x00401868
0x00401493
0x00402395
0x00402395
0x00402395
0x00401865
0x0040185e
0x00402bcd
0x00402bd1
0x00402bd1
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402390
0x00000000
0x00402390
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Shoved\Factorist,?,?,00000031), ref: 004017D5

Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E

Part of subcall function 00405479: lstrlenW.KERNEL32(0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
Part of subcall function 00405479: lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
Part of subcall function 00405479: SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

Strings

C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Roaming\Shoved\Factorist, xrefs: 0040179E
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsdCB34.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsdCB34.tmp$C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll$C:\Users\user\AppData\Roaming\Shoved\Factorist$Call
API String ID: 1941528284-3313329688
Opcode ID: 898ce4c5b6941fe7d419b72eda9361d5450072f2bf0dde35a2139be17a2a5618
Instruction ID: 3db4763bd34d6378758f0dea6881e25fdbecc032a5989a9cd586940b12637d70
Opcode Fuzzy Hash: 898ce4c5b6941fe7d419b72eda9361d5450072f2bf0dde35a2139be17a2a5618
Instruction Fuzzy Hash: 13419471500118BACF10BFA5CD85DAE7A79EF45368B20423FF512B21E1DB3C89919A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405948 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405948(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405953
0x00405957
0x0040595a
0x00405960
0x00405964
0x00405968
0x00405970
0x00405977
0x0040597d
0x00405984
0x0040598b
0x00405993
0x00405995
0x00000000
0x00405995
0x0040599f
0x004059a6
0x004059bc
0x00000000
0x00000000
0x00000000
0x004059be
0x004059c2

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040598B
GetLastError.KERNEL32 ref: 0040599F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004059B4
GetLastError.KERNEL32 ref: 004059BE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040596E
C:\Users\user\Desktop, xrefs: 00405948

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 2a6702a12d34049f0ed6173726a665453ef4396ebd7eb618d4b77e108423b323
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 720108B1C10219EADF019BA4D948BEFBFB8EF04314F00803AD544B6180D77896488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406796 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406796(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004067ad
0x004067b6
0x004067b8
0x004067b8
0x004067bc
0x004067cf
0x004067c9
0x004067c9
0x004067c9
0x004067e8
0x004067fc
0x00406803

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004067AD
wsprintfW.USER32 ref: 004067E8
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067FC

Strings

UXTHEME, xrefs: 0040679F
\, xrefs: 004067BE
%s%S.dll, xrefs: 004067E2

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 2cc1ede9ae180511fd9dc47da010e879a2503ad1dada0433f9440106b5f2728e
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 86F09670510119A7DB24BF64DE4DF9B366CAB00709F11447AA646F21D0EB7C9A68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F36 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405F36(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405f3c
0x00405f42
0x00405f43
0x00405f43
0x00405f48
0x00405f49
0x00405f4c
0x00405f51
0x00405f54
0x00405f5e
0x00405f6b
0x00405f6f
0x00405f77
0x00000000
0x00000000
0x00405f7b
0x00000000
0x00405f7d
0x00405f7d
0x00405f7d
0x00405f80
0x00405f83
0x00405f83
0x00405f86
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405F54
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034C3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F), ref: 00405F6F

Strings

"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00405F36
nsa, xrefs: 00405F43
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3B

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3620698671
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 6280ba3094977af7574bcd42248b285f756f81412eced5037130b5adcb3d4edb
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 55F03676B00204BFDB10CF55DD05E9FB7ADEB95750F10803AEE44F7150E6B499548B58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00402E41(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E0040627E(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402E41(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406806(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402e4c
0x00402e55
0x00402e5e
0x00402e6a
0x00402e73
0x00402e7d
0x00402ea2
0x00402ea8
0x00402ead
0x00402eae
0x00402ede
0x00402eb7
0x00402eb9
0x00402f09
0x00402f0c
0x00000000
0x00402f12
0x00402ec8
0x00402ecd
0x00402ecf
0x00000000
0x00000000
0x00402ed7
0x00402edc
0x00402edd
0x00402edd
0x00402eea
0x00402ef2
0x00402ef9
0x00000000
0x00402f22
0x00000000
0x00402f01
0x00402e8d
0x00402ea0
0x00000000
0x00000000
0x00000000
0x00402ea0
0x00402f28

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
Instruction ID: 81522b48e592499502658fb4677f1b0f70c545d6b701466da39e5ccb8a756ba0
Opcode Fuzzy Hash: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
Instruction Fuzzy Hash: 0F215A72500109BBEF129F90CE89EEF7A7DEB54344F110076B945B11A0E7B48E54AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 73841777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E73841777(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7384506c = _a8;
				 *0x73845070 = _a16;
				 *0x73845074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73845048, E738415B1);
				_push(1); // executed
				_t37 = E73841B5F(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E7384239E(_t54);
					}
					_push(_t54);
					E738423E0(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E738425B5();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E738415C6(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E738425B5();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E738425B5();
							_t37 = GlobalFree(E73841272(E738415B4(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E73842578(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E7384153D( *0x73845068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73842D83(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73842AF8(_t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E73842770(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x73841777
0x73841777
0x73841777
0x73841784
0x7384178c
0x73841799
0x738417a7
0x738417aa
0x738417ac
0x738417b1
0x738417b6
0x738418d8
0x738418d8
0x738417bc
0x738417c0
0x738417c3
0x738417c8
0x738417c9
0x738417ca
0x738417d0
0x738417d6
0x73841806
0x7384180d
0x73841831
0x7384187e
0x7384187f
0x73841833
0x73841833
0x73841834
0x7384183d
0x7384183e
0x73841848
0x7384184b
0x73841850
0x73841857
0x73841857
0x7384185d
0x7384185e
0x73841864
0x7384186a
0x73841877
0x73841878
0x7384187b
0x7384180f
0x7384180f
0x73841810
0x73841825
0x73841825
0x73841889
0x7384188c
0x73841899
0x738418a0
0x738418a8
0x738418ab
0x738418ab
0x738418a8
0x738418b8
0x738418c0
0x738418c5
0x738418b8
0x738418cd
0x00000000
0x738418cf
0x00000000
0x738418d0
0x738418cd
0x738417da
0x738417dd
0x738417fb
0x00000000
0x00000000
0x738417fe
0x73841803
0x73841803
0x73841805
0x00000000
0x73841805
0x738417df
0x738417e0
0x738417e8
0x738417e9
0x00000000
0x738417e9
0x738417e2
0x738417e3
0x738417f1
0x00000000
0x738417f1
0x738417e6
0x00000000
0x00000000
0x00000000
0x738417e6

APIs

Part of subcall function 73841B5F: GlobalFree.KERNEL32(?), ref: 73841DD4
Part of subcall function 73841B5F: GlobalFree.KERNEL32(?), ref: 73841DD9
Part of subcall function 73841B5F: GlobalFree.KERNEL32(?), ref: 73841DDE

GlobalFree.KERNEL32(00000000), ref: 73841825
FreeLibrary.KERNEL32(?), ref: 738418AB
GlobalFree.KERNEL32(00000000), ref: 738418D0

Part of subcall function 7384239E: GlobalAlloc.KERNEL32(00000040,?), ref: 738423CF

Part of subcall function 73842770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,738417F6,00000000), ref: 73842840

Part of subcall function 738415C6: wsprintfW.USER32 ref: 738415F4

Strings

, xrefs: 738418B1

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: ff8889ca35d0cce4c71df9e5adf122ae3c415d69792dc75a25bfbe1947031005
Instruction ID: 79864a1533c0bd42c6ea2d90257f1a2c7398bdac15812c1e7a650a6a5559563e
Opcode Fuzzy Hash: ff8889ca35d0cce4c71df9e5adf122ae3c415d69792dc75a25bfbe1947031005
Instruction Fuzzy Hash: C141A57150030C9BDB119FF4D985B9537BEBB04350F38A165ED0B9ADC6EB788084C760

Uniqueness

Uniqueness Score: -1.00%

Function 00402482 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402482(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402D3E(2);
				_t20 = E00402D3E(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402DCE(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402D3E(0x23);
						_t24 = lstrlenW(0x40b5f0) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5f0 = E00402D1C(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E0040324C( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f0, 0x1800); // executed
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f0, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey(); // executed
				}
				 *0x434fa8 =  *0x434fa8 +  *(_t39 - 4);
				return 0;
			}

0x00402482
0x00402482
0x00402482
0x00402482
0x00402485
0x0040248c
0x00402496
0x00402499
0x004024a2
0x004024a9
0x004024b0
0x004024b3
0x004024b9
0x004024c3
0x004024c7
0x004024d2
0x004024d2
0x004024d9
0x004024e3
0x004024e9
0x004024ec
0x004024ec
0x004024f0
0x004024fc
0x004024fc
0x0040250d
0x00402515
0x00402517
0x00402517
0x0040251a
0x004025f5
0x004025f5
0x00402bc5
0x00402bd1

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsdCB34.tmp,00000023,00000011,00000002), ref: 004024CD
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsdCB34.tmp,00000000,00000011,00000002), ref: 0040250D
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsdCB34.tmp,00000000,00000011,00000002), ref: 004025F5

Strings

C:\Users\user\AppData\Local\Temp\nsdCB34.tmp, xrefs: 004024BE, 004024CC, 004024E3, 004024F7, 00402502

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsdCB34.tmp
API String ID: 2655323295-3649449580
Opcode ID: 9e720649662cdc413bd8d4d136e207e08986e5d50d4fc5c41021c63d7149cc75
Instruction ID: 7edbd774ff12736b5c68cca40ff53a8b2e2340a941a441eef078c8e93cf21856
Opcode Fuzzy Hash: 9e720649662cdc413bd8d4d136e207e08986e5d50d4fc5c41021c63d7149cc75
Instruction Fuzzy Hash: 1C11AF71E00108BEDB00AFA5CE49AAEBBB8EF44314F20443AF504B71D1D7B89D409A68

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402D3E(0xfffffff0);
				_t17 = E00405D91(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405D13(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E004059C5( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E004059E2(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405948( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406411(L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved\\Factorist",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022e9
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402bc5
0x00402bd1

APIs

Part of subcall function 00405D91: CharNextW.USER32(?,?,0042FA70,?,00405E05,0042FA70,0042FA70, 4Bu,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,75423420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D9F
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DA4
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DBC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405948: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040598B

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Shoved\Factorist,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Shoved\Factorist, xrefs: 00401640

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Shoved\Factorist
API String ID: 1892508949-4086653928
Opcode ID: 8bd5528b3ed13611c2729177aa216aa5dfd0a4f92ec19a6671f3c1d709377d7f
Instruction ID: d42e9ae115e382ed64a017e661d14a8570f8e1ce7a364987760287960e16c3b9
Opcode Fuzzy Hash: 8bd5528b3ed13611c2729177aa216aa5dfd0a4f92ec19a6671f3c1d709377d7f
Instruction Fuzzy Hash: B411DD31504110EBCF206FA5CD4199F3BB0EF25369B28493BEA51B22F1DA3E49819A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004053ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004053ED(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42d254 = _t16;
							E00404DA2();
						}
						L11:
						_t9 = CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404D22(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004043B3(0x413);
				return 0;
			}

0x004053f1
0x004053fb
0x00405417
0x00405439
0x0040543c
0x00405442
0x0040544c
0x0040544d
0x0040544f
0x00405455
0x00405455
0x0040545f
0x0040546d
0x00000000
0x0040546d
0x00405424
0x0040545c
0x0040545c
0x00000000
0x0040545c
0x00405430
0x00405432
0x00000000
0x00405432
0x00405401
0x00000000
0x00000000
0x00405408
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040541C
CallWindowProcW.USER32(?,?,?,?), ref: 0040546D

Part of subcall function 004043B3: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043C5

Strings

, xrefs: 004053FD

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 26e100c8e936244900aacf90f380f9ed614629df6b7f9272593e4765ff02ca63
Instruction ID: 5278ea034fccd8c5818adddfb220a11f4cbf18c481ac084eeec191c980f5e464
Opcode Fuzzy Hash: 26e100c8e936244900aacf90f380f9ed614629df6b7f9272593e4765ff02ca63
Instruction Fuzzy Hash: F9012C71200609AFDF216F11DD80BDB3B66EB84756F504036FB01752E2C77A8C92DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 004062DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004062DF(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E0040627E(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x004062ed
0x004062ef
0x00406307
0x0040630c
0x00406311
0x0040634f
0x0040634f
0x00406313
0x00406325
0x00406330
0x00406336
0x00406341
0x00000000
0x00000000
0x00406341
0x00406355

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,0042C248,00000000,?,?,Call,?,?,0040656E,80000002), ref: 00406325
RegCloseKey.ADVAPI32(?,?,0040656E,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C248), ref: 00406330

Strings

Call, xrefs: 004062E6

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 844154995e22508991f9c2085a3ddc533437a0a8a5a4e2329c4a16b7f523fd8f
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: CF017172500209EBDF218F55CD05EDB3BA9EB54394F05803AFD5592150E738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004059FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059FA(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x430270->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405a03
0x00405a23
0x00405a2b
0x00405a30
0x00000000
0x00405a36
0x00405a3a

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 00405A23
CloseHandle.KERNEL32(?), ref: 00405A30

Strings

Error launching installer, xrefs: 00405A0D

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 9b609aa4dbda1b40da6c9694c56aee9f908f129f2491f8ac19b90d9f5f8e4f4b
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 19E0B6B4600209BFEB109FA4EE49F7B7AACEB04708F004565BD50F6191DBB8EC158A7C

Uniqueness

Uniqueness Score: -1.00%

Function 004020D0 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D0(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x434fd8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x434fa8 =  *0x434fa8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402D3E(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402D3E(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406875(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E00405479(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce50, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403A80( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d0
0x004020d0
0x004020d5
0x004020dc
0x0040219b
0x004022e9
0x004022e9
0x00402bc2
0x00402bc5
0x00402bd1
0x00402bd1
0x004020eb
0x004020f5
0x004020f8
0x00402108
0x0040210c
0x00402112
0x00402114
0x00402117
0x00402194
0x00000000
0x00402194
0x00402119
0x00402124
0x00402128
0x00402168
0x0040212a
0x0040212d
0x00402130
0x0040215c
0x00402132
0x00402135
0x0040213e
0x00402140
0x00402140
0x0040213e
0x00402130
0x00402170
0x00402189
0x00402189
0x00000000
0x00402170
0x004020fb
0x00402103
0x00402106
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB

Part of subcall function 00405479: lstrlenW.KERNEL32(0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
Part of subcall function 00405479: lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
Part of subcall function 00405479: SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040210C
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402189

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 78ecc952e10d997ac4934020b2af859247c5bfa8e95875e99b3b14e24fd3f8e7
Instruction ID: ec066b6349dd7fa10fed5d852794e64c7c96c86c32cb5d354c2886168094fa20
Opcode Fuzzy Hash: 78ecc952e10d997ac4934020b2af859247c5bfa8e95875e99b3b14e24fd3f8e7
Instruction Fuzzy Hash: A7219931500104EBCF10AFA5CE49A9E7A71AF44354F34413BF515B51E0CBBD9D829A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402596 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402596(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402D7E(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D1C(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x3ff);
					}
					_t22[0x3ff] = _t16;
					_push(_t24); // executed
					RegCloseKey(); // executed
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00402596
0x00402596
0x00402596
0x0040259b
0x004025a2
0x004025a4
0x004025ac
0x004025af
0x004025b2
0x00402925
0x004025b8
0x004025c0
0x004025c3
0x004025dc
0x004025e2
0x004025e4
0x004025e6
0x004025e6
0x004025c5
0x004025c9
0x004025c9
0x004025ed
0x004025f4
0x004025f5
0x004025f5
0x00402bc5
0x00402bd1

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C9
RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025DC
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsdCB34.tmp,00000000,00000011,00000002), ref: 004025F5

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 7e2c7bfb651a1333adc8038a86be957ed4d1f5f45db318ed8e83b607926505dd
Instruction ID: a8e4f27cd85b524b938bc80bb312ff0c07efa3365ef466736b2b8963d993c2c8
Opcode Fuzzy Hash: 7e2c7bfb651a1333adc8038a86be957ed4d1f5f45db318ed8e83b607926505dd
Instruction Fuzzy Hash: 92017C71A11504BBEB149FA49E48AAFB77CEF40348F10403AF501B61C0D7B85E40866D

Uniqueness

Uniqueness Score: -1.00%

Function 00402522 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402522(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402D7E(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402D3E(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E00406358(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35); // executed
					RegCloseKey(); // executed
				}
				 *0x434fa8 =  *0x434fa8 +  *(_t37 - 4);
				return 0;
			}

0x00402522
0x00402522
0x00402527
0x0040252e
0x00402530
0x00402537
0x0040253a
0x00402925
0x00402540
0x00402543
0x0040255e
0x0040258e
0x0040258e
0x00402591
0x00402560
0x00402564
0x0040257d
0x00402584
0x00402587
0x00402566
0x00402569
0x00402574
0x004025ed
0x00000000
0x00000000
0x00000000
0x00402569
0x00402564
0x004025f4
0x004025f5
0x004025f5
0x00402bc5
0x00402bd1

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsdCB34.tmp,00000000,00000011,00000002), ref: 004025F5

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3b8b1e0f684718fab1855b03e1fec85b6eef462078d4d3cdd57d81b9b6cfbe6e
Instruction ID: af493c066ab36ea8406690c3d62a07c4fb2ed7115def6bf4d18b774961f6c260
Opcode Fuzzy Hash: 3b8b1e0f684718fab1855b03e1fec85b6eef462078d4d3cdd57d81b9b6cfbe6e
Instruction Fuzzy Hash: CD116A71910209EBCF14DFA4CA589AEB774FF04354B20843BE402B62C0D3B88A44DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x434f50;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x433eec =  *0x433eec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c5196716ed2294a5b6683282f685902d4e4d655c798d26bf32279206d375a943
Instruction ID: f4b073df4371d13d5e47470e1508f1e4354d1df05d26164fcbedf483487d3525
Opcode Fuzzy Hash: c5196716ed2294a5b6683282f685902d4e4d655c798d26bf32279206d375a943
Instruction Fuzzy Hash: 4D01F4316242209FE7094B389D05B6A3698E710319F14823FF855F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040242C Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040242C(void* __ebx) {
				long _t7;
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x20) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
				if( *(_t23 - 0x20) != __ebx) {
					_t7 = E00402DFC(_t20, E00402D3E(0x22),  *(_t23 - 0x20) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t10 = E00402D7E(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402D3E(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x0040242c
0x0040242c
0x0040242f
0x00402432
0x0040246e
0x00402473
0x00000000
0x00402434
0x00402436
0x0040243b
0x0040243f
0x00402925
0x00402925
0x00402445
0x00402455
0x00402457
0x00402475
0x00402477
0x00000000
0x0040247d
0x00402477
0x0040243f
0x00402bc5
0x00402bd1

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040244E
RegCloseKey.ADVAPI32(00000000), ref: 00402457

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 047f31a594ad1d9cf841833c20fb6c4a455a6b04475d38f7d1b8b40705fc536e
Instruction ID: 85a5e790261a6a1b6dedd729f081e1fb82c2b0bf937f90b5091167455713ef2b
Opcode Fuzzy Hash: 047f31a594ad1d9cf841833c20fb6c4a455a6b04475d38f7d1b8b40705fc536e
Instruction Fuzzy Hash: 5AF06232A00120ABDB10AFA89A4DAAE73A5AF44314F16043FE651B71C1DAFC5D01563D

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: ba2a3c5e5c5e776cdf5630d67b2c53ff1ecd8db0fb1778bda333e84ab02891b0
Instruction ID: 5d2b838fc97348560faaf82546316e7c29db3ee13ca796b15ebd5141c346d58e
Opcode Fuzzy Hash: ba2a3c5e5c5e776cdf5630d67b2c53ff1ecd8db0fb1778bda333e84ab02891b0
Instruction Fuzzy Hash: 6FE09A32A042009FD704EFA4AE484AEB3B4EB90325B20097FE401F20C1CBB85C008A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00406806 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406806(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E00406796(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040680e
0x00406811
0x00406818
0x00406820
0x0040682c
0x00000000
0x00406833
0x00406823
0x0040682a
0x00000000
0x0040683b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
GetProcAddress.KERNEL32(00000000,?), ref: 00406833

Part of subcall function 00406796: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004067AD
Part of subcall function 00406796: wsprintfW.USER32 ref: 004067E8
Part of subcall function 00406796: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067FC

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction ID: c5f632ab0fd527bf8e68b4786b10832766149758e6d8e51d9ba55f9b7eb13659
Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction Fuzzy Hash: 30E0863350421056E211AA746E44C7B77A89F99750307843EF956F2080D738DC359679

Uniqueness

Uniqueness Score: -1.00%

Function 00405F07 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405F07(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405f0b
0x00405f18
0x00405f2d
0x00405f33

APIs

GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EE2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405ee7
0x00405eed
0x00405ef2
0x00405efb
0x00405efb
0x00405f04

APIs

GetFileAttributesW.KERNELBASE(?,?,00405AE7,?,?,00000000,00405CBD,?,?,?,?), ref: 00405EE7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405EFB

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 11a24c4abb36edafbee48cc994cb64d758a4bce1ebd63d049f972be52462095a
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: C7D0C9725045316BC2102728AF0889BBB55EB643717054A35F9A5A22B0CB314C528A98

Uniqueness

Uniqueness Score: -1.00%

Function 004059C5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059C5(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004059cb
0x004059d3
0x00000000
0x004059d9
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034B8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 004059CB
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059D9

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 1e5fcd6d8aa83e7c3539c134ce858d200345c8ad9b438ef6e258ac5dd368824a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 27C04C71204541EEE6505B20AE09B177A909B50751F26843A6147F01A0DA388455E93D

Uniqueness

Uniqueness Score: -1.00%

Function 02B90CBD Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02B90CC3

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: ce1694924cc270a28cdc805b4c9f82340aaf18b76c76916485e9388a3103fc8a
Instruction ID: c5c62daabd100ea409b12df08a500db8855f8c7dbb238b2908a3b02dd7c5a84f
Opcode Fuzzy Hash: ce1694924cc270a28cdc805b4c9f82340aaf18b76c76916485e9388a3103fc8a
Instruction Fuzzy Hash: 04514776965382CFCB2AEF34C4842DA7BB1EF46360F184DADC8808B953D334954ADB41

Uniqueness

Uniqueness Score: -1.00%

Function 73842AF8 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E73842AF8(intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t69;
				intOrPtr _t70;
				signed int _t75;
				intOrPtr _t77;
				intOrPtr _t78;
				void* _t79;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				intOrPtr _t91;
				intOrPtr _t92;

				if( *0x73845050 != 0 && E73842A3B(_a4) == 0) {
					 *0x73845054 = _t91;
					if( *0x7384504c != 0) {
						_t91 =  *0x7384504c;
					} else {
						E73842A35();
						L73843020();
						 *0x7384504c = _t91;
					}
				}
				_t28 = E73842A69(_a4);
				_t92 = _t91 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E73842A5D();
					_t70 = _a4;
					_t77 =  *0x73845058;
					 *((intOrPtr*)(_t29 + _t70)) = _t77;
					 *0x73845058 = _t70;
					E73842A57();
					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x73845034 = _t33;
					 *0x73845038 = _t77;
					if( *0x73845050 != 0 && E73842A3B( *0x73845058) == 0) {
						 *0x7384504c = _t92;
						_t92 =  *0x73845054;
					}
					_t78 =  *0x73845058;
					_a4 = _t78;
					 *0x73845058 =  *((intOrPtr*)(E73842A5D() + _t78));
					_t37 = E73842A49(_t78);
					_pop(_t79);
					if(_t37 != 0) {
						_t40 = E73842A69(_t79);
						if(_t40 > 0) {
							_push(_t40);
							_push(E73842A74() + _a4 + _v8);
							_push(E73842A7E());
							if( *0x73845050 <= 0 || E73842A3B(_a4) != 0) {
								_pop(_t86);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t86 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t87);
								_pop(_t49);
								 *0x7384504c =  *0x7384504c +  *(_t87 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t105 =  *0x73845058;
					if( *0x73845058 == 0) {
						 *0x7384504c = 0;
					}
					E73842AA2(_t105, _a4,  *0x73845034,  *0x73845038);
					return _a4;
				}
				_push(E73842A74() + _a4);
				_t56 = E73842A7A();
				_v8 = _t56;
				_t75 = _t28;
				_push(_t67 + _t56 * _t75);
				_t69 = E73842A86();
				_t85 = E73842A82();
				_t88 = E73842A7E();
				_t61 = _t75;
				if( *((intOrPtr*)(_t88 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t69 + _t61)));
				}
				_push( *((intOrPtr*)(_t85 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73842b08
0x73842b19
0x73842b26
0x73842b3a
0x73842b28
0x73842b28
0x73842b2d
0x73842b32
0x73842b32
0x73842b26
0x73842b43
0x73842b48
0x73842b4e
0x73842b92
0x73842b92
0x73842b97
0x73842b9c
0x73842ba2
0x73842ba4
0x73842baa
0x73842bb7
0x73842bb9
0x73842bbe
0x73842bcb
0x73842bde
0x73842be4
0x73842bea
0x73842beb
0x73842bf1
0x73842bfd
0x73842c03
0x73842c0b
0x73842c0c
0x73842c0f
0x73842c1a
0x73842c1c
0x73842c28
0x73842c2e
0x73842c36
0x73842c62
0x73842c63
0x73842c65
0x73842c69
0x73842c69
0x73842c70
0x73842c46
0x73842c46
0x73842c47
0x73842c55
0x73842c5e
0x73842c5e
0x73842c36
0x73842c1a
0x73842c72
0x73842c79
0x73842c7b
0x73842c7b
0x73842c94
0x73842ca2
0x73842ca2
0x73842b59
0x73842b5a
0x73842b5f
0x73842b63
0x73842b68
0x73842b7c
0x73842b7d
0x73842b7e
0x73842b80
0x73842b85
0x73842b87
0x73842b87
0x73842b8a
0x73842b90
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 73842BB7

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 59382bdda6a062710532ef578819d90167025cb9d27a1167d89c737784ddc0dc
Instruction ID: 96fa31f0c6a9254b864f2dd2e8e5e1ef93a27a04fb1311ba3ee957b1df4bb9a8
Opcode Fuzzy Hash: 59382bdda6a062710532ef578819d90167025cb9d27a1167d89c737784ddc0dc
Instruction Fuzzy Hash: F5417CB640860CEFEB20EFE9D981B5D777BEB44354F30DA26ED0986950CB399490CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02BA9896 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(00000001,02BA9CE4,DDA5C074,00000000), ref: 02BA9949

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 127dc533d372a61d40fbb857d83d759fa4a793359d249e537cd2df996a4fb2f4
Instruction ID: 4357e8d37f6c325dd05fec1ef41ebe075666e7a7fc7c481c3f82c011c6c4b04a
Opcode Fuzzy Hash: 127dc533d372a61d40fbb857d83d759fa4a793359d249e537cd2df996a4fb2f4
Instruction Fuzzy Hash: 23F01D71608A49DFDB299E7489A43DA37A2BFD9304F50846ACA4ACF604D734A944DB11

Uniqueness

Uniqueness Score: -1.00%

Function 004023AA Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023AA(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402D3E(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402D3E(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402D3E(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402D3E(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023aa
0x004023aa
0x004023ac
0x004023b0
0x004023b3
0x004023b8
0x004023bd
0x004023c6
0x004023c6
0x004023cb
0x004023d4
0x004023d4
0x004023e1
0x004015b4
0x004015b6
0x00402925
0x00402925
0x00402bc5
0x00402bd1

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E1

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
Instruction ID: 2036f094aef4cf8fcdd3ce51ebd23e93268b82f075a1b79732874c3119e34eec
Opcode Fuzzy Hash: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
Instruction Fuzzy Hash: 30E086319001246ADB303AF15E8DEBF21586F44345B14093FFA12B62C2DAFC0C42467D

Uniqueness

Uniqueness Score: -1.00%

Function 004062AC Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AC(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406203(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062b6
0x004062bf
0x004062d5
0x00000000
0x004062d5
0x004062c3
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402DEF,00000000,?,?), ref: 004062D5

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction ID: 3317d7e482e8079663a6db4a97809581e22c1b07b88153a27e00a08cc0e2c803
Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction Fuzzy Hash: 52E0ECB2020109BEEF19AF90DD1ADBB371DEB04350F01492EF916E4091E6B5A930AA74

Uniqueness

Uniqueness Score: -1.00%

Function 00405F8A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F8A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405f8e
0x00405f9e
0x00405fa6
0x00000000
0x00405fad
0x00000000
0x00405faf

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F9E

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: f93b0abb86e743badb4163669300e0f642a0e5fa5e5e92c65fa389833edf0ca2
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: D7E08C3220121AEBEF11AE618C04EEBBB6CFF01360F004832F910E6240D238E8218BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405FB9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FB9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405fbd
0x00405fcd
0x00405fd5
0x00000000
0x00405fdc
0x00000000
0x00405fde

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403430,000000FF,0041EA20,?,0041EA20,?,?,00000004,00000000), ref: 00405FCD

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: c6b158df49e6f5968e08b93a39371abef257cf80c9060b8b5a86bf4d0676d75d
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 1FE0EC3225065AABDF109E669C04EEB7B6CEB053A0F004837FA55E3190D635E821DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 738429DF Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73845048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7384505c, 4, 0x40, 0x7384504c); // executed
					 *0x7384505c = 0xc2;
					 *0x7384504c = 0;
					 *0x73845054 = 0;
					 *0x73845068 = 0;
					 *0x73845058 = 0;
					 *0x73845050 = 0;
					 *0x73845060 = 0;
					 *0x7384505e = 0;
				}
				return 1;
			}

0x738429e8
0x738429ed
0x738429fd
0x73842a05
0x73842a0c
0x73842a11
0x73842a16
0x73842a1b
0x73842a20
0x73842a25
0x73842a2a
0x73842a2a
0x73842a32

APIs

VirtualProtect.KERNELBASE(7384505C,00000004,00000040,7384504C), ref: 738429FD

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3ddff12e731b8901ef9660ba9bf17d577078cfb697691a25e71e8736f109c578
Instruction ID: 55766228130bdfd86fb2fda37815e8308231e7a2e73bb106d85bd1aa1da9f82b
Opcode Fuzzy Hash: 3ddff12e731b8901ef9660ba9bf17d577078cfb697691a25e71e8736f109c578
Instruction Fuzzy Hash: 5CF0A5FA504A88DEC360EF6A844470DBBE1B709304B34472AED9CD6A41E3744044CF91

Uniqueness

Uniqueness Score: -1.00%

Function 004023EC Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023EC(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t17;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402D3E(1);
				 *(_t21 - 0x10) = E00402D3E(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x10), _t21 + 8, _t17, 0x3ff, E00402D3E(0xffffffdd)); // executed
				_t24 =  *_t17 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t17 = __ebx;
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004023ec
0x004023f3
0x004023f6
0x00402406
0x0040241d
0x00402423
0x00401751
0x004028f3
0x004028fa
0x004028fa
0x00402bc5
0x00402bd1

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040241D

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: f55628d4b7fc1c3702899dee1337003f381c7036a296fbc4314416ebe8ce5134
Instruction ID: 84a3be15b77accaad8f92e5f77cb7225a0a8ac318d6267ea73d07213f2db240d
Opcode Fuzzy Hash: f55628d4b7fc1c3702899dee1337003f381c7036a296fbc4314416ebe8ce5134
Instruction Fuzzy Hash: D3E04F30800219AADB00AFA0CE09EAE3769BF00300F10093AF520BB0D1E7FC89409749

Uniqueness

Uniqueness Score: -1.00%

Function 0040627E Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040627E(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406203(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406288
0x0040628f
0x004062a2
0x00000000
0x004062a2
0x00406293
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,0040630C,0042C248,00000000,?,?,Call,?), ref: 004062A2

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: 30c71471ac55a0486040fafebf39dce1c160f5eedd86b0188f7d98683811911a
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 45D0123254020DBBEF11AF90ED01FAB375DAB08351F01442AFE16A4091D775D530A724

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402D3E(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x00402925
0x00402925
0x00402bc5
0x00402bd1

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6b1ab73fd8eff285d918823dc1170c24360cfb5c9671e6d3e0b8c01c80aedfbb
Instruction ID: a93de1ea602b80332484b308aebd2b3b1e31a5c4c7fa674852030dd18b7254c5
Opcode Fuzzy Hash: 6b1ab73fd8eff285d918823dc1170c24360cfb5c9671e6d3e0b8c01c80aedfbb
Instruction Fuzzy Hash: AAD01772B041049BCB00DFA9AA48A9E73B0EF64328B308537D121F21D0D6F899419A29

Uniqueness

Uniqueness Score: -1.00%

Function 0040347D Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040347D(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040348b
0x00403491

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 0040348B

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3D Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A3D(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x00405a3d
0x00405a42
0x00405a46
0x00405a4c
0x00405a52

APIs

ShellExecuteExW.SHELL32(?), ref: 00405A4C

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040439C Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040439C(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x434f08, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004043aa
0x004043b0

APIs

SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 02B989B1 Relevance: 1.4, APIs: 1, Instructions: 118sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02B989BA

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 226cbf64b1cabe500dea9e2fbe4e4f0f6b8f6cc61282894b59b693b194e605c9
Instruction ID: ea97840329fbde171465408571fa7bfb974447e97b56697dfa03caa7688a5b2d
Opcode Fuzzy Hash: 226cbf64b1cabe500dea9e2fbe4e4f0f6b8f6cc61282894b59b693b194e605c9
Instruction Fuzzy Hash: BF319D33504285DBCB198F7888452DBBF62DF87224F158BE9C6F18F6A6E31181978782

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402D3E(_t15);
				E00405479(0xffffffeb, _t7);
				_t9 = E004059FA(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E004068B1(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406358( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x00402925
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402bc5
0x00402bd1

APIs

Part of subcall function 00405479: lstrlenW.KERNEL32(0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
Part of subcall function 00405479: lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
Part of subcall function 00405479: SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

Part of subcall function 004059FA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 00405A23
Part of subcall function 004059FA: CloseHandle.KERNEL32(?), ref: 00405A30

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004068B1: WaitForSingleObject.KERNEL32(?,00000064), ref: 004068C2
Part of subcall function 004068B1: GetExitCodeProcess.KERNEL32(?,?), ref: 004068E4

Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 2c7cace8b40396dc1007721c752aece60cf73a9644ca7ded5cab49998381d192
Instruction ID: 70f87f17d48a981753e2349e7fd5e29e0bd5cf5a9d75e43b79cc9d2baa006ef6
Opcode Fuzzy Hash: 2c7cace8b40396dc1007721c752aece60cf73a9644ca7ded5cab49998381d192
Instruction Fuzzy Hash: 05F09632905111EBCB10AFA589849DE72B4DF00314B25453BE552B31D0C7BC0D419A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402D1C(_t7);
				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402bc5
0x00402bd1

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f5bdca1a155d9e49db802200bf92d6fca10bad1793e20f26dfe4708f9af3b7d1
Instruction ID: 48b894a6b6243f55f811ea40c192212472d129cd546c7318a3a4cbaf3ee199e0
Opcode Fuzzy Hash: f5bdca1a155d9e49db802200bf92d6fca10bad1793e20f26dfe4708f9af3b7d1
Instruction Fuzzy Hash: EFD05E73A201009BC700DFB8BE8545E73B8EA903293304837D442E20D1E6B898418628

Uniqueness

Uniqueness Score: -1.00%

Function 7384121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E7384121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x7384506c +  *0x7384506c); // executed
				return _t3;
			}

0x73841225
0x7384122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,7384123B,?,738412DF,00000019,738411BE,-000000A0), ref: 73841225

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: cc346668995ec5e24c4924da615c802c7e90f42c051394375f294b1147bc3eef
Instruction ID: 99ad9082bce915e50f5aacf05abfde7f86081dcb44e5d055aecf0a23e630a0a7
Opcode Fuzzy Hash: cc346668995ec5e24c4924da615c802c7e90f42c051394375f294b1147bc3eef
Instruction Fuzzy Hash: B5B012B6A00400DFEE40EF65CC06F383254F700301F184000FA08C1580C3304C10C534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004055B8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004055B8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x433ee4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E0040554C, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040644E(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x42d268;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x433ecc == _t156) {
							ShowWindow( *0x434f08, 8);
							if( *0x434fac == _t156) {
								E00405479( *((intOrPtr*)( *0x42c240 + 0x34)), _t156);
							}
							E00404340(_t171);
							goto L25;
						}
						 *0x42ba38 = 2;
						E00404340(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004043CE(_a8, _a12, _a16);
						}
						ShowWindow( *0x433ed0, _t156);
						ShowWindow(_t169, 8);
						E0040439C(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x434f14;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x433ed0 = GetDlgItem(_a4, 0x403);
				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x433ee4 = _t134;
				_v8 = _t134;
				E0040439C( *0x433ed0);
				 *0x433ed4 = E00404CF5(4);
				 *0x433eec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404367(_a4);
				if(( *0x434f1c & 0x00000003) != 0) {
					ShowWindow( *0x433ed0, _t156);
					if(( *0x434f1c & 0x00000002) != 0) {
						 *0x433ed0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040439C( *0x433ec8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x434f1c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004055c0
0x004055c6
0x004055d0
0x004055d3
0x00405769
0x0040578d
0x0040578d
0x004057a0
0x004057be
0x004057c0
0x004057c8
0x0040581e
0x00405822
0x00000000
0x00000000
0x00405824
0x0040582a
0x00000000
0x00000000
0x00405834
0x0040583c
0x0040583f
0x00405941
0x00000000
0x00405941
0x0040584e
0x00405859
0x00405862
0x0040586d
0x00405870
0x00405879
0x0040587f
0x00405882
0x00405882
0x0040589a
0x004058a3
0x004058a6
0x004058ad
0x004058b4
0x004058bc
0x004058bc
0x004058d3
0x004058d3
0x004058da
0x004058e0
0x004058ec
0x004058f3
0x004058fc
0x004058fe
0x00405901
0x00405910
0x00405913
0x00405919
0x0040591a
0x00405920
0x00405921
0x00405922
0x0040592a
0x00405935
0x0040593b
0x0040593b
0x00000000
0x0040589a
0x004057d0
0x00405800
0x00405808
0x00405813
0x00405813
0x00405819
0x00000000
0x00405819
0x004057d4
0x004057de
0x00000000
0x004057a2
0x004057a8
0x004057e3
0x00000000
0x004057ec
0x004057b1
0x004057b6
0x004057b9
0x00000000
0x004057b9
0x004057a0
0x004055d9
0x004055dd
0x004055e5
0x004055e9
0x004055ec
0x004055ef
0x004055f2
0x004055f5
0x004055f6
0x004055f7
0x00405610
0x00405613
0x0040561d
0x0040562c
0x00405634
0x0040563c
0x00405641
0x00405644
0x00405650
0x00405659
0x00405662
0x00405684
0x0040568a
0x0040569b
0x004056a0
0x004056ae
0x004056bc
0x004056bc
0x004056c1
0x004056cf
0x004056cf
0x004056d4
0x004056d7
0x004056dc
0x004056e8
0x004056f1
0x004056fe
0x0040570d
0x00405700
0x00405705
0x00405705
0x00405719
0x00405719
0x0040572d
0x00405736
0x0040573f
0x0040574f
0x0040575b
0x0040575b
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405616
GetDlgItem.USER32(?,000003EE), ref: 00405625
GetClientRect.USER32(?,?), ref: 00405662
GetSystemMetrics.USER32(00000002), ref: 00405669
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040568A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040569B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004056AE
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004056BC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056CF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056F1
ShowWindow.USER32(?,00000008), ref: 00405705
GetDlgItem.USER32(?,000003EC), ref: 00405726
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405736
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040574F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040575B
GetDlgItem.USER32(?,000003F8), ref: 00405634

Part of subcall function 0040439C: SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA

GetDlgItem.USER32(?,000003EC), ref: 00405778
CreateThread.KERNEL32(00000000,00000000,Function_0000554C,00000000), ref: 00405786
CloseHandle.KERNEL32(00000000), ref: 0040578D
ShowWindow.USER32(00000000), ref: 004057B1
ShowWindow.USER32(?,00000008), ref: 004057B6
ShowWindow.USER32(00000008), ref: 00405800
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405834
CreatePopupMenu.USER32 ref: 00405845
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405859
GetWindowRect.USER32(?,?), ref: 00405879
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405892
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058CA
OpenClipboard.USER32(00000000), ref: 004058DA
EmptyClipboard.USER32 ref: 004058E0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058EC
GlobalLock.KERNEL32(00000000), ref: 004058F6
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040590A
GlobalUnlock.KERNEL32(00000000), ref: 0040592A
SetClipboardData.USER32(0000000D,00000000), ref: 00405935
CloseClipboard.USER32 ref: 0040593B

Strings

{, xrefs: 0040581E

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 8f25bff0f06489f7a1a8ce70ca033e140048c00b36b59f282442a9f3d67c4887
Instruction ID: ef42e6e7ad26681d1de71b6013131fdd69d98400fc0f56e042e978cac442fd71
Opcode Fuzzy Hash: 8f25bff0f06489f7a1a8ce70ca033e140048c00b36b59f282442a9f3d67c4887
Instruction Fuzzy Hash: 45B138B1900608FFDB11AFA0DE85AAE7B79FB44355F00803AFA41B61A0CB755E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404858 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404858(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42c240;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x436000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405A5B(0x3fb, _t146);
					E004066C0(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405A5B(0x3fb, _t146);
							if(E00405DEE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406411(0x42b238, _t146);
							_t87 = E00406806(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406411(0x42b238, _t146);
								_t89 = E00405D91(0x42b238);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x42b238) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405D32(0x42b238);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x42b238) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404CF5(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x433edc + 0x10)) != _t158) {
									E00404CDD(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x42b228);
									} else {
										E00404C14(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x434fc4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404389(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42d258 == _t158) {
									E004047B1();
								}
								 *0x42d258 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x42d268;
							_v60 = E00404BAE;
							_v56 = _t146;
							_v68 = E0040644E(_t146, 0x42d268, _t167, 0x42ba40, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405CE6(_t146);
								_t125 =  *((intOrPtr*)( *0x434f14 + 0x11c));
								if( *((intOrPtr*)( *0x434f14 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved") {
									E0040644E(_t146, 0x42d268, _t167, 0, _t125);
									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
										lstrcatW(_t146, 0x432ea0);
									}
								}
								 *0x42d258 =  *0x42d258 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405D5D(_t146) != 0 && E00405D91(_t146) == 0) {
						E00405CE6(_t146);
					}
					 *0x433ed8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404367(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404367(_t167);
					E0040439C(_t166);
					_t138 = E00406806(8);
					if(_t138 == 0) {
						L53:
						return E004043CE(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404858
0x0040485e
0x00404864
0x00404871
0x0040487f
0x00404882
0x0040488a
0x00404890
0x00404890
0x0040489c
0x0040489f
0x0040490d
0x00404914
0x004049eb
0x004049f2
0x00404a01
0x00404a01
0x00404a05
0x00404a0f
0x00404a1c
0x00404a1e
0x00404a1e
0x00404a2c
0x00404a33
0x00404a3a
0x00404a3d
0x00404a79
0x00404a7b
0x00404a81
0x00404a86
0x00404a8a
0x00404a8c
0x00404a8c
0x00404aa8
0x00000000
0x00404aaa
0x00404aad
0x00404abb
0x00404ac1
0x00404ac2
0x00404ac5
0x00404ac8
0x00000000
0x00404ac8
0x00404a3f
0x00404a41
0x00404a45
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a47
0x00404a47
0x00404a54
0x00404a59
0x00000000
0x00000000
0x00404a5d
0x00404a5f
0x00404a5f
0x00404a68
0x00404a6a
0x00404a6f
0x00404a72
0x00404a77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a77
0x00404ad4
0x00404ade
0x00404ae1
0x00404ae4
0x00404aeb
0x00404aeb
0x00404aed
0x00404aed
0x00404af2
0x00404af4
0x00404afc
0x00404b03
0x00404b05
0x00404b10
0x00404b10
0x00404b05
0x00404b20
0x00404b2a
0x00404b32
0x00404b4d
0x00404b34
0x00404b3d
0x00404b3d
0x00404b32
0x00404b52
0x00404b57
0x00404b5c
0x00404b65
0x00404b65
0x00404b6e
0x00404b70
0x00404b70
0x00404b7c
0x00404b84
0x00404b8e
0x00404b8e
0x00404b93
0x00000000
0x00404b93
0x00404a3d
0x004049f4
0x004049fb
0x00000000
0x00000000
0x00000000
0x004049fb
0x0040491a
0x00404923
0x0040493d
0x00404942
0x0040494c
0x00404953
0x0040495f
0x00404962
0x00404965
0x0040496c
0x00404974
0x00404977
0x0040497b
0x00404982
0x0040498a
0x004049e4
0x0040498c
0x0040498d
0x00404994
0x0040499e
0x004049a6
0x004049b3
0x004049c7
0x004049cb
0x004049cb
0x004049c7
0x004049d0
0x004049dd
0x004049dd
0x0040498a
0x00000000
0x00404942
0x00404930
0x00000000
0x00000000
0x00404936
0x00000000
0x004048a1
0x004048ae
0x004048b7
0x004048c4
0x004048c4
0x004048cb
0x004048d1
0x004048da
0x004048dd
0x004048e0
0x004048e8
0x004048eb
0x004048ee
0x004048f4
0x004048fb
0x00404902
0x00404b99
0x00404bab
0x00404908
0x0040490b
0x00000000
0x0040490b
0x00404902

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048A7
SetWindowTextW.USER32(00000000,?), ref: 004048D1
SHBrowseForFolderW.SHELL32(?), ref: 00404982
CoTaskMemFree.OLE32(00000000), ref: 0040498D
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 004049BF
lstrcatW.KERNEL32(?,Call), ref: 004049CB
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049DD

Part of subcall function 00405A5B: GetDlgItemTextW.USER32(?,?,00000400,00404A14), ref: 00405A6E

Part of subcall function 004066C0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75423420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406723
Part of subcall function 004066C0: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406732
Part of subcall function 004066C0: CharNextW.USER32(?,00000000,75423420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406737
Part of subcall function 004066C0: CharPrevW.USER32(?,?,75423420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 0040674A

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404AA0
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404ABB

Part of subcall function 00404C14: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CB5
Part of subcall function 00404C14: wsprintfW.USER32 ref: 00404CBE
Part of subcall function 00404C14: SetDlgItemTextW.USER32(?,0042D268), ref: 00404CD1

Strings

Call, xrefs: 004049B9, 004049BE, 004049C9
C:\Users\user\AppData\Roaming\Shoved, xrefs: 004049A8
A, xrefs: 0040497B

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Shoved$Call
API String ID: 2624150263-3777947816
Opcode ID: 853e4702587f22a3b0095dfd1c3f762452952fa67d6f0456fc7ffaafa7f78d96
Instruction ID: 0d1333b798dde08b2b35772059431d035751c92a28532a026af6b574b599a32b
Opcode Fuzzy Hash: 853e4702587f22a3b0095dfd1c3f762452952fa67d6f0456fc7ffaafa7f78d96
Instruction Fuzzy Hash: 56A15EF1A00209ABDB11AFA5CD45AAFB7B8EF84314F10843BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 73841B5F Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73841B5F() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E7384121B();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E7384121B();
				_t321 = E73841243();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t332 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E73841311(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E7384158F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x73842348) & 0x000000ff) * 4 +  &M738422BC))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E7384122C(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E7384121B();
											 &_v12 = E73841AE6( &_v12);
											__eax = E73841470(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73841AE6( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73841AE6( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7384405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73841AE6( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E7384161D( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E73841311(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E7384161D( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E73841311(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E73841311(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E73841311(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E7384122C(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E73841311(_t90) * 4);
					goto L165;
				}
			}

0x73841b67
0x73841b6a
0x73841b6d
0x73841b70
0x73841b73
0x73841b76
0x73841b79
0x73841b7b
0x73841b7e
0x73841b81
0x73841b86
0x73841b89
0x73841b91
0x73841b99
0x73841b9b
0x73841b9e
0x73841ba6
0x73841ba6
0x73841bab
0x73841bae
0x00000000
0x00000000
0x73841bbb
0x73841bc0
0x73841bc2
0x73841c54
0x73841c54
0x73841c54
0x73841c58
0x73841c5b
0x73841c5d
0x73841c7f
0x73841c81
0x73841c84
0x73841c93
0x73841c95
0x73841c9b
0x73841c9b
0x73841ca1
0x73841ca4
0x73841ca4
0x73841ca7
0x73841ca7
0x73841cad
0x73841caf
0x73841caf
0x73841cb1
0x73841cb4
0x73841cb7
0x73841cbd
0x73841cc3
0x73841cc6
0x73841cea
0x73841ced
0x00000000
0x00000000
0x73841cf0
0x73841cf2
0x73841d00
0x73841d03
0x73841d05
0x00000000
0x00000000
0x00000000
0x00000000
0x73841d07
0x73841d07
0x73841d07
0x73841d0d
0x73841d0f
0x00000000
0x00000000
0x73841d11
0x73841d13
0x73841d15
0x73841d17
0x00000000
0x00000000
0x00000000
0x73841d17
0x73841d19
0x73841d1b
0x73841d1d
0x73841d1d
0x73841d23
0x73841d29
0x73841d2b
0x73841d3f
0x73841d3f
0x73841d41
0x73841d2d
0x73841d33
0x73841d36
0x73841d36
0x00000000
0x73841cc8
0x73841cc8
0x73841cc8
0x73841cc9
0x73841cd1
0x73841cd5
0x73841cdb
0x73841cdf
0x00000000
0x73841cdf
0x73841ccb
0x73841ccb
0x73841ccc
0x00000000
0x00000000
0x73841cce
0x73841ccf
0x00000000
0x00000000
0x00000000
0x73841ccf
0x73841c5f
0x73841c60
0x73841c69
0x73841c6c
0x73841c79
0x73841c79
0x73841c6e
0x73841c6e
0x73841d47
0x73841d4a
0x73841d4e
0x73841dc1
0x73841dc5
0x73841ba3
0x00000000
0x73841ba3
0x00000000
0x73841dc5
0x73841c5d
0x73841bc8
0x73841bcb
0x73841c2e
0x73841c31
0x73841c43
0x73841c43
0x73841c46
0x73841d53
0x73841d56
0x73841d56
0x73841d58
0x7384210e
0x73842126
0x73842126
0x73842129
0x00000000
0x00000000
0x73842113
0x73842114
0x73842117
0x7384211a
0x738421a4
0x738421ab
0x738421b1
0x738421b5
0x73841dbc
0x73841dbd
0x73841dbd
0x73841dbe
0x00000000
0x73841dbe
0x73842120
0x73842123
0x73842123
0x7384212b
0x7384212e
0x73842198
0x73841db1
0x73841db4
0x73841db7
0x73841dba
0x73841dba
0x00000000
0x73841dba
0x73842130
0x73842133
0x7384213a
0x7384213a
0x7384213d
0x73842141
0x73842155
0x73842155
0x73842158
0x7384215c
0x00000000
0x00000000
0x7384215e
0x73842162
0x00000000
0x00000000
0x73842164
0x7384216b
0x7384216b
0x73842171
0x73842174
0x73842190
0x73842176
0x7384217f
0x73842182
0x73842182
0x00000000
0x73842174
0x73842143
0x73842146
0x7384214a
0x00000000
0x00000000
0x7384214c
0x00000000
0x7384214c
0x73842135
0x73842138
0x00000000
0x00000000
0x00000000
0x73842138
0x73841d5e
0x73841d5e
0x73841d5f
0x73841ea9
0x73841ea9
0x73841eb0
0x73841eb3
0x00000000
0x00000000
0x73841ec0
0x00000000
0x738420ab
0x738420ae
0x738420b1
0x738420b1
0x738420b2
0x738420b3
0x738420b6
0x738420b9
0x738420bc
0x00000000
0x00000000
0x738420be
0x738420be
0x738420c2
0x738420da
0x738420dd
0x738420e1
0x738420e7
0x00000000
0x738420e7
0x738420c4
0x738420c4
0x738420c7
0x00000000
0x00000000
0x738420c9
0x738420cc
0x738420ce
0x738420cf
0x738420cf
0x738420cf
0x738420d0
0x738420d3
0x738420d6
0x738420d7
0x738420b1
0x738420b2
0x738420b3
0x738420b6
0x738420b9
0x738420bc
0x00000000
0x00000000
0x00000000
0x738420bc
0x00000000
0x73841f07
0x00000000
0x00000000
0x73841f13
0x00000000
0x00000000
0x73841efa
0x73841efe
0x73841f02
0x00000000
0x00000000
0x7384207c
0x73842080
0x00000000
0x00000000
0x73842086
0x7384208f
0x73842096
0x7384209e
0x00000000
0x00000000
0x73841fe3
0x73841fe3
0x00000000
0x00000000
0x73841f1c
0x00000000
0x00000000
0x73842106
0x00000000
0x00000000
0x73841feb
0x73841fed
0x73841fed
0x00000000
0x00000000
0x738420f6
0x00000000
0x00000000
0x738420fa
0x00000000
0x00000000
0x73842102
0x00000000
0x00000000
0x73842033
0x73842035
0x73842035
0x00000000
0x00000000
0x73841ffd
0x73841fff
0x73841fff
0x00000000
0x00000000
0x7384200f
0x73842011
0x73842011
0x00000000
0x00000000
0x73842041
0x73842043
0x73842043
0x00000000
0x00000000
0x7384201a
0x7384201c
0x7384201c
0x00000000
0x00000000
0x73842021
0x00000000
0x00000000
0x738420fe
0x73842108
0x73842108
0x00000000
0x00000000
0x7384204c
0x73842050
0x73842055
0x73842058
0x73842059
0x7384205c
0x73842062
0x73842062
0x00000000
0x00000000
0x738420ee
0x00000000
0x00000000
0x73842025
0x73842027
0x73842027
0x00000000
0x00000000
0x73841f23
0x73841f23
0x00000000
0x00000000
0x7384203a
0x7384203c
0x7384203c
0x00000000
0x00000000
0x73841ec7
0x73841ecd
0x73841ed0
0x73841ed2
0x73841ed2
0x73841ed5
0x73841ed9
0x73841ee6
0x73841ee8
0x73841eee
0x73841eee
0x73841eee
0x00000000
0x00000000
0x73841fee
0x73841fee
0x73841ff0
0x73841ff7
0x00000000
0x00000000
0x73842036
0x73842036
0x00000000
0x00000000
0x73842000
0x73842000
0x73842002
0x73842009
0x00000000
0x00000000
0x73842012
0x73842012
0x73842014
0x00000000
0x00000000
0x73842044
0x73842044
0x00000000
0x00000000
0x7384201d
0x7384201d
0x00000000
0x00000000
0x7384206a
0x7384206e
0x73842073
0x73842076
0x00000000
0x00000000
0x73842028
0x73842028
0x7384202b
0x7384202d
0x00000000
0x00000000
0x7384203d
0x7384203d
0x73842046
0x73842046
0x73841f25
0x73841f25
0x73841f28
0x73841f2f
0x73841f31
0x73841f33
0x73841f3a
0x73841f3d
0x73841f42
0x73841f44
0x73841f46
0x73841f4a
0x73841f50
0x73841f56
0x73841f56
0x73841f58
0x73841f58
0x73841f59
0x73841f59
0x73841f5d
0x73841f63
0x73841f65
0x73841f69
0x73841f6e
0x73841f6e
0x73841f70
0x73841f70
0x73841f73
0x73841f76
0x73841f7f
0x73841f85
0x73841f88
0x73841f88
0x73841f8a
0x73841f8d
0x73841f93
0x73841f99
0x73841f99
0x73841f9b
0x00000000
0x00000000
0x73841fa1
0x73841fa1
0x73841fa5
0x73841fac
0x73841fd0
0x73841fd0
0x73841fd4
0x73841fd6
0x73841fd9
0x73841fd9
0x73841fdc
0x73841fdc
0x00000000
0x73841fd4
0x73841fb1
0x73841fb4
0x73841fb4
0x73841fbb
0x73841fbd
0x73841fc0
0x73841fc7
0x73841fc8
0x73841fce
0x73841fce
0x00000000
0x73841fce
0x73841fc2
0x73841fc5
0x00000000
0x00000000
0x00000000
0x73841fc5
0x73841f52
0x73841f54
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73841ec0
0x73841d65
0x73841d65
0x73841d66
0x73841ea6
0x00000000
0x73841ea6
0x73841d6c
0x73841d6d
0x00000000
0x00000000
0x73841d73
0x73841d76
0x73841e6b
0x73841e6b
0x73841e6e
0x73841e83
0x73841e85
0x73841e85
0x73841e86
0x73841e89
0x73841e8c
0x73841e98
0x73841e98
0x73841e98
0x73841e8e
0x73841e8e
0x73841e8e
0x73841e9e
0x00000000
0x73841e9e
0x73841e70
0x73841e70
0x73841e71
0x73841e7f
0x00000000
0x73841e7f
0x73841e74
0x73841e75
0x00000000
0x00000000
0x73841e7b
0x00000000
0x73841e7b
0x73841d7c
0x73841e67
0x00000000
0x73841e67
0x73841d82
0x73841d82
0x73841d85
0x73841dae
0x00000000
0x73841dae
0x73841d87
0x73841d87
0x73841d8a
0x73841da4
0x00000000
0x73841da4
0x73841d8c
0x73841d8c
0x73841d8f
0x73841d9e
0x00000000
0x73841d9e
0x73841d92
0x73841d93
0x00000000
0x00000000
0x73841d95
0x00000000
0x73841c4c
0x73841c4c
0x73841c4f
0x00000000
0x73841c4f
0x73841c46
0x73841c33
0x73841c38
0x00000000
0x00000000
0x73841c3a
0x73841c3d
0x00000000
0x00000000
0x00000000
0x73841c3d
0x73841bcd
0x73841bd0
0x73841c06
0x73841c09
0x00000000
0x73841c0f
0x73841c11
0x73841c15
0x73841c1c
0x73841c23
0x73841c26
0x73841c29
0x00000000
0x73841c29
0x73841c09
0x73841bd2
0x73841bd3
0x73841bee
0x73841bf1
0x00000000
0x73841bf7
0x73841bf7
0x73841bfe
0x73841c01
0x00000000
0x73841c01
0x73841bf1
0x73841bd8
0x00000000
0x73841bde
0x73841bde
0x73841be5
0x00000000
0x73841be5
0x73841bd8
0x73841dd4
0x73841dd9
0x73841dde
0x73841de2
0x738422b5
0x738422bb
0x73841df4
0x73841df6
0x73841df7
0x738421de
0x738421de
0x738421e1
0x738421e4
0x73842201
0x73842207
0x73842209
0x7384220f
0x73842226
0x73842226
0x73842226
0x73842233
0x73842239
0x7384223c
0x73842242
0x73842244
0x73842248
0x7384224a
0x73842251
0x73842256
0x73842259
0x7384225b
0x73842260
0x73842272
0x73842272
0x73842260
0x73842259
0x73842248
0x73842278
0x7384227b
0x73842285
0x7384228d
0x7384229a
0x738422a0
0x738422a3
0x738421d3
0x738421d3
0x00000000
0x738421d3
0x738422a9
0x738422af
0x738422af
0x00000000
0x00000000
0x738422b1
0x738422b1
0x738422b1
0x738422b1
0x00000000
0x7384227d
0x7384227d
0x73842283
0x00000000
0x00000000
0x00000000
0x73842283
0x7384227b
0x73842212
0x73842218
0x7384221a
0x73842220
0x00000000
0x00000000
0x00000000
0x73842220
0x738421e6
0x738421ed
0x738421f3
0x738421f9
0x00000000
0x738421f9
0x73841dfd
0x73841dfe
0x738421bd
0x738421bd
0x738421c3
0x738421c6
0x00000000
0x00000000
0x738421cd
0x738421d2
0x00000000
0x738421d2
0x73841e05
0x00000000
0x00000000
0x73841e0b
0x73841e0b
0x73841e14
0x73841e19
0x73841e1f
0x00000000
0x00000000
0x73841e25
0x73841e32
0x73841e38
0x73841e42
0x73841e48
0x73841e50
0x73841e60
0x00000000
0x73841e60

APIs

Part of subcall function 7384121B: GlobalAlloc.KERNELBASE(00000040,?,7384123B,?,738412DF,00000019,738411BE,-000000A0), ref: 73841225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 73841C8D
lstrcpyW.KERNEL32(00000008,?), ref: 73841CD5
lstrcpyW.KERNEL32(00000808,?), ref: 73841CDF
GlobalFree.KERNEL32(00000000), ref: 73841CF2
GlobalFree.KERNEL32(?), ref: 73841DD4
GlobalFree.KERNEL32(?), ref: 73841DD9
GlobalFree.KERNEL32(?), ref: 73841DDE
GlobalFree.KERNEL32(00000000), ref: 73841FC8
lstrcpyW.KERNEL32(?,?), ref: 73842182
GetModuleHandleW.KERNEL32(00000008), ref: 73842201
LoadLibraryW.KERNEL32(00000008), ref: 73842212
GetProcAddress.KERNEL32(?,?), ref: 7384226C
lstrlenW.KERNEL32(00000808), ref: 73842286

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 475ffde14c330525b59b54e319403470c62feeb298a1d605104c9beb82608d46
Instruction ID: 162e0c35d716c26f19ff9a74b56b3b06355d58e6cdce398bf88e9e8e8f1bffcd
Opcode Fuzzy Hash: 475ffde14c330525b59b54e319403470c62feeb298a1d605104c9beb82608d46
Instruction Fuzzy Hash: 35229A71D0430EDBDB11CFE4C9817EDB7B6FB08315F24A52AD266A3A84E7749681CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BA8C76 Relevance: 4.2, Strings: 3, Instructions: 474COMMON

Download Yara Rule

Strings

/x&, xrefs: 02BA910D
sfvH, xrefs: 02BA8E2D
:$:i, xrefs: 02BA8D78

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: :$:i$sfvH$/x&
API String ID: 0-1702144063
Opcode ID: d2ccceb32383ebc522edb4d4487c8538a403b8d44ad970ef2374d2a19beba232
Instruction ID: 91f7359141a6a6ed4bbf6de4bd760579ae90c4cb5673fadbe15df9e3f2d3323f
Opcode Fuzzy Hash: d2ccceb32383ebc522edb4d4487c8538a403b8d44ad970ef2374d2a19beba232
Instruction Fuzzy Hash: 40B1567216DA582FB20CCA28EC9B9B623DEEB87530364915FE0C7C7157F4A66C4342A5

Uniqueness

Uniqueness Score: -1.00%

Function 004021A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021A2(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402D3E(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402D3E(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402D3E(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402D3E(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402D3E(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405D5D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402D3E(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Roaming\\Shoved\\Factorist");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021ab
0x004021b5
0x004021bf
0x004021c9
0x004021d4
0x004021d7
0x004021f1
0x004021f4
0x004021fa
0x004021fd
0x00402207
0x0040220b
0x0040220b
0x00402210
0x00402221
0x00402229
0x004022e0
0x004022e0
0x004022e7
0x0040222f
0x0040222f
0x0040223e
0x00402242
0x00402245
0x0040224b
0x00402259
0x0040225c
0x0040225e
0x00402269
0x00402269
0x0040226e
0x00402270
0x00402277
0x00402277
0x0040227a
0x00402283
0x00402286
0x0040228c
0x0040228e
0x00402298
0x00402298
0x0040229b
0x004022a4
0x004022a7
0x004022b0
0x004022b6
0x004022b8
0x004022c6
0x004022c6
0x004022c9
0x004022cf
0x004022cf
0x004022d2
0x004022d8
0x004022de
0x004022f3
0x00000000
0x00000000
0x00000000
0x004022de
0x004022e9
0x00402bc5
0x00402bd1

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221

Strings

C:\Users\user\AppData\Roaming\Shoved\Factorist, xrefs: 00402261

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Shoved\Factorist
API String ID: 542301482-4086653928
Opcode ID: 9d479c7c72b9213c6dfc702f82f35e79a053754e3cc1bdd00607558639033416
Instruction ID: 552a380bc1a798379165a166047c46cc7e7689cdd056a509842d4882e8d45c12
Opcode Fuzzy Hash: 9d479c7c72b9213c6dfc702f82f35e79a053754e3cc1bdd00607558639033416
Instruction Fuzzy Hash: 33410875A00208AFCF00DFE4C989A9E7BB6FF48314B20457AF515EB2D1DB799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02BA75B8 Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

WC<, xrefs: 02BA78F7
K";, xrefs: 02BA7746

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: K";$WC<
API String ID: 0-2809468191
Opcode ID: 61e07bf3f25f8f01150e401a205e4c7a5b55f534f5d29fdf48d07fea8f1751c1
Instruction ID: 8abd4b9620c5660a67f3ae609429b31787533d0e7ef483332a000b110a28529f
Opcode Fuzzy Hash: 61e07bf3f25f8f01150e401a205e4c7a5b55f534f5d29fdf48d07fea8f1751c1
Instruction Fuzzy Hash: B4B166B2A08346DFDB349E38CDA47DEB6A2EF94340F55452ECC5D9B604EB309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B936F6 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

96Y, xrefs: 02B93A50
C(., xrefs: 02B937B8

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: 96Y$C(.
API String ID: 0-1078259785
Opcode ID: 451f8e59a716aa1040b28cfe1e0d08bc5f71df15ba48e61244881485a916338e
Instruction ID: 4ba4336c882a6d801c32f757d3de1ba2de4110ca2e3d482746f6338d927f8657
Opcode Fuzzy Hash: 451f8e59a716aa1040b28cfe1e0d08bc5f71df15ba48e61244881485a916338e
Instruction Fuzzy Hash: 6B814771A04389DFDB349F24CCA87EB37A6EF95750F96021DDC8997240D3314981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02BA76EE Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

WC<, xrefs: 02BA78F7
K";, xrefs: 02BA7746

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: K";$WC<
API String ID: 0-2809468191
Opcode ID: 5dd6ec061c5da83fa48748dfd308340cf522edd85edb7cafda7b72e4c4bbca05
Instruction ID: ae7b3c6d5b414926d9687817fcd254c0ed8c2628c9e9a809b37c35ddf3d28bdb
Opcode Fuzzy Hash: 5dd6ec061c5da83fa48748dfd308340cf522edd85edb7cafda7b72e4c4bbca05
Instruction Fuzzy Hash: 3B514872948346DBDF349E258AA53DEB7B3FF94340F56812ACC4D9B604D730AA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B90318 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

g"^, xrefs: 02BA9DD3

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: g"^
API String ID: 0-1087598703
Opcode ID: 2cc9a0b806297f3d5ddb94e2b4054ffd952d308dc3d5eae6955d05a6e7481051
Instruction ID: 832e8ad4533261f9d9b43cd318550a05434c1ff0504477a9bbc979bcad0d52e0
Opcode Fuzzy Hash: 2cc9a0b806297f3d5ddb94e2b4054ffd952d308dc3d5eae6955d05a6e7481051
Instruction Fuzzy Hash: 2FD1DD765283468FCF689F34C5A47EA37B2EF56350F5484AECC89CB546DB328486CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00402902 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402902(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402D3E(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406358( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406411();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040291a
0x00402935
0x00402940
0x00402941
0x00402a7b
0x0040291c
0x0040291f
0x00402922
0x00402925
0x00402925
0x00402bc5
0x00402bd1

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f1f75f85ad8f91268d35bee39362f1624f539314e89723e4461874efd2ba877a
Instruction ID: 56039e75b3af19f60320d449630e93dfdbb15a7187211f692f50db0849c99601
Opcode Fuzzy Hash: f1f75f85ad8f91268d35bee39362f1624f539314e89723e4461874efd2ba877a
Instruction Fuzzy Hash: C8F08C71A04114AEC700DFA4DD499AEB378EF10328F70457BE511F31E0D7B89E119B29

Uniqueness

Uniqueness Score: -1.00%

Function 02B96355 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

HO, xrefs: 02B965F4

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: HO
API String ID: 0-2320997065
Opcode ID: 0ec0fc6e7eb2054afc722e651d8c51aaccf2388d098946313906d9452b860c5c
Instruction ID: 10d5fd3a30f9b2bbdce435434358db0be720f869c160d39b0ef6bf0e859ac3c8
Opcode Fuzzy Hash: 0ec0fc6e7eb2054afc722e651d8c51aaccf2388d098946313906d9452b860c5c
Instruction Fuzzy Hash: 68B1117520434A8FDF759E28C8947EA33A6FF5A354F94827ECC4A9F605C3354A82CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02B96397 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

HO, xrefs: 02B965F4

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: HO
API String ID: 0-2320997065
Opcode ID: ac021f4b61fb1573066bf5b4b5cc7398d70858f26d3b4a2dde7e68c4617dbea8
Instruction ID: e36acf3b86b0eb7473d71ee471326b39654cda74cbedeb3bcb63d932f1d25639
Opcode Fuzzy Hash: ac021f4b61fb1573066bf5b4b5cc7398d70858f26d3b4a2dde7e68c4617dbea8
Instruction Fuzzy Hash: D6A1007560434A8FDF719E28C8943EA37A6FF5A354F94827ECC895B609C3350A87CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02BA6334 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

Cv, xrefs: 02BA65D0

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: Cv
API String ID: 0-3224569217
Opcode ID: c1584271529568635d8d44b35f951cd161dbff9725d2d060c0b0b668c8cbf9bb
Instruction ID: 76d53c35ae1f8bf7e57a7e4e5704c2745910f590d739ff8e0ce9dc466ec4b0bc
Opcode Fuzzy Hash: c1584271529568635d8d44b35f951cd161dbff9725d2d060c0b0b668c8cbf9bb
Instruction Fuzzy Hash: D6812572945344DFEB2A4F74C9553E63BB1EF13358FA9029ECE865A6A1D3320943CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02BA9A9D Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

OQl, xrefs: 02BA9CCD

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: OQl
API String ID: 0-1333550337
Opcode ID: b1edfa575193a8ccd54dcee54d362fb89a156b1c1a33edd4c87486549ebad050
Instruction ID: 34b808cdb5142cd26c4d1182f2958c4d8c8ac92a6273de18d0df56fb5e886f17
Opcode Fuzzy Hash: b1edfa575193a8ccd54dcee54d362fb89a156b1c1a33edd4c87486549ebad050
Instruction Fuzzy Hash: 485169362097864BDB2C5E3C8DF13EB77A39F52350F49816ECCCA8B699D3384486C652

Uniqueness

Uniqueness Score: -1.00%

Function 02B96138 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

>8v~, xrefs: 02B962F8

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: >8v~
API String ID: 0-3574621933
Opcode ID: c7fa9b6484ce0dfc6f98ca6b7b11c18405f6114bd94f51dd58df69e8c9e489b3
Instruction ID: e64a33c4526e7ce7780d74041e3206ecd821fe4ea10cc1071305bdefb545981e
Opcode Fuzzy Hash: c7fa9b6484ce0dfc6f98ca6b7b11c18405f6114bd94f51dd58df69e8c9e489b3
Instruction Fuzzy Hash: 80513571104305DFCB689F28C8A57DA77F6BF163A0F8542AEDC868B1A1D3308885CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02B96556 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

HO, xrefs: 02B965F4

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: HO
API String ID: 0-2320997065
Opcode ID: a747f32b3405cef1970a5a0ea871e362764491d3a3f5dc640119d9c5e7e671b7
Instruction ID: 961da4ac6f916dfb6db3c3530552fb8c68ebdd3dd85fd460197874a98bc92c81
Opcode Fuzzy Hash: a747f32b3405cef1970a5a0ea871e362764491d3a3f5dc640119d9c5e7e671b7
Instruction Fuzzy Hash: B751F0792083428FDF719E78C9993EA3B61EF5A354F90457DCC9A5F90AC3350A878B06

Uniqueness

Uniqueness Score: -1.00%

Function 02BA7223 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

u-`X, xrefs: 02BA738B

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: u-`X
API String ID: 0-1300097120
Opcode ID: 96fe427ed19c9c7209fd93bdf940398ad0d294c844fdbceddbcef8c2b35dd836
Instruction ID: 8db252136ef119647b4e27246b8b1f07200b49240ab29e14a5c13cef7db3d03e
Opcode Fuzzy Hash: 96fe427ed19c9c7209fd93bdf940398ad0d294c844fdbceddbcef8c2b35dd836
Instruction Fuzzy Hash: 28314435B093098FDB30EE78C9F47DAB3A6AF69350F85412ECE468B651DB309941CA02

Uniqueness

Uniqueness Score: -1.00%

Function 02B96176 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

>8v~, xrefs: 02B962F8

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: >8v~
API String ID: 0-3574621933
Opcode ID: 40d6851dbaf50151401f09fd7112d31f4deb397b3100ccc3bc4553a2e86b4cfe
Instruction ID: 06f52d1df83ee961bc05136c5724e076062068fe02816645da6e55447d9a2a00
Opcode Fuzzy Hash: 40d6851dbaf50151401f09fd7112d31f4deb397b3100ccc3bc4553a2e86b4cfe
Instruction Fuzzy Hash: 693124315047429FCB589F35C8597DA77F2BF56390F8A80AECC858B262C3349A85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02B93F22 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

`, xrefs: 02B94011

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 5b04a4f6d2e17a1013155e3531b3ea55ddf1847b68bf13cf9c687092414bdaef
Instruction ID: c095003ef543c418853fdadbfe23f6ce805235f4a1125990b94d468eeaeb8093
Opcode Fuzzy Hash: 5b04a4f6d2e17a1013155e3531b3ea55ddf1847b68bf13cf9c687092414bdaef
Instruction Fuzzy Hash: 33316FB12007898BDF788E6A89B83EE71B6EF94310F99807ACC0D4B115D77446858E02

Uniqueness

Uniqueness Score: -1.00%

Function 02BA7D89 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 101b8b6efcc58e89af7736e3b2e48e285f4c2e80b17677a1a0e390e260defeb1
Instruction ID: f731ccc8013a5940809bcc0ab4ee60d417051104387d74a95ce4ddab4ca77668
Opcode Fuzzy Hash: 101b8b6efcc58e89af7736e3b2e48e285f4c2e80b17677a1a0e390e260defeb1
Instruction Fuzzy Hash: 94221A705083858EDF35DF3889A87D67BE2AF56360F8982AECCD94F296D3318546C712

Uniqueness

Uniqueness Score: -1.00%

Function 00406C81 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406C81(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004073F0( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084d4; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084d4; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00407458( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004073B0))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x432e90;
												if( *0x432e90 != 0) {
													L22:
													_t412 =  *0x40a5e8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5ec; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x431d0c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x431d08; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x431d10;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x432190;
													if(_t416 < 0x432190) {
														L15:
														__eflags = _t416 - 0x431f4c;
														_t438 = 8;
														if(_t416 > 0x431f4c) {
															__eflags = _t416 - 0x432110;
															if(_t416 >= 0x432110) {
																__eflags = _t416 - 0x432170;
																if(_t416 < 0x432170) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00407458(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x431d10, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x431d10 + _t440;
														E00407458(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
														 *0x432e90 =  *0x432e90 + 1;
														__eflags =  *0x432e90;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405EC2( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00407458( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00407458(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406c81
0x00406c81
0x00406c81
0x00406c81
0x00406c81
0x00406c85
0x00000000
0x00000000
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c91
0x00406c96
0x00406c98
0x00406c9b
0x00406c9e
0x00406ca1
0x00406ca1
0x00406ca4
0x00000000
0x00000000
0x00406ca6
0x00406ca6
0x00406ca9
0x00406cae
0x00406cb0
0x00406cb3
0x00406cb9
0x00406a18
0x00406a18
0x00406a1b
0x00406a21
0x00406a27
0x00406a30
0x00406a36
0x00406a39
0x00406a40
0x00406a45
0x00406a4b
0x00406a56
0x00406a56
0x00406cbf
0x00406cbf
0x00406cc9
0x00000000
0x00000000
0x00406ccf
0x00406ccf
0x00406cd3
0x00406cd6
0x00406cd6
0x00406cda
0x00406ce0
0x00406ce0
0x00406ce3
0x00406ce6
0x00406cec
0x00000000
0x00000000
0x00406cee
0x00406d10
0x00406d10
0x00406d13
0x00000000
0x00000000
0x00406cf0
0x00406cf4
0x00000000
0x00000000
0x00406cfa
0x00406cfa
0x00406cfd
0x00406d00
0x00406d05
0x00406d07
0x00406d0a
0x00406d0d
0x00406d0d
0x00406d15
0x00406d15
0x00406d1b
0x00406d1e
0x00406d21
0x00406d21
0x00406d28
0x00406d2c
0x00406d30
0x00406d33
0x00406d36
0x00406d3c
0x00406d41
0x00000000
0x00000000
0x00406d43
0x00406d57
0x00406d57
0x00406d5b
0x00000000
0x00000000
0x00406d45
0x00406d48
0x00406d48
0x00406d4f
0x00406d54
0x00406d54
0x00406d54
0x00406d5d
0x00406d5d
0x00406d60
0x00406d6e
0x00406d74
0x00406d79
0x00406d7f
0x00406d85
0x00406d8b
0x00406d92
0x00406da6
0x00406da6
0x00407375
0x00407375
0x00407375
0x0040737a
0x00000000
0x00000000
0x004069b2
0x004069b2
0x00000000
0x00406fad
0x00406fad
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00000000
0x00000000
0x00406fc0
0x00406fc0
0x00406fe5
0x00406fe5
0x00406fe5
0x00406fe7
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fc9
0x00000000
0x00000000
0x00406fcf
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fd8
0x00406fda
0x00406fdc
0x00406fdf
0x00406fe2
0x00406fe2
0x00406fe2
0x00406fe9
0x00406fe9
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffa
0x00406ffe
0x00407001
0x00407003
0x00407006
0x00407008
0x0040701c
0x0040701c
0x0040701f
0x00407039
0x00407039
0x0040703c
0x00000000
0x00000000
0x00407042
0x00407042
0x00407045
0x00000000
0x00000000
0x0040704b
0x0040704b
0x00000000
0x0040704b
0x00407021
0x00407024
0x0040702b
0x0040702e
0x00000000
0x0040702e
0x0040700a
0x0040700e
0x00407011
0x00000000
0x00000000
0x00407056
0x00407056
0x0040707b
0x0040707b
0x0040707b
0x0040707d
0x00000000
0x00000000
0x0040705b
0x0040705b
0x0040705f
0x00000000
0x00000000
0x00407065
0x00407065
0x00407068
0x0040706b
0x0040706e
0x00407070
0x00407072
0x00407075
0x00407078
0x00407078
0x00407078
0x0040707f
0x00407087
0x0040708a
0x0040708d
0x0040708f
0x00407092
0x00407092
0x00407094
0x00407098
0x0040709b
0x0040709e
0x004070a1
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070cc
0x004070cc
0x004070cc
0x004070ce
0x00000000
0x00000000
0x004070ac
0x004070ac
0x004070b0
0x00000000
0x00000000
0x004070b6
0x004070b6
0x004070b9
0x004070bc
0x004070bf
0x004070c1
0x004070c3
0x004070c6
0x004070c9
0x004070c9
0x004070c9
0x004070d0
0x004070d0
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e5
0x004070e8
0x004070ea
0x004070ed
0x004070f0
0x0040710a
0x0040710a
0x0040710d
0x00000000
0x00000000
0x00407113
0x00407113
0x00407116
0x0040711d
0x00000000
0x0040711d
0x004070f2
0x004070f5
0x004070fc
0x004070ff
0x00000000
0x00000000
0x00407125
0x00407125
0x0040714a
0x0040714a
0x0040714a
0x0040714c
0x00000000
0x00000000
0x0040712a
0x0040712a
0x0040712e
0x00000000
0x00000000
0x00407134
0x00407134
0x00407137
0x0040713a
0x0040713d
0x0040713f
0x00407141
0x00407144
0x00407147
0x00407147
0x00407147
0x0040714e
0x00407156
0x00407159
0x0040715c
0x0040715e
0x00407161
0x00407161
0x00407163
0x00000000
0x00000000
0x00407169
0x00407169
0x0040716c
0x00407171
0x00407173
0x00407179
0x0040717b
0x00407190
0x00407192
0x00407192
0x0040717d
0x00407183
0x00407185
0x00407187
0x00407187
0x00407194
0x00407198
0x0040719b
0x004071a1
0x004071a1
0x004071a4
0x004071a4
0x004071a4
0x004071a6
0x00000000
0x00000000
0x004071ac
0x004071ac
0x004071b2
0x004071b4
0x004071d9
0x004071dc
0x004071e2
0x004071e7
0x004071ed
0x004071f3
0x004071f5
0x004071f8
0x00407201
0x00407207
0x00407207
0x004071fa
0x004071fc
0x004071fe
0x004071fe
0x00407209
0x0040720f
0x00407211
0x00407214
0x00407216
0x0040721c
0x0040721e
0x00407220
0x00407222
0x00407224
0x00407227
0x00407230
0x00407233
0x00407233
0x00407229
0x00407229
0x0040722c
0x0040722c
0x00407227
0x0040721e
0x00407235
0x00407237
0x00000000
0x00000000
0x00000000
0x00000000
0x00407237
0x004071b6
0x004071b6
0x004071bc
0x004071c2
0x004071c4
0x00000000
0x00000000
0x004071c6
0x004071c6
0x004071c8
0x004071ca
0x004071d3
0x004071d3
0x004071cc
0x004071cc
0x004071cf
0x004071cf
0x004071d5
0x004071d7
0x00000000
0x00000000
0x0040723d
0x0040723d
0x00407242
0x00407244
0x00407245
0x00407246
0x00407247
0x0040724d
0x00407250
0x00407253
0x00407256
0x00407258
0x0040725e
0x0040725e
0x00407261
0x00407261
0x00407261
0x00407261
0x0040726a
0x00000000
0x00000000
0x0040726f
0x0040726f
0x00407272
0x00407275
0x00407277
0x0040730e
0x0040730e
0x00407311
0x00407313
0x00407314
0x00407315
0x00407318
0x00000000
0x00407318
0x0040727d
0x0040727d
0x00407283
0x00407285
0x004072aa
0x004072ad
0x004072b3
0x004072b8
0x004072be
0x004072c4
0x004072c6
0x004072c9
0x004072d2
0x004072d8
0x004072d8
0x004072cb
0x004072cd
0x004072cf
0x004072cf
0x004072da
0x004072e0
0x004072e2
0x004072e5
0x004072e7
0x004072ed
0x004072ef
0x004072f1
0x004072f3
0x004072f5
0x004072f8
0x00407301
0x00407304
0x00407304
0x004072fa
0x004072fa
0x004072fd
0x004072fd
0x004072f8
0x004072ef
0x00407306
0x00407308
0x00000000
0x00000000
0x00000000
0x00000000
0x00407308
0x00407287
0x00407287
0x0040728d
0x00407293
0x00407295
0x00000000
0x00000000
0x00407297
0x00407297
0x00407299
0x0040729b
0x004072a2
0x004072a2
0x004072a4
0x0040729d
0x0040729d
0x0040729f
0x0040729f
0x004072a6
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407320
0x00407320
0x00407323
0x00407325
0x00407328
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x00000000
0x00000000
0x00000000
0x004069d9
0x004069bd
0x00000000
0x004069c3
0x004069c6
0x004069d0
0x004069d3
0x004069d6
0x00000000
0x004069d6
0x004069bd
0x004069e1
0x004069e4
0x004069e8
0x004069f2
0x004069fc
0x004069ff
0x00406a05
0x00406b39
0x00406b3b
0x00406b41
0x00406b44
0x00406b47
0x00000000
0x00406b47
0x00406a0b
0x00406a0b
0x00406a0c
0x00406a64
0x00406a64
0x00406a6b
0x00406b11
0x00406b11
0x00406b16
0x00406b19
0x00406b1e
0x00406b21
0x00406b26
0x00406b29
0x00406b2e
0x00406b31
0x00406b31
0x00000000
0x00406a71
0x00406a71
0x00406a71
0x00406a71
0x00406a75
0x00406a75
0x00406a97
0x00406a9a
0x00406a9c
0x00406a9f
0x00406aa4
0x00406a7a
0x00406a7a
0x00406a7f
0x00406a81
0x00406a83
0x00406a88
0x00406a8e
0x00406a93
0x00406a95
0x00406a95
0x00406a8a
0x00406a8a
0x00406a8a
0x00406a88
0x00000000
0x00406aa6
0x00406ad3
0x00406ad8
0x00406ada
0x00406adb
0x00406add
0x00406ade
0x00406ade
0x00406ade
0x00406b06
0x00406b0b
0x00406b0b
0x00000000
0x00406b0b
0x00406aa4
0x00406a6b
0x00406a0e
0x00406a0e
0x00406a0f
0x00406a59
0x00000000
0x00406a59
0x00406a11
0x00406a12
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b6e
0x00406b6e
0x00406b6e
0x00406b71
0x00000000
0x00000000
0x00406b4e
0x00406b4e
0x00406b52
0x00000000
0x00000000
0x00406b58
0x00406b58
0x00406b5b
0x00406b5e
0x00406b63
0x00406b65
0x00406b68
0x00406b6b
0x00406b6b
0x00406b6b
0x00406b73
0x00406b73
0x00406b76
0x00406b78
0x00406b7d
0x00406b80
0x00406b82
0x00406b85
0x00000000
0x00000000
0x00406b8b
0x00406b8b
0x00406b8d
0x00000000
0x00000000
0x00406b93
0x00406b93
0x00406b97
0x00000000
0x00000000
0x00406b9d
0x00406b9d
0x00406ba0
0x00406ba2
0x00406c40
0x00406c40
0x00406c43
0x00406c45
0x00406c45
0x00406c48
0x00406c4b
0x00406c4d
0x00406c4f
0x00406c51
0x00406c51
0x00406c5a
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00406c74
0x00406c74
0x00406c7a
0x00406c7a
0x00406c7a
0x00000000
0x00406c6e
0x00406ba8
0x00406ba8
0x00406bae
0x00406bb1
0x00406bb3
0x00406bde
0x00406be1
0x00406be7
0x00406bec
0x00406bf2
0x00406bf8
0x00406bfa
0x00406bfd
0x00406c06
0x00406c0c
0x00406c0c
0x00406bff
0x00406c01
0x00406c03
0x00406c03
0x00406c0e
0x00406c14
0x00406c17
0x00406c19
0x00406c1b
0x00406c21
0x00406c23
0x00406c25
0x00406c28
0x00406c31
0x00406c31
0x00406c33
0x00406c2a
0x00406c2a
0x00406c2d
0x00406c2d
0x00406c35
0x00406c35
0x00406c23
0x00406c38
0x00406c3a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c3a
0x00406bb5
0x00406bb5
0x00406bbb
0x00406bc1
0x00406bc3
0x00000000
0x00000000
0x00406bc5
0x00406bc5
0x00406bc7
0x00406bc9
0x00406bcc
0x00406bd3
0x00406bd3
0x00406bd5
0x00406bce
0x00406bce
0x00406bd0
0x00406bd0
0x00406bd7
0x00406bd9
0x00406bdc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ce0
0x00406ce3
0x00406ce6
0x00406cec
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ec3
0x00406ec3
0x00406ec3
0x00406ec6
0x00406ec9
0x00406ecb
0x00406ece
0x00406ed4
0x00406edb
0x00406edd
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddb
0x00000000
0x00000000
0x00406db9
0x00406db9
0x00406dbd
0x00000000
0x00000000
0x00406dc3
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcc
0x00406dce
0x00406dd0
0x00406dd3
0x00406dd6
0x00406dd6
0x00406dd6
0x00406ddd
0x00406ddd
0x00406de5
0x00406de8
0x00406dee
0x00406df1
0x00406df5
0x00406df9
0x00406dfc
0x00406dff
0x00406e17
0x00406e17
0x00406e1a
0x00406e28
0x00406e2b
0x00406e1c
0x00406e1c
0x00406e1e
0x00406e25
0x00406e25
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e59
0x00000000
0x00000000
0x00406e34
0x00406e34
0x00406e38
0x00000000
0x00000000
0x00406e3e
0x00406e3e
0x00406e41
0x00406e44
0x00406e47
0x00406e49
0x00406e4b
0x00406e4e
0x00406e51
0x00406e51
0x00406e51
0x00406e5b
0x00406e5b
0x00406e5d
0x00406e5f
0x00406e6a
0x00406e6d
0x00406e70
0x00406e72
0x00406e74
0x00406e76
0x00406e79
0x00406e7c
0x00406e81
0x00406e84
0x00406e87
0x00406e8a
0x00406e91
0x00406e94
0x00406e96
0x00000000
0x00000000
0x00406e9c
0x00406e9c
0x00406ea0
0x00406eb1
0x00406eb1
0x00406eb1
0x00406eb3
0x00406eb3
0x00406eb7
0x00406eb7
0x00406eb7
0x00406eb9
0x00406eba
0x00406ebd
0x00406ebd
0x00406ebd
0x00406ec0
0x00000000
0x00406ec0
0x00406ea2
0x00406ea2
0x00406ea5
0x00000000
0x00000000
0x00406eab
0x00406eab
0x00000000
0x00406eab
0x00406e01
0x00406e01
0x00406e03
0x00406e05
0x00406e08
0x00406e0b
0x00406e0f
0x00406e0f
0x00406ee3
0x00406ee3
0x00406ee6
0x00406eed
0x00406ef1
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efe
0x00406f01
0x00406f03
0x00406f04
0x00406f07
0x00406f12
0x00406f15
0x00406f2c
0x00406f31
0x00406f38
0x00406f3d
0x00406f41
0x00406f43
0x00406f43
0x00406f43
0x00406f46
0x00406f48
0x00000000
0x00406f4e
0x00406f4e
0x00406f52
0x00406f5d
0x00406f70
0x00406f75
0x00406f7a
0x00406f7c
0x00000000
0x00000000
0x00406f82
0x00406f82
0x00406f85
0x00406f87
0x00406f95
0x00406f95
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa7
0x00406faa
0x00000000
0x00406faa
0x00406f89
0x00406f89
0x00406f8f
0x00000000
0x00000000
0x00000000
0x00406f8f
0x00000000
0x00000000
0x00000000
0x0040732e
0x0040732e
0x00407334
0x0040733a
0x0040733f
0x00407345
0x0040734b
0x0040734d
0x00407350
0x00407359
0x0040735f
0x0040735f
0x00407352
0x00407354
0x00407356
0x00407356
0x00407361
0x00407363
0x00407366
0x004073a1
0x004073a1
0x00000000
0x00407368
0x00407368
0x00407368
0x0040736e
0x00407371
0x00407373
0x004073a8
0x004073aa
0x00000000
0x004073aa
0x00000000
0x00407373
0x00000000
0x004069b2
0x00407380
0x00000000
0x00407380
0x00406d94
0x00406d96
0x00000000
0x00000000
0x00406d98
0x00406d98
0x00406d9b
0x00000000
0x00406d9b
0x00406ce0
0x00406ca1
0x00407385
0x00407388
0x0040738a
0x00407393
0x00407399
0x00000000

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 1f017aaef81dd0f0ed7cb9892c5a428a4034ef251f890bfd5ca3fce11066bb94
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: 8FE1AA71A04709DFDB24CF58C880BAEB7F5EB45305F15842EE896AB2D1D738AA91CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00407458 Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00407458(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x432190;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x432190 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407463
0x0040746b
0x0040746f
0x00407471
0x00407474
0x00407476
0x00407476
0x00407478
0x0040747f
0x00407481
0x00407481
0x00407487
0x0040749c
0x004074a4
0x004074a6
0x004074a8
0x004074ab
0x004074ac
0x004074ac
0x004074b2
0x00000000
0x00000000
0x004074b4
0x004074b7
0x00000000
0x00000000
0x00000000
0x004074b7
0x004074bb
0x004074be
0x004074c0
0x004074c0
0x004074c3
0x004074c9
0x004074ca
0x00000000
0x00000000
0x00000000
0x004074ca
0x004074cf
0x004074d2
0x004074d4
0x004074d4
0x004074da
0x004074dc
0x004074ed
0x004074e0
0x004074e4
0x00407789
0x00000000
0x00407789
0x004074ea
0x004074eb
0x004074eb
0x004074f3
0x004074f6
0x004074fa
0x004074fc
0x004074fe
0x00407501
0x00000000
0x00000000
0x00407509
0x0040750f
0x00407511
0x00407513
0x00407514
0x00407529
0x00407529
0x0040752c
0x0040752e
0x0040752e
0x00407530
0x00407535
0x00407537
0x0040753e
0x00407540
0x00407548
0x00407548
0x0040754a
0x0040754b
0x0040755a
0x0040755e
0x00407562
0x00407565
0x00407568
0x0040756d
0x00407570
0x00407576
0x0040757d
0x00407583
0x0040777c
0x0040777c
0x00407781
0x00407790
0x00000000
0x00000000
0x00000000
0x00407781
0x00407590
0x00407593
0x00407596
0x00407599
0x0040759d
0x00000000
0x00000000
0x004075a8
0x004075ab
0x004075ac
0x004075ae
0x004075b4
0x004075b7
0x00000000
0x00000000
0x004075bd
0x004075be
0x004075c1
0x004075c4
0x004075c7
0x004075cd
0x004075cf
0x004075cf
0x004075d7
0x004075db
0x004075e0
0x00407605
0x0040760b
0x0040760d
0x0040760f
0x00407612
0x0040761b
0x00000000
0x00000000
0x004075e2
0x004075e2
0x004075eb
0x004075ef
0x00000000
0x00000000
0x00407600
0x00407600
0x00407603
0x00000000
0x00000000
0x004075f3
0x004075f6
0x004075f8
0x004075fc
0x00000000
0x00000000
0x004075fe
0x004075fe
0x00000000
0x00407600
0x00407624
0x0040762a
0x00407634
0x00407636
0x0040763b
0x0040763d
0x00407673
0x0040763f
0x0040763f
0x00407642
0x00407645
0x0040764f
0x00407652
0x00407659
0x00407664
0x0040766b
0x0040766b
0x00407675
0x00407678
0x0040767a
0x00407680
0x00407680
0x00407689
0x0040768c
0x00407691
0x004076a0
0x004076a8
0x004076ad
0x004076d1
0x004076d9
0x004076dd
0x004076e3
0x004076af
0x004076bd
0x004076c0
0x004076c6
0x004076c6
0x004076e7
0x004076a2
0x004076a2
0x004076a2
0x004076f8
0x004076fc
0x00407708
0x00407703
0x00407706
0x00407706
0x00407710
0x00407715
0x0040771d
0x00407719
0x0040771b
0x0040771b
0x00407723
0x00407725
0x0040772c
0x00407736
0x00407740
0x0040775c
0x00407760
0x004075a5
0x004075ab
0x004075ac
0x004075ae
0x004075b4
0x004075b7
0x00000000
0x00000000
0x00000000
0x004075b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00407742
0x00407742
0x00407742
0x00407747
0x00407750
0x00407759
0x00000000
0x00407759
0x00407766
0x00407766
0x00407769
0x00407770
0x00407773
0x00000000
0x00407596
0x00407516
0x00407518
0x00407518
0x0040751c
0x0040751f
0x00407520
0x00407520
0x00000000
0x00407518
0x0040748c
0x00407492
0x00000000

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4c948e8094d30857df7bb037d19ad889c7f26ef399dade94ff28b4422ea0219f
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: A4C15931E042199BCF14CF68D8905EEBBB2BF88354F25866AD85677380D738B942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02B9310D Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa6337decd2af860c302ec75d2637364554b3c58851361525d17f5be6e4a11c
Instruction ID: 3c109b8bd3ed943d999e859b9212c075092a53e619ec5c501ffe7f447b5fd9c1
Opcode Fuzzy Hash: 9fa6337decd2af860c302ec75d2637364554b3c58851361525d17f5be6e4a11c
Instruction Fuzzy Hash: 2D9144726043598FDF34DE28CC953DA37E3EF96360F9A816ACC498B256D3318A428B51

Uniqueness

Uniqueness Score: -1.00%

Function 02B93153 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3f88968bc61b59c9828ef09a4d6e490b9de0d6714a59def9e2535dcf0777e5
Instruction ID: 026e7c691de70ca981d91b228340d86eb6f62819e6d1f2996f903c9378eb28d0
Opcode Fuzzy Hash: 8e3f88968bc61b59c9828ef09a4d6e490b9de0d6714a59def9e2535dcf0777e5
Instruction Fuzzy Hash: F9814A716053498FDF34DE39CD953DA37A3EF96350F55816ACC898F64AD3318A428B40

Uniqueness

Uniqueness Score: -1.00%

Function 02B93123 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1fa97d76d8f097ede0daa563ad99a5df703a4ee2458cd27f0d1e447a72f398
Instruction ID: 5a41ce203a436b9effe68ce8287e3966c78cb4d7a56ed9436aa2dbded8afed7e
Opcode Fuzzy Hash: 1b1fa97d76d8f097ede0daa563ad99a5df703a4ee2458cd27f0d1e447a72f398
Instruction Fuzzy Hash: 498136716043598FDF34DE29CD953DA37E3EF9A360F9A816ACC498B255D3308A42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B943EE Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251ea0c7487bbed75cd5f01b0923cfc47c1cb018d9ccb09aa2d54186b85d56a4
Instruction ID: eb6496b221f7affc83ba86ee4c5c833f8a439d8e3d5a8fe0f94d2024ea089c90
Opcode Fuzzy Hash: 251ea0c7487bbed75cd5f01b0923cfc47c1cb018d9ccb09aa2d54186b85d56a4
Instruction Fuzzy Hash: 2B710275A083559FDF34EE6888A52EE7BA2AF99300FC5442EDCCA87210C3305AC5CB43

Uniqueness

Uniqueness Score: -1.00%

Function 02B9333A Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2a2e279e8794d7342b52742836a5952be7aa3f9772fc1d39db0b156ee8487b
Instruction ID: 5835d4818de8e8a71ade1e3fdf49e1b9168a8ef778d93c007373788119cb37c7
Opcode Fuzzy Hash: ed2a2e279e8794d7342b52742836a5952be7aa3f9772fc1d39db0b156ee8487b
Instruction Fuzzy Hash: 28614572A043858FDF309E78CD953DA3BA2EF56350F99416ECC898B64AD3305A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02BA88D2 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b605302f264a1de9bbc7c18f24db3f29faf9b3a3e2015dd933888209fabfbbc0
Instruction ID: 2698203b62a7527114b59e491eb1ebb2cccb1d7a193531b3a47dadb0aba10356
Opcode Fuzzy Hash: b605302f264a1de9bbc7c18f24db3f29faf9b3a3e2015dd933888209fabfbbc0
Instruction Fuzzy Hash: E85100B6D14342CFEB328EA8C9053E6BB72EF93720F9541A2C9496F650D3748981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B93ACC Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d806f9cd3fb6225b099aa412262842bbeb326d5a9d0b5efc9943db5601958d
Instruction ID: 7013374148167629871f8fa44b51fb02d4ae1f90dadcf6e94fa8ce5630402ed5
Opcode Fuzzy Hash: a5d806f9cd3fb6225b099aa412262842bbeb326d5a9d0b5efc9943db5601958d
Instruction Fuzzy Hash: 3751E072A083498BDB34AF3989A47DB73B6BF95350F96446DDC89C7210E7348984CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B92593 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad423c79dafbfc23378c66cf8f734e2542bd887a63470d87582c009a594e5071
Instruction ID: dd855af6010e635daea4485b3eb450fb416532917603de8da550a30fde5791e5
Opcode Fuzzy Hash: ad423c79dafbfc23378c66cf8f734e2542bd887a63470d87582c009a594e5071
Instruction Fuzzy Hash: CB419E3186435A9FCB2A9E6498497D63B90EF06314F581AFECD504F8A3D761848BCBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02B96BFD Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f151b656f49d41f14f2ca4ad6fc4e8bfa895263dade631db585974d9b25d33
Instruction ID: d3a373f711bf1fc566a1712f27b599cbd928e67ebf9002fa9ee0384df57ecc3e
Opcode Fuzzy Hash: 35f151b656f49d41f14f2ca4ad6fc4e8bfa895263dade631db585974d9b25d33
Instruction Fuzzy Hash: A951F775600B888FDF708E2AC9D47D7B7EAAF94784F95052ACD4D5B204C734EA42CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02B96B99 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07113de382f25dd41ef949a8ec270a64032754b9eeefe0a411bd80382865fda
Instruction ID: 86cd1871c45b1ad4f1b73c89d2ca1a7ab590cb1f9d2f6150c65d4cb46246abc9
Opcode Fuzzy Hash: e07113de382f25dd41ef949a8ec270a64032754b9eeefe0a411bd80382865fda
Instruction Fuzzy Hash: D8512535600B849FDF708E2AC9E47E6B7EAEF94784F95052ACD895B204CB34E642CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02B96BF6 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5677786888d7cd7cc0ae6590e004b2134406f2066979fe0a18a4e25751a58747
Instruction ID: 4f0d889f5f2dd5806c34fc77ea09a3e4879ae3d4d63800d0e986e69a98530916
Opcode Fuzzy Hash: 5677786888d7cd7cc0ae6590e004b2134406f2066979fe0a18a4e25751a58747
Instruction Fuzzy Hash: BB512871500B889FDF308E2AC9E47D6B7EAAF94780F99452ACD4D4B204C734E643CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02BA596B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a41fbdb66939f531d8c6a757107ac4df3a55ed8f07b1cb96407d417ab23a830
Instruction ID: 69ccfd07433a65abcf1782304a3cd56343066f41a4bdd88cd34c9698b5dfe463
Opcode Fuzzy Hash: 7a41fbdb66939f531d8c6a757107ac4df3a55ed8f07b1cb96407d417ab23a830
Instruction Fuzzy Hash: 364155B29083849FC7264F34C8152CA7FB1EF57320BAA45D9D5A09F663E3314A6ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B96BE2 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6297cf5ee8a441c8622fc92591298c518a1126f8ead256c15ea748eb9e29e168
Instruction ID: 2606edc57e0b2d6c769abbafb8b0cb252028fc98f9e24329523d7c112d3c5d0b
Opcode Fuzzy Hash: 6297cf5ee8a441c8622fc92591298c518a1126f8ead256c15ea748eb9e29e168
Instruction Fuzzy Hash: 5A511771500B848FEF708E2AC9A47E6B7EAEF90784F99452ACC4D5B204D734EA42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02B934E5 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3486c9d008cda838621eb7c560df4f0c6b992fafcdcdeee4e6d15e8120a17ba0
Instruction ID: 3f46f17c5b7e1ea4e2464414aecb3caceb86d9dd7e443d250d9756a5254cee72
Opcode Fuzzy Hash: 3486c9d008cda838621eb7c560df4f0c6b992fafcdcdeee4e6d15e8120a17ba0
Instruction Fuzzy Hash: 2941F071A083559BCF74AF258C967EB3BB2FF89390F06401DEC8967220D7319945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02BA709F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0c455ec7be9b1cc4876cae70cb3565d4020d1ec593bfb6b003b14cb7c5d02e
Instruction ID: 6a41b6098b30ed0e6384ed609cca9a4c801bb81f37f28cc4f91d56d30050a54c
Opcode Fuzzy Hash: dc0c455ec7be9b1cc4876cae70cb3565d4020d1ec593bfb6b003b14cb7c5d02e
Instruction Fuzzy Hash: 6431D039708B029EDB3059BC8CE53D72792AB46320FC4076AC9E5CB2C5D72984CA9F47

Uniqueness

Uniqueness Score: -1.00%

Function 02BA5C89 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 079e5903e44809cd2a783396c749b26d719b05a8858562f07be31b9743ba5968
Instruction ID: 7f5e4320fc0838ad40cb5c79ea91681a66b688b1bb802ef169e6b490a62996c2
Opcode Fuzzy Hash: 079e5903e44809cd2a783396c749b26d719b05a8858562f07be31b9743ba5968
Instruction Fuzzy Hash: 8331BF7464934ACFDF34AF7988B47EE77A6AF42390F85442D9CC99B240DB3049858F12

Uniqueness

Uniqueness Score: -1.00%

Function 02BA844B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffc35d149364d36e8a9bdb04ae49c2f2a10e41ca9bfca99b438fdf371b38f74
Instruction ID: 4b8ada20bb3af56eb2f43d918757574503086680146c18757a191da6a7ab1a1c
Opcode Fuzzy Hash: 4ffc35d149364d36e8a9bdb04ae49c2f2a10e41ca9bfca99b438fdf371b38f74
Instruction Fuzzy Hash: 10313B719042D45BCF39DE7888B93EE36939F15710F85417FC85ACBA84EB354582CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02BA851B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953a59f222ae7f87e842e5c6b58d078ec0fbc8bbc79609ab0091b17f8de686e3
Instruction ID: 92e19ff6537cd57e2113bcc779570c1cfb20397b92f25601db3b52ebfabc162c
Opcode Fuzzy Hash: 953a59f222ae7f87e842e5c6b58d078ec0fbc8bbc79609ab0091b17f8de686e3
Instruction Fuzzy Hash: 752129319042C54BCF35DE78C8A87DDBB92AF15710F8442AFC8AA8B9C5D7744582CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02BA7BE0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2cc8d42bae88909258d7383e6418987a7f315a7bb23f614f19e68daffaeac3
Instruction ID: 415075f4864a2acc924ebefe0d1f74ed7a87f395a075498251789ac0f62a7eff
Opcode Fuzzy Hash: dd2cc8d42bae88909258d7383e6418987a7f315a7bb23f614f19e68daffaeac3
Instruction Fuzzy Hash: 5B21E731604385DBDF782E398D653FFB7B2AF81250F56843EDC8A9B550DB3049869B42

Uniqueness

Uniqueness Score: -1.00%

Function 02B974BF Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac808170ad4f898761e091c78d2667ee032599add6eeb408b12a82ab2cfa222
Instruction ID: 595d0a2dc40b29f3b8bffa88946f8df47ef7a2db27bb332a62636b51fdce60ee
Opcode Fuzzy Hash: 6ac808170ad4f898761e091c78d2667ee032599add6eeb408b12a82ab2cfa222
Instruction Fuzzy Hash: FD01993285C2C14FD71686B495296CBBFB9DF47224F6C88D5C4C5CB407C1158863C784

Uniqueness

Uniqueness Score: -1.00%

Function 02B93EA8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cce86c2ce0817a0f1a656ced2dad462a09e6b32f8e9757aec3c39f5f08f35f1
Instruction ID: 33f40d28d3eeee2755365a33ab3da979a43d105e5d603db2709c47bd0c7dbdb6
Opcode Fuzzy Hash: 8cce86c2ce0817a0f1a656ced2dad462a09e6b32f8e9757aec3c39f5f08f35f1
Instruction Fuzzy Hash: 40C02B5746405B0D0FB117F83388039048707811203304BFC388E81D0FDC828EC50811

Uniqueness

Uniqueness Score: -1.00%

Function 02BA6918 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b90000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00404526 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404526(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42b234 =  *0x42b234 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004043CE(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x432ea0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E004047D5(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x434f08, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x434f08, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
						goto L27;
					} else {
						_t116 =  *0x42c240 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404389(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004047B1();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x433edc - 4 + _t75 * 4);
				}
				_t76 =  *0x434f58 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E004044D7;
				if(_t110 != 2) {
					_v8 = E0040449D;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404367(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404367(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404389( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E0040439C(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x434f14 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42b234 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42b234 = 0;
				return 0;
			}

0x00404538
0x00404665
0x004046c2
0x004046c6
0x00404793
0x00404795
0x00404795
0x0040479b
0x0040479b
0x0040479e
0x00000000
0x004047a5
0x004046d4
0x004046da
0x004046e4
0x004046ef
0x004046f2
0x004046f5
0x00404700
0x00404703
0x0040470a
0x00404717
0x00404728
0x0040472e
0x00404736
0x00404744
0x0040474a
0x0040474a
0x0040470a
0x00404754
0x00000000
0x0040475f
0x00404763
0x00404773
0x00404773
0x00404779
0x00404785
0x00404785
0x00000000
0x00404789
0x00404754
0x00404670
0x00000000
0x00404682
0x00404687
0x0040468d
0x00000000
0x00000000
0x004046b6
0x004046b8
0x004046bd
0x00000000
0x004046bd
0x00404670
0x0040453e
0x00404541
0x00404546
0x00404557
0x00404557
0x0040455f
0x00404562
0x00404566
0x00404569
0x0040456d
0x00404570
0x00404573
0x00404576
0x0040457d
0x0040457f
0x0040457f
0x00404589
0x00404596
0x004045a0
0x004045a5
0x004045a8
0x004045ad
0x004045c4
0x004045cb
0x004045de
0x004045e1
0x004045f5
0x004045fc
0x00404601
0x00404606
0x00404606
0x00404614
0x00404622
0x00404634
0x00404639
0x00404649
0x0040464b
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045C4
GetDlgItem.USER32(?,000003E8), ref: 004045D8
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045F5
GetSysColor.USER32(?), ref: 00404606
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404614
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404622
lstrlenW.KERNEL32(?), ref: 00404627
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404634
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404649
GetDlgItem.USER32(?,0000040A), ref: 004046A2
SendMessageW.USER32(00000000), ref: 004046A9
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404717
LoadCursorW.USER32(00000000,00007F02), ref: 00404725
SetCursor.USER32(00000000), ref: 00404728
LoadCursorW.USER32(00000000,00007F00), ref: 00404741
SetCursor.USER32(00000000), ref: 00404744
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404773
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404785

Strings

Call, xrefs: 00404703
N, xrefs: 004046C2

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 3e7f1d81aaa2c81caad56aadef940d4d94f2f382e64dbbb27fd2036abddb4608
Instruction ID: bc177dfd6b6b6103f733ab6784bbaef7ca361af311f51bfa08924dfc74b84e38
Opcode Fuzzy Hash: 3e7f1d81aaa2c81caad56aadef940d4d94f2f382e64dbbb27fd2036abddb4608
Instruction Fuzzy Hash: 79618EB1A00209FFDB109F60DD85AAA7B69FB85314F00843AFA15B72D1D778AD51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x434f14;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: b27a2b551f63a02a5ae57bcc50d46a19120317da1eaca0d31fe5953092f3d4ab
Instruction ID: eaab19ccb9cda740c31967da28403833e1322962c0e6ee158e4036cb66a51054
Opcode Fuzzy Hash: b27a2b551f63a02a5ae57bcc50d46a19120317da1eaca0d31fe5953092f3d4ab
Instruction Fuzzy Hash: ED418B71800209AFCF058FA5CE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040605D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040605D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x430908 = 0x55004e;
				 *0x43090c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
						_t53 = _t52 + 0x10;
						E0040644E(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f14 + 0x128)));
						_t12 = E00405F07(0x431108, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405F8A(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405E6C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405E6C(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405EC2(_t24 + _t46, 0x430508, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405FB9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405F07(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x0040605d
0x00406066
0x0040606d
0x00406077
0x0040608b
0x004060b3
0x004060be
0x004060c2
0x004060e2
0x004060e9
0x004060f3
0x00406100
0x00406105
0x0040610a
0x0040610e
0x0040611d
0x0040611f
0x0040612c
0x00406130
0x004061cb
0x00000000
0x00406146
0x00406153
0x00406177
0x0040617b
0x0040619a
0x0040619e
0x0040619e
0x004061a0
0x004061a9
0x004061b4
0x004061bf
0x004061c5
0x00000000
0x004061c5
0x0040617d
0x00406180
0x0040618b
0x00406187
0x00406189
0x0040618a
0x0040618a
0x00406192
0x00406194
0x00000000
0x00406194
0x0040615e
0x00406164
0x00000000
0x00406164
0x00406130
0x0040610e
0x0040608d
0x00406098
0x004060a1
0x004060a5
0x00000000
0x00000000
0x004060a5
0x004061d6

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061F8,?,?), ref: 00406098
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004060A1

Part of subcall function 00405E6C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
Part of subcall function 00405E6C: lstrlenA.KERNEL32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EAE

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004060BE
wsprintfA.USER32 ref: 004060DC
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00406117
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406126
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040615E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004061B4
GlobalFree.KERNEL32(00000000), ref: 004061C5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061CC

Part of subcall function 00405F07: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
Part of subcall function 00405F07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D

Strings

[Rename], xrefs: 00406146, 00406158
%ls=%ls, xrefs: 004060D2

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 9b519c14120aa80628a1efb59fa06e72263f7c501841ac8fb024acedf13bc814
Instruction ID: d46549913b6b20842cf1787bef5cc60fb31ae9cbf3b8bb231415db86ef2d3bba
Opcode Fuzzy Hash: 9b519c14120aa80628a1efb59fa06e72263f7c501841ac8fb024acedf13bc814
Instruction Fuzzy Hash: 9D3135712017157BD2206B218D48F6B3A5CDF45754F15003AFE82FA2C3DA3CE9218ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004066C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004066C0(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405D5D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405D13(L"*?|<>/\":", _t5))) == 0) {
							E00405EC2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004066c2
0x004066cb
0x004066e2
0x004066e2
0x004066e9
0x004066f5
0x004066f5
0x004066f8
0x004066fb
0x00406700
0x00406702
0x0040670b
0x0040670f
0x0040672c
0x00406734
0x00406734
0x00406739
0x0040673b
0x0040673e
0x00406743
0x00406744
0x00406748
0x00406748
0x00406749
0x00406750
0x00406752
0x00406759
0x00000000
0x00000000
0x00406761
0x00406767
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676c

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75423420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406723
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406732
CharNextW.USER32(?,00000000,75423420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406737
CharPrevW.USER32(?,?,75423420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 0040674A

Strings

"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 004066C0
*?|<>/":, xrefs: 00406712
C:\Users\user\AppData\Local\Temp\, xrefs: 004066C1

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2338164302
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: 9627fccf098e727a5900f08bdddf05a21b4f43d755832024a56349c67539c63f
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: F2110D1580061295DB303B548C84A7B62F8EF5879CF52843FED96732C0E77D8C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 004043CE Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004043CE(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004043e0
0x00404496
0x00000000
0x00404496
0x004043f1
0x004043f5
0x00000000
0x0040440f
0x0040440f
0x00404418
0x00000000
0x00000000
0x0040441a
0x00404426
0x00404429
0x00404429
0x0040442f
0x00404435
0x00404435
0x00404441
0x00404447
0x0040444e
0x00404451
0x00404454
0x00404456
0x00404456
0x0040445e
0x00404464
0x00404464
0x0040446e
0x00404473
0x00404476
0x0040447b
0x0040447e
0x0040447e
0x0040448e
0x0040448e
0x00000000
0x00404491

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043EB
GetSysColor.USER32(00000000), ref: 00404429
SetTextColor.GDI32(?,00000000), ref: 00404435
SetBkMode.GDI32(?,?), ref: 00404441
GetSysColor.USER32(?), ref: 00404454
SetBkColor.GDI32(?,?), ref: 00404464
DeleteObject.GDI32(?), ref: 0040447E
CreateBrushIndirect.GDI32(?), ref: 00404488

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: dd0feedb065fecc26b382c70af4fe1a3d395924493241b124500faa7aa9dc668
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: 7C2174B15007059BCB30DF78DA08B5BBBF8AF81714B05892EE992B26E1D734E904DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026E4(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D1C(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x434fa8 =  *0x434fa8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E00406371(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00405FE8( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E00405F8A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406358( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026e4
0x004026e6
0x004026e9
0x004026eb
0x004026ee
0x004026f3
0x004026f7
0x004026fa
0x004026fd
0x00402bc2
0x00402bc5
0x00402703
0x00402703
0x0040270a
0x0040270c
0x0040270c
0x00402712
0x00402876
0x00402876
0x00402879
0x0040287e
0x004015b6
0x00402925
0x00402925
0x00000000
0x00402718
0x00402719
0x00402724
0x00402727
0x00402733
0x00402737
0x004027cf
0x004027e7
0x004027f7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040273d
0x0040273d
0x00402740
0x00402741
0x00402744
0x00402749
0x00402750
0x00402758
0x00000000
0x0040275e
0x0040275e
0x00402763
0x00000000
0x00402769
0x00402769
0x00402771
0x00402774
0x00402777
0x00402832
0x00402839
0x0040277d
0x00402783
0x0040278f
0x004027f9
0x004027f9
0x00402791
0x00402791
0x00402794
0x00402796
0x00402796
0x00402796
0x00402799
0x0040279e
0x004027a1
0x00000000
0x00000000
0x004027a3
0x004027a6
0x004027b4
0x004027ba
0x004027c8
0x00000000
0x004027ca
0x00000000
0x004027ca
0x00000000
0x004027c8
0x00402796
0x004027fc
0x004027ff
0x00000000
0x00402801
0x00402806
0x00402847
0x00402869
0x00402870
0x00402855
0x00402855
0x00402858
0x0040285b
0x0040285e
0x0040285e
0x00000000
0x0040280f
0x0040280f
0x00402812
0x00402815
0x0040281b
0x0040281f
0x00402822
0x00000000
0x00000000
0x00000000
0x00000000
0x00402822
0x00402806
0x004027ff
0x00402777
0x00402763
0x00402758
0x00000000
0x00402824
0x00402824
0x00402827
0x00402830
0x00000000
0x00402727
0x00402712
0x00402bcb
0x00402bd1

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402750
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4

Part of subcall function 00405FE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FFE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870

Strings

9, xrefs: 00402733

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 939078a54e4475671e6551d3fd19772fabc7f31a6bf9158e4a480f344115c940
Instruction ID: fc85df120a24998764995467ff6edc9a451c04e372c05a6abf1f77cf4653f2d7
Opcode Fuzzy Hash: 939078a54e4475671e6551d3fd19772fabc7f31a6bf9158e4a480f344115c940
Instruction Fuzzy Hash: 5C51F975D00219ABDF20DF95CA89AAEBB79FF04344F10817BE501B62D0E7B49D828B58

Uniqueness

Uniqueness Score: -1.00%

Function 00405479 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405479(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x433ee4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x434fd4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040644E(_t38, 0, 0x42c248, 0x42c248, _a4);
					}
					_t27 = lstrlenW(0x42c248);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x433ec8, 0x42c248);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42c248;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x42c248[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x42c248, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040547f
0x00405489
0x0040548e
0x00405494
0x0040549f
0x004054a2
0x004054a5
0x004054ab
0x004054ab
0x004054b1
0x004054b9
0x004054bc
0x004054d9
0x004054dd
0x004054e6
0x004054e6
0x004054f0
0x004054f9
0x00405505
0x0040550c
0x00405510
0x00405513
0x00405526
0x00405534
0x00405534
0x00405538
0x0040553a
0x0040553d
0x00000000
0x0040553d
0x004054be
0x004054c6
0x004054ce
0x004054d4
0x00000000
0x004054d4
0x004054ce
0x004054bc
0x00405549

APIs

lstrlenW.KERNEL32(0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,754223A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 595c87a6c684e3cc3ecfa7d9121cf0e7c522785301409aa9d6fada1dea414851
Instruction ID: 1ccddca99fa11d5427df38f31253403cabd393798f33362a1a37d4b4032a7ea7
Opcode Fuzzy Hash: 595c87a6c684e3cc3ecfa7d9121cf0e7c522785301409aa9d6fada1dea414851
Instruction Fuzzy Hash: 42219A71900518BBCB219F95DD85ACFBFB9EF45354F10803AF904B22A0C7798A908FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404D22 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D22(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404d30
0x00404d3d
0x00404d43
0x00404d81
0x00404d81
0x00404d90
0x00404d97
0x00000000
0x00404d99
0x00404d45
0x00404d54
0x00404d5c
0x00404d5f
0x00404d71
0x00404d77
0x00404d7e
0x00000000
0x00404d7e
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D3D
GetMessagePos.USER32 ref: 00404D45
ScreenToClient.USER32(?,?), ref: 00404D5F
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D71
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D97

Strings

f, xrefs: 00404D73

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 7205eec21020573454be23e67ac2b5f41aa1c09cc3aa20a5ad054807a565c042
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 63014C71900219BADB00DBA4DD85BFEBBBCAF54B11F10012BBA50F61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D1C(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce00 = E00402D1C(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce07 = 1;
				 *0x40ce04 = _t15 & 0x00000001;
				 *0x40ce05 = _t15 & 0x00000002;
				 *0x40ce06 = _t15 & 0x00000004;
				E0040644E(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf0);
				_push(_t18);
				_push(_t31);
				E00406358();
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402630
0x0040156d
0x00402b08
0x00402bc5
0x00402bd1

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Strings

Tahoma, xrefs: 00401EB9

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: ff5e119c1dfec186f1bc31a23d162186e9d3ca2dfc2df7b145d176ccd9f6b251
Instruction ID: 39ccdc2dc8d2035913c0323839c6798354fd507b9908b2fcb43e3dcb67b0f82d
Opcode Fuzzy Hash: ff5e119c1dfec186f1bc31a23d162186e9d3ca2dfc2df7b145d176ccd9f6b251
Instruction Fuzzy Hash: C6019271904240EFE7005BB0EE4AB9A3FB4BB15300F208A3AF141B75E2C6B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F2B(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41ea18; // 0x37c9e
					_t11 =  *0x42aa24;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402f3b
0x00402f49
0x00402f4f
0x00402f4f
0x00402f5d
0x00402f5f
0x00402f65
0x00402f6c
0x00402f6e
0x00402f6e
0x00402f84
0x00402f94
0x00402fa6
0x00402fa6
0x00402fae

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(00037C9E,00000064,?), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 5b1bc627dd36a5102c32c12b14091c8dec43231046f13c1edcd0296a8f8e997f
Instruction ID: 5483d255828af9cef8fcdd630f22e0c0956a10275527037d70a62c30cec8c61f
Opcode Fuzzy Hash: 5b1bc627dd36a5102c32c12b14091c8dec43231046f13c1edcd0296a8f8e997f
Instruction Fuzzy Hash: 29014471640209BBEF209F60DE49FEA3B79FB04344F008039FA06A51D0DBB995559F58

Uniqueness

Uniqueness Score: -1.00%

Function 738425B5 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E738425B5() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E7384121B();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M738426E4))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x7384407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7384409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73841470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x7384506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x7384506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x7384506c);
								goto L17;
							case 5:
								_push( *0x7384506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x73845000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E738412E1(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E73841272(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x738425bf
0x738425c1
0x738425c5
0x738425d4
0x738425d8
0x738425dd
0x738425dd
0x738425e5
0x738425ec
0x738425f2
0x00000000
0x738425f9
0x00000000
0x00000000
0x73842601
0x73842605
0x73842608
0x7384260c
0x73842613
0x73842617
0x7384261d
0x7384261f
0x73842621
0x73842621
0x73842628
0x00000000
0x00000000
0x73842631
0x00000000
0x00000000
0x73842638
0x7384263e
0x73842648
0x7384264e
0x73842653
0x00000000
0x00000000
0x73842674
0x00000000
0x00000000
0x7384265a
0x73842660
0x73842661
0x73842663
0x00000000
0x00000000
0x7384267c
0x7384267e
0x73842684
0x7384268a
0x7384268a
0x00000000
0x00000000
0x738425f2
0x7384268d
0x7384268d
0x73842692
0x738426a3
0x738426a3
0x738426a9
0x738426ae
0x738426b3
0x738426bf
0x738426c4
0x00000000
0x738426c9
0x738426b5
0x738426b6
0x738426ca
0x738426ca
0x738426b3
0x738426cb
0x738426cc
0x738426cf
0x738426e3

APIs

Part of subcall function 7384121B: GlobalAlloc.KERNELBASE(00000040,?,7384123B,?,738412DF,00000019,738411BE,-000000A0), ref: 73841225

GlobalFree.KERNEL32(?), ref: 738426A3
GlobalFree.KERNEL32(00000000), ref: 738426D8

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d5cb6a4577bc350cb36c89343facb96fefdcab6d3b39e4035896c62b89755ffb
Instruction ID: 854ca58980d3f548651cfd6fed2979453957a561aad0dbe6ffc4b37793528313
Opcode Fuzzy Hash: d5cb6a4577bc350cb36c89343facb96fefdcab6d3b39e4035896c62b89755ffb
Instruction Fuzzy Hash: FC31BC7220851DEFD716AFE6CC85F2A77BBEB853003285229F605C3E50D7309814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402947 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402947(int __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x38)) = 0xfffffd66;
				_t50 = E00402D3E(0xfffffff0);
				 *(_t56 - 0x40) = _t23;
				if(E00405D5D(_t50) == 0) {
					E00402D3E(0xffffffed);
				}
				E00405EE2(_t50);
				_t26 = E00405F07(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x434f18;
					 *(_t56 - 0x44) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040347D(_t45);
						E00403467(_t49,  *(_t56 - 0x44));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x28));
						 *(_t56 - 0x10) = _t54;
						if(_t54 != _t45) {
							E0040324C( *((intOrPtr*)(_t56 - 0x2c)), _t45, _t54,  *(_t56 - 0x28));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x3c) =  *_t54;
								E00405EC2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x3c);
							}
							GlobalFree( *(_t56 - 0x10));
						}
						E00405FB9( *(_t56 + 8), _t49,  *(_t56 - 0x44));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x38)) = E0040324C(0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x38)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x40));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402947
0x00402949
0x00402955
0x00402958
0x00402962
0x00402966
0x00402966
0x0040296c
0x00402979
0x00402981
0x00402984
0x0040298a
0x00402998
0x0040299d
0x004029a1
0x004029a4
0x004029ad
0x004029b9
0x004029bd
0x004029c0
0x004029ca
0x004029e9
0x004029d1
0x004029d6
0x004029de
0x004029e1
0x004029e6
0x004029e6
0x004029f0
0x004029f0
0x004029fd
0x00402a03
0x00402a15
0x00402a15
0x00402a1b
0x00402a1b
0x00402a26
0x00402a27
0x00402a2b
0x00402a2f
0x00402a35
0x00402a35
0x00402a3c
0x004022e9
0x00402bc5
0x00402bd1

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
GlobalFree.KERNEL32(?), ref: 004029F0
GlobalFree.KERNEL32(00000000), ref: 00402A03
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: a5ba4848feea4339aca0bd9ed9ef3b7077546e738993ad0ee054be50b6b812c9
Instruction ID: 6d3b5365c2144e4253305efdfeae8c7c86b7c4bf3cccdf3f9a106f7510f1e1f6
Opcode Fuzzy Hash: a5ba4848feea4339aca0bd9ed9ef3b7077546e738993ad0ee054be50b6b812c9
Instruction Fuzzy Hash: 6121BD71800124BBCF216FA9DE49D9F7E79EF05364F10023AF560762E1CB784D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 738423E0 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E738423E0(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E738412BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E73841243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M73842558))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E73841311(__ebp);
									goto L21;
								case 2:
									 *__edi = E73841311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x7384506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x7384506c, __eax,  *0x7384506c, 0, 0);
									goto L27;
								case 4:
									__eax = E7384122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E73841311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x7384506c =  *0x73845074 + ( *(__esi + 0x18) - 1) *  *0x7384506c * 2 + 0x18;
									 *__ebx =  *0x73845074 + ( *(__esi + 0x18) - 1) *  *0x7384506c * 2 + 0x18;
									asm("cdq");
									__eax = E73841470(__edx,  *0x73845074 + ( *(__esi + 0x18) - 1) *  *0x7384506c * 2 + 0x18, __edx,  *0x73845074 + ( *(__esi + 0x18) - 1) *  *0x7384506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E7384122C(0x73845044);
					goto L10;
				}
			}

0x738423f4
0x738423f8
0x73842403
0x73842403
0x7384240a
0x7384240f
0x00000000
0x00000000
0x73842413
0x73842416
0x00000000
0x00000000
0x7384241b
0x73842426
0x73842436
0x00000000
0x7384242d
0x7384242f
0x73842445
0x00000000
0x73842445
0x7384241d
0x7384241d
0x73842446
0x73842446
0x73842448
0x7384244c
0x7384244c
0x7384244f
0x7384244f
0x73842457
0x7384245f
0x73842462
0x73842521
0x73842522
0x7384252d
0x73842557
0x73842557
0x7384253d
0x73842549
0x7384253f
0x7384253f
0x7384253f
0x00000000
0x73842468
0x73842468
0x00000000
0x7384246f
0x00000000
0x00000000
0x73842477
0x00000000
0x00000000
0x73842485
0x73842487
0x00000000
0x00000000
0x738424a8
0x738424ae
0x738424b1
0x738424b3
0x738424c3
0x00000000
0x00000000
0x73842490
0x73842495
0x73842498
0x73842499
0x00000000
0x00000000
0x738424cf
0x738424d5
0x738424d6
0x738424d9
0x738424da
0x738424dc
0x00000000
0x00000000
0x738424e8
0x738424eb
0x738424f7
0x738424f9
0x00000000
0x00000000
0x73842505
0x73842511
0x73842514
0x73842516
0x73842519
0x00000000
0x00000000
0x73842468
0x73842462
0x7384243b
0x73842440
0x00000000
0x73842440

APIs

GlobalFree.KERNEL32(00000000), ref: 73842522

Part of subcall function 7384122C: lstrcpynW.KERNEL32(00000000,?,738412DF,00000019,738411BE,-000000A0), ref: 7384123C

GlobalAlloc.KERNEL32(00000040), ref: 738424A8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 738424C3

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: e8d1be20ecf89201cb59a8aa1f37f8035836462b698b8763dff31dd5805f50f7
Instruction ID: 15cf422598f5aec45b6ae3859db7d8dfcf056be44f4d37fca16b2afc7ea7e77e
Opcode Fuzzy Hash: e8d1be20ecf89201cb59a8aa1f37f8035836462b698b8763dff31dd5805f50f7
Instruction Fuzzy Hash: 2741C0B110870DDFD355EFE9E840B2A77BAFB48310B24991DE94A87D81D730A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D1C(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402D3E(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406358();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402b08
0x00402b08
0x00402bc5
0x00402bd1

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5af5b17495f11576261f65d9e5f109aee1feef29f3286c425d9ce226ac00a781
Instruction ID: ee10c8015a3e92cf614b22ba24180aec604fe5fe026a1179c0e7be4a3fdf0cdb
Opcode Fuzzy Hash: 5af5b17495f11576261f65d9e5f109aee1feef29f3286c425d9ce226ac00a781
Instruction Fuzzy Hash: E621F672900119AFCB05DFA4DE45AEEBBB5EF08314F14003AFA45F62A0C7789D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 7384161D Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E7384161D(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x73841637
0x73841643
0x73841650
0x73841657
0x73841660
0x7384166c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73842238,?,00000808), ref: 73841635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,73842238,?,00000808), ref: 7384163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73842238,?,00000808), ref: 73841650
GetProcAddress.KERNEL32(73842238,00000000), ref: 73841657
GlobalFree.KERNEL32(00000000), ref: 73841660

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: a1c6c374870a53b7bf2a916b9d1368d686b384cd1a01c8ab70eaed3866946f77
Instruction ID: f5342ccd125ab9c85482b7f9b5a67b37583351d2d4e31cd8cbebe94e19b1a884
Opcode Fuzzy Hash: a1c6c374870a53b7bf2a916b9d1368d686b384cd1a01c8ab70eaed3866946f77
Instruction Fuzzy Hash: 78F01C73206538BBD6202AA78C4CD9BBE9CEF8B2F5B250211F62C9219086724C11D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D1C(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D1C(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402D3E(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402D3E(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402D3E();
					_t32 = E00402D3E();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D1C();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D1C(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406358();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402b08
0x00402b08
0x00402bc5
0x00402bd1

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: fbb483b0c38b2c52992a6a5b7edafa52747ff059505c006a33bc3772956b04e9
Instruction ID: 0f37489a7ff55aa34ce709233052591c61f0789b3923deb1f93634f017c8c928
Opcode Fuzzy Hash: fbb483b0c38b2c52992a6a5b7edafa52747ff059505c006a33bc3772956b04e9
Instruction Fuzzy Hash: E821AD7195420AAEEF05AFB4D94AAEE7BB0EF44304F10453EF601B61D1D7B84941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404C14 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404C14(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040644E(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040644E(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040644E(_t44, _t50, 0x42d268, 0x42d268, _a8);
				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
			}

0x00404c1d
0x00404c22
0x00404c2a
0x00404c2b
0x00404c38
0x00404c40
0x00404c41
0x00404c43
0x00404c45
0x00404c47
0x00404c4a
0x00404c4a
0x00404c51
0x00404c57
0x00404c57
0x00404c5e
0x00404c65
0x00404c68
0x00404c6b
0x00404c6b
0x00404c6f
0x00404c7f
0x00404c81
0x00404c84
0x00404c2d
0x00404c2d
0x00404c34
0x00404c34
0x00404c8c
0x00404c97
0x00404cad
0x00404cbe
0x00404cda

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CB5
wsprintfW.USER32 ref: 00404CBE
SetDlgItemTextW.USER32(?,0042D268), ref: 00404CD1

Strings

%u.%u%s%s, xrefs: 00404C9F

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 0de71dd1f65287a19c767322f40b6e95ae33ee85482e893f5b2d92d4d5838e0a
Instruction ID: 33068f1a2098bbc59acf923d0b26dc9f7285eb9428391dcb76f0b5068863668e
Opcode Fuzzy Hash: 0de71dd1f65287a19c767322f40b6e95ae33ee85482e893f5b2d92d4d5838e0a
Instruction Fuzzy Hash: 6A11EB73A041283BEB00656D9D46E9E329C9B85334F264237FA25F31D1E978C82182EC

Uniqueness

Uniqueness Score: -1.00%

Function 00405DEE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405DEE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406411(0x42fa70, _a4);
				_t21 = E00405D91(0x42fa70);
				if(_t21 != 0) {
					E004066C0(_t21);
					if(( *0x434f1c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x42fa70 >> 1;
						while(1) {
							_t11 = lstrlenW(0x42fa70);
							_push(0x42fa70);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040676F();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405D32(0x42fa70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405CE6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405dfa
0x00405e05
0x00405e09
0x00405e10
0x00405e1c
0x00405e2c
0x00405e2e
0x00405e46
0x00405e47
0x00405e4e
0x00405e4f
0x00000000
0x00000000
0x00405e32
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e39
0x00405e51
0x00000000
0x00405e65
0x00405e1e
0x00405e24
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e24
0x00405e0b
0x00000000

APIs

Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E

Part of subcall function 00405D91: CharNextW.USER32(?,?,0042FA70,?,00405E05,0042FA70,0042FA70, 4Bu,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,75423420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D9F
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DA4
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DBC

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70, 4Bu,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,75423420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E47
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4Bu,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,75423420,C:\Users\user\AppData\Local\Temp\), ref: 00405E57

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DEE
4Bu, xrefs: 00405DF0

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Bu$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3777427936
Opcode ID: d647ba489e44e4c384e8f234fc99267bc74e37b9af3ba258ec0477dc6db0c33a
Instruction ID: 87735b5e832f2f8e04389b482ed260ad6458a913df04a2d72dce2697f876d431
Opcode Fuzzy Hash: d647ba489e44e4c384e8f234fc99267bc74e37b9af3ba258ec0477dc6db0c33a
Instruction Fuzzy Hash: A5F0F435104D2216C63233369D09AAF1548CE82364759453BF8D1B22D1DB3C8B838CED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405CE6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405ce7
0x00405cf4
0x00405cf5
0x00405d00
0x00405d08
0x00405d08
0x00405d10

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00405CEC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00405CF6
lstrcatW.KERNEL32(?,0040A014), ref: 00405D08

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE6

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: e2e9208f063340fd7176cb3713d1db1a131c248cac7d4947b15e4777b480a213
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 4FD0A771101A306AC1117B84AC05DDF669CAE85300381403BF201B30A4C77C1D5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402636 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00402636(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402D3E(0x11)) + _t16;
					} else {
						E00402D3E(0x21);
						E00406433("C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp\System.dll");
					}
				} else {
					E00402D1C(1);
					 *0x40adf0 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E00406371(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00405FE8(_t31, _t31) >= 0) {
						_t14 = E00405FB9(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsdCB34.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402636
0x00402636
0x00402636
0x0040263b
0x0040263e
0x00402641
0x00402646
0x00402648
0x00402668
0x004026a2
0x0040266a
0x0040266c
0x00402680
0x0040268d
0x0040268d
0x0040264a
0x0040264c
0x00402651
0x0040265f
0x00402662
0x004026a7
0x004026aa
0x00402925
0x00402925
0x004026b0
0x004026b9
0x004026bb
0x004026da
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026bb
0x00402bc5
0x00402bd1

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll), ref: 0040268D

Strings

C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll, xrefs: 00402651, 00402676, 00402688, 004026D4
C:\Users\user\AppData\Local\Temp\nsdCB34.tmp, xrefs: 0040267B

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsdCB34.tmp$C:\Users\user\AppData\Local\Temp\nsdCB34.tmp\System.dll
API String ID: 1659193697-2541662869
Opcode ID: 9f91aca178a37e6ed0b54cb78eabbee860e101ef043324f56c33086d30ece071
Instruction ID: 2f8f56cab2ec293de193d712fca88bf9bcdcc229c68306483e13e7e6ef2e3e02
Opcode Fuzzy Hash: 9f91aca178a37e6ed0b54cb78eabbee860e101ef043324f56c33086d30ece071
Instruction Fuzzy Hash: AD11E772A00205ABCB10AFB18F4AAAF77719F44748F25043FE402B71C1EAFD8891565E

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FB1(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x42aa20 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x434f10) {
							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F2B, 0);
							 *0x42aa20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406842(0);
					}
				} else {
					_t6 =  *0x42aa20;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x42aa20 = 0;
					return _t6;
				}
			}

0x00402fb8
0x00402fd8
0x00402fe2
0x00402fee
0x00402fff
0x00403008
0x00000000
0x0040300d
0x00403014
0x00402fda
0x00402fe1
0x00402fe1
0x00402fba
0x00402fba
0x00402fc1
0x00402fc4
0x00402fc4
0x00402fca
0x00402fd1
0x00402fd1

APIs

DestroyWindow.USER32(?,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e942aba91c3d4d0b77748caef32317d1a3e8dc78421a0242562119172c6ce506
Instruction ID: d33bc14a5fcc1787285ca97da28f022d839d2e13e88132ee71d9f244d0d7cdfd
Opcode Fuzzy Hash: e942aba91c3d4d0b77748caef32317d1a3e8dc78421a0242562119172c6ce506
Instruction Fuzzy Hash: 4AF05E3160AA21ABC6216F10FF0DA8B7B64BB48B41741487AF842B15E9DB740CA1DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403A4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A4B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42b22c;
				_t3 = E00403A30(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42b22c =  *0x42b22c & 0x00000000;
				return _t3;
			}

0x00403a4c
0x00403a54
0x00403a5b
0x00403a5e
0x00403a5e
0x00403a60
0x00403a65
0x00403a6c
0x00403a72
0x00403a76
0x00403a77
0x00403a7f

APIs

FreeLibrary.KERNEL32(?,75423420,00000000,C:\Users\user\AppData\Local\Temp\,00403A23,00403839,00000007,?,00000007,00000009,0000000B), ref: 00403A65
GlobalFree.KERNEL32(?), ref: 00403A6C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A4B

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 631b6d606f958dd3b9f901d17eba749f6bbdc97bd5f3e27fdad90cb16f3fbd8e
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 1CE0EC3261212097C7219F55BE08B6E7768AF48B22F06146AE9C5BB2608B745D424FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405D32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405D32(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405d33
0x00405d3d
0x00405d40
0x00405d46
0x00405d47
0x00405d48
0x00405d50
0x00000000
0x00000000
0x00000000
0x00405d50
0x00405d52
0x00405d5a

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D38
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D48

Strings

C:\Users\user\Desktop, xrefs: 00405D32

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: cdcea1fdb6b733c318131938d2018cbcd3f5257763d90021158e822df2c29c6c
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: FCD05EB24009209AC3126704DC0999F67A8FF5130078A842BF541AA1A4D7785C818AAC

Uniqueness

Uniqueness Score: -1.00%

Function 738410E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E738410E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x7384506c = _a8;
				 *0x73845070 = _a16;
				 *0x73845074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73845048, E738415B1, _t51, _t56);
				_t41 =  *0x7384506c +  *0x7384506c * 4 << 3;
				_t17 = E73841243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E73841272(E738412BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E738412E1(( *_t54 & 0x0000ffff) - 0x30, E73841243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x73845040;
								 *0x73845040 = _t30;
								E73841563(_t30 + 4,  *0x73845074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x73845040;
							if( *0x73845040 != 0) {
								E73841563( *0x73845074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x73845040;
								GlobalFree(_t36);
								 *0x73845040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x738410e6
0x738410f0
0x738410ff
0x7384110e
0x73841119
0x7384111c
0x7384112b
0x7384112f
0x73841131
0x738411d8
0x738411de
0x73841137
0x73841138
0x73841138
0x7384113d
0x7384113e
0x73841140
0x73841143
0x7384120d
0x73841210
0x738411b0
0x738411b6
0x738411bf
0x738411c4
0x738411c7
0x00000000
0x738411c7
0x73841212
0x73841214
0x73841196
0x7384119d
0x738411a5
0x00000000
0x738411a5
0x73841161
0x73841162
0x7384116a
0x73841177
0x7384117f
0x73841188
0x7384118d
0x7384118d
0x00000000
0x73841162
0x73841149
0x738411df
0x738411df
0x738411e6
0x738411f3
0x738411f8
0x738411fb
0x73841203
0x73841205
0x73841205
0x00000000
0x738411e6
0x7384114f
0x73841152
0x00000000
0x00000000
0x73841158
0x7384115b
0x738411ac
0x00000000
0x738411ac
0x7384115d
0x7384115f
0x73841192
0x00000000
0x73841192
0x00000000
0x738411c9
0x738411c9
0x738411d3
0x00000000
0x738411d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7384116A
GlobalFree.KERNEL32(00000000), ref: 738411C7
GlobalFree.KERNEL32(00000000), ref: 738411D9
GlobalFree.KERNEL32(?), ref: 73841203

Memory Dump Source

Source File: 00000002.00000002.110047313209.0000000073841000.00000020.00000001.01000000.00000004.sdmp, Offset: 73840000, based on PE: true

Associated: 00000002.00000002.110047212499.0000000073840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047373977.0000000073844000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.110047427575.0000000073846000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73840000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: ab6604ac884f29587b45095d0d05582464d8587c1225174ccce220aadbf17ea0
Instruction ID: 7f17c54310d9081bcb85ce79e666b3a59df0ac9d9a95853128fc0e57288d0439
Opcode Fuzzy Hash: ab6604ac884f29587b45095d0d05582464d8587c1225174ccce220aadbf17ea0
Instruction Fuzzy Hash: 9231C4B65002199FE300DFF9C945B2A77FAEB45710734621AED4AD7E54E734D801C760

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E6C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405e7c
0x00405e7e
0x00405e81
0x00405ead
0x00405e86
0x00405e8f
0x00405e94
0x00405e9f
0x00405ea2
0x00405ebe
0x00405ea4
0x00405eab
0x00000000
0x00405eab
0x00405eb7
0x00405ebb
0x00405ebb
0x00405eb5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E94
CharNextA.USER32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA5
lstrlenA.KERNEL32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EAE

Memory Dump Source

Source File: 00000002.00000002.110028781461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.110028753518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028828377.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110028860530.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029004585.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029034888.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029059697.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029104135.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029130257.000000000047B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.110029155686.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 346f7042b660fb70b52ae74c1c6e121eab6bc84344666f805f11c7930e864ff2
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: A8F06231505418FFD7029BA5DE0099FBBA8EF56250B2540AAE880F7250D674EF019BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0f40a9a4-7ba9-4798-b98b-f18214009bbd.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0f40a9a4-7ba9-4798-b98b-f18214009bbd.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3843bffb-4eef-4da1-af04-618c0facc656.down_data

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3843bffb-4eef-4da1-af04-618c0facc656.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3843bffb-4eef-4da1-af04-618c0facc656.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4aa5b1fb-1301-4194-8203-1cbb67304ae7.down_data

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4aa5b1fb-1301-4194-8203-1cbb67304ae7.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4aa5b1fb-1301-4194-8203-1cbb67304ae7.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\585053d0-ba98-49e5-b1a4-c6f5d9974c26.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\585053d0-ba98-49e5-b1a4-c6f5d9974c26.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8086b025-ce16-4435-9cc3-d2a0f33fe026.down_data

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8086b025-ce16-4435-9cc3-d2a0f33fe026.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8086b025-ce16-4435-9cc3-d2a0f33fe026.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8d48d2a6-6a56-420d-bb18-5dfe26c1259c.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\8d48d2a6-6a56-420d-bb18-5dfe26c1259c.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aa790838-db48-4eec-9b8a-be8242eb173a.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aa790838-db48-4eec-9b8a-be8242eb173a.down_data

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aa790838-db48-4eec-9b8a-be8242eb173a.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b554ff5d-428f-46a5-8fa9-db35cc2cdf59.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b554ff5d-428f-46a5-8fa9-db35cc2cdf59.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\dd6a1354-220a-435c-9960-7f2e2f731c6f.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\dd6a1354-220a-435c-9960-7f2e2f731c6f.up_meta_secure

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e9594213-9e57-49dd-91fb-0ee2aae6c086.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta

Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe