
Windows Analysis Report
shipping_documents.exe

Overview

General Information

Sample Name: shipping_documents.exe
Analysis ID: 830622
MD5: 5ec19c18eff49f78ce02e2cf1831c37d
SHA1: 9d7261d0e2558dd6bd26373c4e2421ad83af6b19
SHA256: ee9c3569905a2a2b5141982928e9205a99170189dab43f8626102e1a6dddbe4e
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • shipping_documents.exe (PID: 64 cmdline: C:\Users\user\Desktop\shipping_documents.exe MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • schtasks.exe (PID: 6132 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • vOqVEnqC.exe (PID: 1248 cmdline: C:\Users\user\AppData\Roaming\vOqVEnqC.exe MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • schtasks.exe (PID: 4436 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vOqVEnqC.exe (PID: 1324 cmdline: {path} MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
  • LIhMQ.exe (PID: 244 cmdline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • schtasks.exe (PID: 5968 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • LIhMQ.exe (PID: 4544 cmdline: {path} MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • LIhMQ.exe (PID: 2280 cmdline: {path} MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
  • LIhMQ.exe (PID: 2852 cmdline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
  • cleanup
Malware Configuration (AgentTesla): {"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}

Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_AgentTesla_d3ac2b2f; Description: unknown; Author: unknown
  • 0x1f7c:$a13: get_DnsResolver
  • 0x71d:$a20: get_LastAccessed
  • 0x824:$a33: get_Clipboard
  • 0x832:$a34: get_Keyboard
  • 0x1b97:$a35: get_ShiftKeyDown
  • 0x1ba8:$a36: get_AltKeyDown
  • 0x83f:$a37: get_Password
  • 0x132f:$a38: get_PasswordHash

Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security

Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_AgentTesla_d3ac2b2f; Description: unknown; Author: unknown
  • 0x30c8c:$a13: get_DnsResolver
  • 0x650ac:$a13: get_DnsResolver
  • 0x2f42d:$a20: get_LastAccessed
  • 0x6384d:$a20: get_LastAccessed
  • 0x3161e:$a27: set_InternalServerPort
  • 0x65a3e:$a27: set_InternalServerPort
  • 0x3193b:$a30: set_GuidMasterKey
  • 0x65d5b:$a30: set_GuidMasterKey
  • 0x2f534:$a33: get_Clipboard
  • 0x63954:$a33: get_Clipboard
  • 0x2f542:$a34: get_Keyboard
  • 0x63962:$a34: get_Keyboard
  • 0x308a7:$a35: get_ShiftKeyDown
  • 0x64cc7:$a35: get_ShiftKeyDown
  • 0x308b8:$a36: get_AltKeyDown
  • 0x64cd8:$a36: get_AltKeyDown
  • 0x2f54f:$a37: get_Password
  • 0x6396f:$a37: get_Password
  • 0x3003f:$a38: get_PasswordHash
  • 0x6445f:$a38: get_PasswordHash
  • 0x31089:$a39: get_DefaultCredentials
(first entries of 26 shown)
Yara matches in unpacked PEs (Source / Rule / Description / Author / Strings):

Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack
Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack
Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security

Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack
Rule: MALWARE_Win_AgentTeslaV3; Description: AgentTeslaV3 infostealer payload; Author: ditekSHen
  • 0x30c63:$s10: logins
  • 0x306bf:$s11: credential
  • 0x2cc24:$g1: get_Clipboard
  • 0x2cc32:$g2: get_Keyboard
  • 0x2cc3f:$g3: get_Password
  • 0x2df87:$g4: get_CtrlKeyDown
  • 0x2df97:$g5: get_ShiftKeyDown
  • 0x2dfa8:$g6: get_AltKeyDown

Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack
Rule: Windows_Trojan_AgentTesla_d3ac2b2f; Description: unknown; Author: unknown
  • 0x2e37c:$a13: get_DnsResolver
  • 0x2cb1d:$a20: get_LastAccessed
  • 0x2ed0e:$a27: set_InternalServerPort
  • 0x2f02b:$a30: set_GuidMasterKey
  • 0x2cc24:$a33: get_Clipboard
  • 0x2cc32:$a34: get_Keyboard
  • 0x2df97:$a35: get_ShiftKeyDown
  • 0x2dfa8:$a36: get_AltKeyDown
  • 0x2cc3f:$a37: get_Password
  • 0x2d72f:$a38: get_PasswordHash
  • 0x2e779:$a39: get_DefaultCredentials

Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack
Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
(first entries of 12 shown)
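The string tables above list, for every Yara hit, the offset in the dump, the string identifier inside the rule and the matched text. Two points are worth reading off them: the same identifier can hit more than once in one region (for the 4446000 dump every string appears twice, always 0x34420 bytes apart, which suggests two copies of the same image in that region), and a short string such as $a37 get_Password also hits inside the longer get_PasswordHash, so a rule counts distinct identifiers rather than raw hits. The Python below is an added illustration of that mechanism, not part of the Joe Sandbox report and not the Elastic or ditekSHen rules themselves: it runs a raw substring search over a constructed byte blob and prints hits in the report's own offset:$id: string form. The identifiers and strings are copied from the tables; the sample bytes, the benign comparison blob and the min_matches threshold are assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a memory dump of an unpacked .NET stealer. In a
# real dump the method names sit as ASCII in the #Strings metadata heap;
# here they are simply laid out between padding bytes (not real sample data).
SAMPLE_DUMP: bytes = (
    b"\x00" * 0x40
    + b"get_Clipboard\x00get_Keyboard\x00get_Password\x00"
    + b"\x00" * 0x100
    + b"get_ShiftKeyDown\x00get_AltKeyDown\x00get_CtrlKeyDown\x00"
    + b"\x00" * 0x80
    + b"get_DnsResolver\x00get_LastAccessed\x00set_GuidMasterKey\x00get_PasswordHash\x00"
)

# Constructed blob with ordinary .NET accessors and none of the indicators.
BENIGN_BLOB: bytes = b"\x00" * 0x40 + b"get_Name\x00get_Value\x00ToString\x00" + b"\x00" * 0x40

# Identifiers and strings copied from the report's tables. The condition
# (how many distinct ids must hit) is this example's assumption, not the
# published condition of the Elastic or ditekSHen rules.
RULE = {
    "name": "AgentTesla_method_names_demo",
    "strings": {
        "$a13": b"get_DnsResolver",
        "$a20": b"get_LastAccessed",
        "$a30": b"set_GuidMasterKey",
        "$a33": b"get_Clipboard",
        "$a34": b"get_Keyboard",
        "$a35": b"get_ShiftKeyDown",
        "$a36": b"get_AltKeyDown",
        "$a37": b"get_Password",
        "$a38": b"get_PasswordHash",
    },
    "min_matches": 6,
}


def scan(blob: bytes, strings: Dict[str, bytes]) -> List[Tuple[int, str, bytes]]:
    """Every (offset, id, string) occurrence in the blob, sorted by offset.

    Like Yara's plain text strings this is a raw substring search, so a
    short string also hits inside a longer one (get_Password inside
    get_PasswordHash). Rules therefore count distinct ids, not raw hits.
    """
    hits = []
    for sid, s in strings.items():
        start = 0
        while True:
            off = blob.find(s, start)
            if off < 0:
                break
            hits.append((off, sid, s))
            start = off + 1  # resume one byte on so overlapping hits are kept
    return sorted(hits)


def matched_ids(blob: bytes, strings: Dict[str, bytes]) -> Set[str]:
    return {sid for _, sid, _ in scan(blob, strings)}


def evaluate(blob: bytes, rule: Dict) -> bool:
    """Rule condition: at least min_matches distinct string ids present."""
    return len(matched_ids(blob, rule["strings"])) >= rule["min_matches"]


def report(blob: bytes, rule: Dict) -> List[str]:
    """Render hits in the report's own 'offset:$id: string' form."""
    return [f"0x{off:x}:{sid}: {s.decode('ascii')}"
            for off, sid, s in scan(blob, rule["strings"])]


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP, RULE):
        print(line)
    print("SAMPLE_DUMP matches:", evaluate(SAMPLE_DUMP, RULE))
    print("BENIGN_BLOB matches:", evaluate(BENIGN_BLOB, RULE))
```

When triaging a real dump, feed the bytes of the region (or the unpacked PE the report names) to scan() and compare the offsets with the table; identical relative spacing between two groups of hits is the quick way to tell a second copy of the payload from a second, different artefact.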

              Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data:
  Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
  CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: C:\Users\user\Desktop\shipping_documents.exe
  ParentImage: C:\Users\user\Desktop\shipping_documents.exe
  ParentProcessId: 64
  ParentProcessName: shipping_documents.exe
  ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
  ProcessId: 6132
  ProcessName: schtasks.exe
              No Snort rule has matched
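The Sigma hit above ("Scheduled temp file as task from temp location") fires on a schtasks.exe /Create whose /XML task definition is read from the user's Temp directory, here launched by a binary on the Desktop; the same pattern repeats for every copy of the sample in the process tree, always with the task name Updates\vOqVEnqC. The Python below is an added illustration, not Joe Security's Sigma rule or its matching engine: it runs an equivalent check over constructed Sysmon-style process-creation events, of which the first copies the fields of the match above and the rest are benign look-alikes that must not fire. The temp-directory patterns and the user-writable-parent test are this example's own approximation of the rule's logic, not its published definition. The tokenizer also copes with the dangling quote that the recorded command line carries.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed process-creation events in Sysmon Event ID 1 style; they are not
# taken from the sandbox's own log. The first mirrors the fields of the Sigma
# match above, the rest are benign look-alikes that must not fire.
SAMPLE_EVENTS: List[Dict] = [
    {
        "ProcessId": 6132,
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        # the recorded command line carries a dangling quote, as in the report
        "CommandLine": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp',
        "ParentImage": r"C:\Users\user\Desktop\shipping_documents.exe",
    },
    {   # benign: definition kept under ProgramData, created from an admin shell
        "ProcessId": 1001,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly task.xml"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: a query, not a creation
        "ProcessId": 1002,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Query /TN "Updates\Whatever"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process
        "ProcessId": 1003,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Locations a dropped task definition typically comes from (assumed set).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.I)
# Parents under these roots are treated as not user-writable (assumed set).
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


@dataclass
class Finding:
    pid: int
    task_name: str
    xml_path: str
    parent_image: str
    parent_user_writable: bool


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments.

    Quoted arguments may contain spaces. An unmatched quote, as in the
    sandbox's rendering, does not break parsing: the token is kept whole
    and stray quote characters are stripped.
    """
    parts = re.findall(r'"([^"]*)"|(\S+)', cmdline)
    return [(quoted or bare).strip('"') for quoted, bare in parts]


def check_event(ev: Dict) -> Optional[Finding]:
    """Return a Finding when the event is a schtasks /Create whose /XML
    definition is read from a temp directory, else None."""
    if not ev["Image"].lower().endswith(r"\schtasks.exe"):
        return None
    toks = tokenize(ev["CommandLine"])
    flags = {t.lower() for t in toks if t.startswith("/")}
    if "/create" not in flags or "/xml" not in flags:
        return None
    # /TN and /XML each take the following token as their value
    values = {t.lower(): toks[i + 1]
              for i, t in enumerate(toks[:-1]) if t.lower() in ("/tn", "/xml")}
    xml_path = values.get("/xml", "")
    if not TEMP_DIR_RE.search(xml_path):
        return None
    parent = ev.get("ParentImage", "")
    return Finding(
        pid=ev["ProcessId"],
        task_name=values.get("/tn", "<none>"),
        xml_path=xml_path,
        parent_image=parent,
        parent_user_writable=not SYSTEM_DIR_RE.match(parent),
    )


def detect(events: Iterable[Dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f.pid}: task {f.task_name!r} defined from {f.xml_path} "
              f"(parent {f.parent_image}, user-writable parent: {f.parent_user_writable})")
```

Only the first event produces a finding. The parent check is kept as an attribute rather than a filter on purpose: a /XML definition in Temp is suspicious on its own, and a parent outside Windows or Program Files (Desktop, AppData\Roaming, as in this report's tree) is the escalation signal an analyst would sort on.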


              AV Detection

Source: shipping_documents.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | ReversingLabs: Detection: 53%
Source: shipping_documents.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Joe Sandbox ML: detected
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}
Source: shipping_documents.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: shipping_documents.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: i2QOV.pdbx" source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: Binary string: i2QOV.pdb source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0746F728
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 5_2_0791F5C8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 5_2_0791FE40
Source: Joe Sandbox View | IP Address: 27.54.86.236
Source: global traffic | TCP traffic: 192.168.2.5:49699 -> 27.54.86.236:587
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://MFxeXD.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000003102000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.00000000031AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.clipjoint.co.nz
Source: shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comceF
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comcagE
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vOqVEnqC.exe, 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://RGpFrRyIJy6rRTyqEb.net
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%mail.clipjoint.co.nzclipjoint
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: mail.clipjoint.co.nz

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\shipping_documents.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\shipping_documents.exe
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Source: shipping_documents.exe, 00000000.00000002.349816544.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\shipping_documents.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\shipping_documents.exe | File written: C:\Windows\System32\drivers\etc\hosts

              System Summary

Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: shipping_documents.exe
Source: shipping_documents.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_00BCC504
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_00BCE7F8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_00BCE7E8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_0746BD70
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07467CA8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07460040
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07467810
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07466F60
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07469F18
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07467F18
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07466F24
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07467F28
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07462FA8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07462FB8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07463600
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07463610
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07461E28
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07461E38
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07463420
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07463430
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07467C97
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07468BCF
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07468BE0
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07461392
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_074613A0
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_0746BA80
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_074641C3
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_074641C8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07463190
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_074631A0
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07460006
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07467802
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_0746C018
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_02F3E7F8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_02F3E7E8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_02F3C504
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07917CA8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_0791BCE0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07910040
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_0791BF88
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07912FB8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07912FA8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07919F18
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07917F18
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07916F24
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07917F28
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07916F60
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07913610
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07913600
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07911E38
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07911E28
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07917C97
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07913430
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07913420
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07911392
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_079113A0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07918BCF
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07918BE0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07913190
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_079131A0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_079141C8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_0791B9F0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07914118
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07917810
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07917802
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07910006
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_0118F6E0
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_0118FA28
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A8A84
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062AA328
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A3002
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A8060
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A0040
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A61B0
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062AB288
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062AB2F0
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062AA327
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062AE8DA
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_0656DEC8
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_0656C818
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_0656ACF8
              Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.349816544.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000000.299936176.0000000000574000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.362172177.00000000048D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping_documents.exe
              Source: shipping_documents.exe, 00000006.00000002.581226304.00000000009E8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipping_documents.exe
              Source: shipping_documents.exe | Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
              Source: shipping_documents.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: vOqVEnqC.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: LIhMQ.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: shipping_documents.exe | ReversingLabs: Detection: 53%
              Source: C:\Users\user\Desktop\shipping_documents.exe | File read: C:\Users\user\Desktop\shipping_documents.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\shipping_documents.exe C:\Users\user\Desktop\shipping_documents.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe C:\Users\user\AppData\Roaming\vOqVEnqC.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\shipping_documents.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe | File created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@25/10@3/1
              Source: C:\Users\user\Desktop\shipping_documents.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.000000000315A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: shipping_documents.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\shipping_documents.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\shipping_documents.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\KEXpxe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:472:120:WilError_01
              Source: shipping_documents.exe | String found in binary or memory: WPlease check that the folder and files are in this location. If not, please uninstal and re-install the program. If this issue continues, please contact technical support.9\BlueSkyGlobal\UpdateImages\/Please insert your USB.
              Source: C:\Users\user\Desktop\shipping_documents.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\shipping_documents.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: shipping_documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: shipping_documents.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: shipping_documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: i2QOV.pdbx" source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
              Source: Binary string: i2QOV.pdb source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 0_2_07461390 pushad ; iretd 0_2_07461391
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 5_2_07911390 pushad ; iretd 5_2_07911391
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A581A push FFFFFF8Bh; retf 6_2_062A581C
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A78D5 push eax; retf 6_2_062A78D7
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A71FD push cs; retf 8B05h 6_2_062A724E
              Source: initial sample | Static PE information: section name: .text entropy: 7.446877411021773
              Source: C:\Users\user\Desktop\shipping_documents.exe | File created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe (dropped file)
              Source: C:\Users\user\Desktop\shipping_documents.exe | File created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe (dropped file)

              Boot Survival

              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Users\user\Desktop\shipping_documents.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\shipping_documents.exe | File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: LIhMQ.exe PID: 244, type: MEMORYSTR
              Source: shipping_documents.exe, 00000000.00000002.368254562.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: shipping_documents.exe, 00000000.00000002.368254562.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\shipping_documents.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\shipping_documents.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\shipping_documents.exe TID: 5880 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 4968 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\shipping_documents.exe TID: 5800 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\shipping_documents.exe TID: 4012 | Thread sleep count: 9742 > 30
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5928 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5044 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 3804 | Thread sleep count: 9448 > 30
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 5364 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 5416 | Thread sleep count: 5854 > 30
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\shipping_documents.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\shipping_documents.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\shipping_documents.exe | Window / User API: threadDelayed 9742
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Window / User API: threadDelayed 9448
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Window / User API: threadDelayed 5854
              Source: C:\Users\user\Desktop\shipping_documents.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\shipping_documents.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Thread delayed: delay time: 922337203685477
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: LIhMQ.exe, 0000000E.00000002.637583427.0000000006D1F000.00000004.00000020.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000003.549988407.0000000006D14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: vOqVEnqC.exe, 00000011.00000002.634694904.0000000006570000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 6_2_062A2508 LdrInitializeThunk, 6_2_062A2508
              Source: C:\Users\user\Desktop\shipping_documents.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\shipping_documents.exe | File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\shipping_documents.exe | Memory written: C:\Users\user\Desktop\shipping_documents.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Memory written: C:\Users\user\AppData\Roaming\vOqVEnqC.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Memory written: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe | Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Users\user\Desktop\shipping_documents.exe VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeQueries volume information: C:\Users\user\AppData\Roaming\vOqVEnqC.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Users\user\Desktop\shipping_documents.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\Desktop\shipping_documents.exe File written: C:\Windows\System32\drivers\etc\hosts

              Stealing of Sensitive Information

              Source: Yara match File source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR
              Source: C:\Users\user\Desktop\shipping_documents.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\shipping_documents.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Users\user\Desktop\shipping_documents.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\shipping_documents.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: Yara matchFile source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR
ATT&CK matrix (a digit prefix is the count badge shown before that technique on the original page; cells are separated by "|"):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 File and Directory Permissions Modification | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | 111 Input Capture | 114 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 3 Obfuscated Files or Information | 1 Credentials in Registry | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 111 Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 830622, Sample: shipping_documents.exe, Startdate: 20/03/2023, Architecture: WINDOWS, Score: 100). Numbers in parentheses are the graph's node IDs.

Sample level: DNS/IP: mail.clipjoint.co.nz; signatures: Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 5 other signatures

Processes started from the sample:
• shipping_documents.exe (8): dropped C:\Users\user\AppData\Roaming\vOqVEnqC.exe (PE32), C:\Users\user\AppData\Local\...\tmp3F0C.tmp (XML), C:\Users\user\...\shipping_documents.exe.log (ASCII); signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; started shipping_documents.exe (18), schtasks.exe (23), shipping_documents.exe (25), shipping_documents.exe (27)
• LIhMQ.exe (12): signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes; started LIhMQ.exe (29), schtasks.exe (31), LIhMQ.exe (33)
• vOqVEnqC.exe (14): started vOqVEnqC.exe (35), schtasks.exe (37)
• LIhMQ.exe (16)

Child processes:
• shipping_documents.exe (18): DNS/IP: mail.clipjoint.co.nz 27.54.86.236, port 587, DREAMSCAPE-AS-AP Dreamscape Networks Limited AU, Australia; dropped C:\Users\user\AppData\Roaming\...\LIhMQ.exe (PE32), C:\Windows\System32\drivers\etc\hosts (ASCII), C:\Users\user\...\LIhMQ.exe:Zone.Identifier (ASCII); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file
• schtasks.exe (23): started conhost.exe (39)
• LIhMQ.exe (29): signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
• schtasks.exe (31): started conhost.exe (41)
• vOqVEnqC.exe (35): signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
• schtasks.exe (37): started conhost.exe (43)

Source | Detection | Scanner | Label
shipping_documents.exe | 54% | ReversingLabs | Win32.Trojan.Leonem
shipping_documents.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\vOqVEnqC.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | 54% | ReversingLabs | Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\vOqVEnqC.exe | 54% | ReversingLabs | Win32.Trojan.Leonem

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://www.sajatypeworks.comcagE | 0% | Avira URL Cloud | safe
http://www.fontbureau.comceF | 0% | Avira URL Cloud | safe
https://api.ipify.org%mail.clipjoint.co.nzclipjoint | 0% | Avira URL Cloud | safe
http://MFxeXD.com | 0% | Avira URL Cloud | safe
https://RGpFrRyIJy6rRTyqEb.net | 0% | Avira URL Cloud | safe
http://mail.clipjoint.co.nz | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.clipjoint.co.nz | 27.54.86.236 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comceF | shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.clipjoint.co.nz | shipping_documents.exe, 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000003102000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.00000000031AA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://MFxeXD.com | vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.comcagE | shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%mail.clipjoint.co.nzclipjoint | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://RGpFrRyIJy6rRTyqEb.net | vOqVEnqC.exe, 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
27.54.86.236 | mail.clipjoint.co.nz | Australia | 38719 | DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830622
Start date and time: 2023-03-20 14:50:16 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: shipping_documents.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@25/10@3/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 88
• Number of non-executed functions: 26
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size exceeded the maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: shipping_documents.exe
Time | Type | Description
14:51:23 | API Interceptor | 636x Sleep call for process: shipping_documents.exe modified
14:51:33 | Task Scheduler | Run new task: vOqVEnqC path: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
14:51:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
14:51:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
14:51:59 | API Interceptor | 85x Sleep call for process: vOqVEnqC.exe modified
14:52:01 | API Interceptor | 268x Sleep call for process: LIhMQ.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
27.54.86.236 | sale order.exe | Get hash | malicious | AgentTesla, zgRAT | Browse |
27.54.86.236 | SOA.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | M70iwGlFIB.exe | Get hash | malicious | AgentTesla, RHADAMANTHYS | Browse |
27.54.86.236 | ZRjKZBWSk7.exe | Get hash | malicious | RHADAMANTHYS | Browse |
27.54.86.236 | PO#198945.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | Revised Order.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | Revised Order.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | AWB 907853880911 PRE-ALRET.xls | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | file.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | vbc.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | PO 1000402812.docx.doc | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | purchase order.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | Revised Order.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | Revised Order.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | SOA.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | SOA.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | statement of account.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | SOA.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | SOA.exe | Get hash | malicious | AgentTesla | Browse |
27.54.86.236 | SOA.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.clipjoint.co.nz | sale order.exe | Get hash | malicious | AgentTesla, zgRAT | Browse | 27.54.86.236
mail.clipjoint.co.nz | SOA.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | M70iwGlFIB.exe | Get hash | malicious | AgentTesla, RHADAMANTHYS | Browse | 27.54.86.236
mail.clipjoint.co.nz | ZRjKZBWSk7.exe | Get hash | malicious | RHADAMANTHYS | Browse | 27.54.86.236
mail.clipjoint.co.nz | PO#198945.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | Revised Order.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | Revised Order.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | AWB 907853880911 PRE-ALRET.xls | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | file.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | vbc.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | PO 1000402812.docx.doc | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | purchase order.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | Revised Order.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | Revised Order.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | SOA.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | SOA.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | statement of account.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | SOA.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | SOA.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
mail.clipjoint.co.nz | SOA.exe | Get hash | malicious | AgentTesla | Browse | 27.54.86.236
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | 8846_0.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | click.wsf | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | z2H8jaZbYg.elf | Get hash | malicious | Mirai, Moobot | Browse | 103.67.234.220
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | https://www.starsmiles.com.au/ | Get hash | malicious | Unknown | Browse | 116.0.23.203
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Form - 16 Mar, 2023.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | https://midcoastsupplies.com.au | Get hash | malicious | Unknown | Browse | 27.54.81.161
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | https://midcoastsupplies.com.au | Get hash | malicious | Unknown | Browse | 27.54.81.161
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | #Ud83d#Udce7#U2122 Completed Signed Agreements.shtml | Get hash | malicious | HTMLPhisher | Browse | 122.201.127.25
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | MBQ24253060297767042_202303161424.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | iMedPub_LTD_4.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | iMedPub_LTD_6.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | INNOVINC.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Insight_Medical_Publishing_2.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Insight_Medical_Publishing_1.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Insight_Medical_Publishing_3.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Insight_Medical_Publishing_4.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | OMICS_Online_1.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Insight_Medical_Publishing.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | Omics_Journal.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | OMICS.one | Get hash | malicious | Emotet | Browse | 203.26.41.131
No context
No context
Process: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\Desktop\shipping_documents.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.175101949501581
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbhC7ZlNQF/rydbz9I3YODOLNdq34
MD5: 05EA33F3DB79C3F55A592AE8F55D0506
SHA1: AB8FA39F7158848903BF0AE858C64F43F5201B1C
SHA-256: 1937CC368B67A85D6E2A5CA35515A03024BFD8708B3D259A99198F30EB2497E5
SHA-512: 9F1625115EE2AD779A926A2F583F5EBB3673F428F7AB1CBEB24B4B66502E21CF282633FBB685038D3DF42CD9070BB2B22886CC4926E882AFFE08B46AC178E99F
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

Process: C:\Users\user\Desktop\shipping_documents.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.175101949501581
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbhC7ZlNQF/rydbz9I3YODOLNdq34
MD5: 05EA33F3DB79C3F55A592AE8F55D0506
SHA1: AB8FA39F7158848903BF0AE858C64F43F5201B1C
SHA-256: 1937CC368B67A85D6E2A5CA35515A03024BFD8708B3D259A99198F30EB2497E5
SHA-512: 9F1625115EE2AD779A926A2F583F5EBB3673F428F7AB1CBEB24B4B66502E21CF282633FBB685038D3DF42CD9070BB2B22886CC4926E882AFFE08B46AC178E99F
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

Process: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.175101949501581
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbhC7ZlNQF/rydbz9I3YODOLNdq34
MD5: 05EA33F3DB79C3F55A592AE8F55D0506
SHA1: AB8FA39F7158848903BF0AE858C64F43F5201B1C
SHA-256: 1937CC368B67A85D6E2A5CA35515A03024BFD8708B3D259A99198F30EB2497E5
SHA-512: 9F1625115EE2AD779A926A2F583F5EBB3673F428F7AB1CBEB24B4B66502E21CF282633FBB685038D3DF42CD9070BB2B22886CC4926E882AFFE08B46AC178E99F
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

Process: C:\Users\user\Desktop\shipping_documents.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 986624
Entropy (8bit): 7.440346319495974
Encrypted: false
SSDEEP: 24576:Jy0QhPJkBhdsXcq1YLTH3p3k4zwCeWdBBuIJC6gE:Jy0QhEvsXb18mOi6p
MD5: 5EC19C18EFF49F78CE02E2CF1831C37D
SHA1: 9D7261D0E2558DD6BD26373C4E2421AD83AF6B19
SHA-256: EE9C3569905A2A2B5141982928E9205A99170189DAB43F8626102E1A6DDDBE4E
SHA-512: B7A8A7B81BC259728206CEBC2D7C7530791FAD39F5CC2A4FE0BAD61AE582E3529ED5A2F01A6F48E78724C80132F717E05525DC170C0DA5F2F40153A905CDD688
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 54%
Process: C:\Users\user\Desktop\shipping_documents.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\shipping_documents.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 986624
Entropy (8bit): 7.440346319495974
Encrypted: false
SSDEEP: 24576:Jy0QhPJkBhdsXcq1YLTH3p3k4zwCeWdBBuIJC6gE:Jy0QhEvsXb18mOi6p
MD5: 5EC19C18EFF49F78CE02E2CF1831C37D
SHA1: 9D7261D0E2558DD6BD26373C4E2421AD83AF6B19
SHA-256: EE9C3569905A2A2B5141982928E9205A99170189DAB43F8626102E1A6DDDBE4E
SHA-512: B7A8A7B81BC259728206CEBC2D7C7530791FAD39F5CC2A4FE0BAD61AE582E3529ED5A2F01A6F48E78724C80132F717E05525DC170C0DA5F2F40153A905CDD688
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 54%
                                                                              Process:C:\Users\user\Desktop\shipping_documents.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):835
                                                                              Entropy (8bit):4.694294591169137
                                                                              Encrypted:false
                                                                              SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                              MD5:6EB47C1CF858E25486E42440074917F2
                                                                              SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                              SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                              SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                              Malicious:true
                                                                              Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.440346319495974
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              File name:shipping_documents.exe
                                                                              File size:986624
                                                                              MD5:5ec19c18eff49f78ce02e2cf1831c37d
                                                                              SHA1:9d7261d0e2558dd6bd26373c4e2421ad83af6b19
                                                                              SHA256:ee9c3569905a2a2b5141982928e9205a99170189dab43f8626102e1a6dddbe4e
                                                                              SHA512:b7a8a7b81bc259728206cebc2d7c7530791fad39f5cc2a4fe0bad61ae582e3529ed5a2f01a6f48e78724c80132f717e05525dc170c0da5f2f40153a905cdd688
                                                                              SSDEEP:24576:Jy0QhPJkBhdsXcq1YLTH3p3k4zwCeWdBBuIJC6gE:Jy0QhEvsXb18mOi6p
                                                                              TLSH:A025AF7D3EAEB9D1F578F671DBD08222E6E39EC3BA16CD4A15C2034C4602757B88225D
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.d..............P.............."... ...@....@.. ....................................@................................
                                                                              Icon Hash:00828e8e8686b000
                                                                              Entrypoint:0x4f229e
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x641257E1 [Wed Mar 15 23:42:25 2023 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                               Name | Virtual Address | Virtual Size | Is in Section
                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf2250 | 0x4b | .text
                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x5a8 | .rsrc
                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0xc | .reloc
                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf2208 | 0x1c | .text
                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                               .text | 0x2000 | 0xf02a4 | 0xf0400 | False | 0.7817164330775234 | data | 7.446877411021773 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                               .rsrc | 0xf4000 | 0x5a8 | 0x600 | False | 0.4251302083333333 | data | 4.099101583815506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                               .reloc | 0xf6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                               Name | RVA | Size | Type | Language | Country
                                                                               RT_VERSION | 0xf40a0 | 0x31c | data | |
                                                                               RT_MANIFEST | 0xf43bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                                                               DLL | Import
                                                                               mscoree.dll | _CorExeMain
                                                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                               Mar 20, 2023 14:52:17.063770056 CET | 49699 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:52:20.247996092 CET | 49699 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:52:26.253586054 CET | 49699 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:53:09.896615028 CET | 49700 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:53:13.050473928 CET | 49700 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:53:19.051973104 CET | 49700 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:53:19.772902966 CET | 49701 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:53:22.942941904 CET | 49701 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Mar 20, 2023 14:53:28.943428993 CET | 49701 | 587 | 192.168.2.5 | 27.54.86.236
                                                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                               Mar 20, 2023 14:52:16.981396914 CET | 60841 | 53 | 192.168.2.5 | 8.8.8.8
                                                                               Mar 20, 2023 14:52:17.015774012 CET | 53 | 60841 | 8.8.8.8 | 192.168.2.5
                                                                               Mar 20, 2023 14:53:09.380139112 CET | 61893 | 53 | 192.168.2.5 | 8.8.8.8
                                                                               Mar 20, 2023 14:53:09.426786900 CET | 53 | 61893 | 8.8.8.8 | 192.168.2.5
                                                                               Mar 20, 2023 14:53:19.682809114 CET | 60649 | 53 | 192.168.2.5 | 8.8.8.8
                                                                               Mar 20, 2023 14:53:19.761465073 CET | 53 | 60649 | 8.8.8.8 | 192.168.2.5
                                                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                               Mar 20, 2023 14:52:16.981396914 CET | 192.168.2.5 | 8.8.8.8 | 0x79b3 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false
                                                                               Mar 20, 2023 14:53:09.380139112 CET | 192.168.2.5 | 8.8.8.8 | 0x8d08 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false
                                                                               Mar 20, 2023 14:53:19.682809114 CET | 192.168.2.5 | 8.8.8.8 | 0x68a5 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false
                                                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                               Mar 20, 2023 14:52:17.015774012 CET | 8.8.8.8 | 192.168.2.5 | 0x79b3 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false
                                                                               Mar 20, 2023 14:53:09.426786900 CET | 8.8.8.8 | 192.168.2.5 | 0x8d08 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false
                                                                               Mar 20, 2023 14:53:19.761465073 CET | 8.8.8.8 | 192.168.2.5 | 0x68a5 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false


                                                                              Target ID:0
                                                                              Start time:14:51:12
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\shipping_documents.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\shipping_documents.exe
                                                                              Imagebase:0x480000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:low

                                                                              Target ID:1
                                                                              Start time:14:51:32
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
                                                                              Imagebase:0x12f0000
                                                                              File size:185856 bytes
                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:2
                                                                              Start time:14:51:32
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7fcd70000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:3
                                                                              Start time:14:51:32
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\shipping_documents.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:{path}
                                                                              Imagebase:0x2b0000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low

                                                                              Target ID:4
                                                                              Start time:14:51:33
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\shipping_documents.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:{path}
                                                                              Imagebase:0x320000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low

                                                                              Target ID:5
                                                                              Start time:14:51:33
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                                                              Imagebase:0xbf0000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 54%, ReversingLabs
                                                                              Reputation:low

                                                                              Target ID:6
                                                                              Start time:14:51:33
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\shipping_documents.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:{path}
                                                                              Imagebase:0x760000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Target ID:7
                                                                              Start time:14:51:47
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
                                                                              Imagebase:0xc60000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 54%, ReversingLabs
                                                                              Reputation:low

                                                                              Target ID:8
                                                                              Start time:14:51:58
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
                                                                              Imagebase:0xb90000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Reputation:low

                                                                              Target ID:11
                                                                              Start time:14:52:15
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
                                                                              Imagebase:0x12f0000
                                                                              File size:185856 bytes
                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:12
                                                                              Start time:14:52:15
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7fcd70000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:13
                                                                              Start time:14:52:16
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:{path}
                                                                              Imagebase:0x10000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low

                                                                              Target ID:14
                                                                              Start time:14:52:16
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:{path}
                                                                              Imagebase:0xa20000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Target ID:15
                                                                              Start time:14:52:33
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
                                                                              Imagebase:0x12f0000
                                                                              File size:185856 bytes
                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:16
                                                                              Start time:14:52:33
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7fcd70000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:17
                                                                              Start time:14:52:35
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:{path}
                                                                              Imagebase:0x9f0000
                                                                              File size:986624 bytes
                                                                              MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                Execution Graph

                                                                                Execution Coverage:12.9%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:131
                                                                                Total number of Limit Nodes:8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3d7dc677bcc947c29ebadaf259b976a84ab78a24f7bcf1d9bb1030efa55596a9
                                                                                • Instruction ID: 1d4a70e857b6086fb0d899bb80fe88c97384975365d9d82d3a9119498399710d
                                                                                • Opcode Fuzzy Hash: 3d7dc677bcc947c29ebadaf259b976a84ab78a24f7bcf1d9bb1030efa55596a9
                                                                                • Instruction Fuzzy Hash: 8DA123B4E112198BDB04CFAAC5855EEFBF2BF89304F14C16AD405BB358E7349A42CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 845af2addd033dba95cffe819e518bf7da6717a892d06c6bbf770d4e04c824e3
                                                                                • Instruction ID: 17e3a71978aac8eda2a95543c9d8499bbfce60df2d493e12af3b549a8312771d
                                                                                • Opcode Fuzzy Hash: 845af2addd033dba95cffe819e518bf7da6717a892d06c6bbf770d4e04c824e3
                                                                                • Instruction Fuzzy Hash: 5EA114B4E112198BDB04CFA9C5856EEFBF2FF89314F14816AD405BB358E7349A42CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 00BCBAB0
                                                                                • GetCurrentThread.KERNEL32 ref: 00BCBAED
                                                                                • GetCurrentProcess.KERNEL32 ref: 00BCBB2A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00BCBB83
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 00BCBAB0
                                                                                • GetCurrentThread.KERNEL32 ref: 00BCBAED
                                                                                • GetCurrentProcess.KERNEL32 ref: 00BCBB2A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00BCBB83
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered graph not reproduced in text)

                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00BC9996
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered graph not reproduced in text)

                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0746D80B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered graph not reproduced in text)

                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0746DE05
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered graph not reproduced in text)

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BCBCFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered graph not reproduced in text)

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BCBCFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (rendered graph not reproduced in text)

                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0746DB67
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (graph image not recoverable; executed / not executed colouring lost): blocks 746da28-746da74, 746da76-746da7e, 746da80-746daac (SetThreadContext), 746daae-746dab4, 746dab5-746dad6; edges 746da28->746da76, 746da28->746da80, 746da76->746da80, 746da80->746dab5, 746da80->746daae, 746daae->746dab5
                                                                                APIs
                                                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 0746DA9F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThread
                                                                                • String ID:
                                                                                • API String ID: 1591575202-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (graph image not recoverable; executed / not executed colouring lost): blocks 7466918-74669a0 (VirtualProtect), 74669a2-74669a8, 74669a9-74669ca; edges 7466918->74669a2, 7466918->74669a9, 74669a2->74669a9
                                                                                APIs
                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07466993
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (graph image not recoverable; executed / not executed colouring lost): blocks 7466920-74669a0 (VirtualProtect), 74669a2-74669a8, 74669a9-74669ca; edges 7466920->74669a2, 7466920->74669a9, 74669a2->74669a9
                                                                                APIs
                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07466993
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (graph image not recoverable; executed / not executed colouring lost): blocks bc8cf8-bc9bf8, bc9bfa-bc9bfd, bc9c00-bc9c2f (LoadLibraryExW), bc9c31-bc9c37, bc9c38-bc9c55; edges bc8cf8->bc9bfa, bc8cf8->bc9c00, bc9bfa->bc9c00, bc9c00->bc9c38, bc9c00->bc9c31, bc9c31->bc9c38
                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BC9A11,00000800,00000000,00000000), ref: 00BC9C22
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (graph image not recoverable; executed / not executed colouring lost): blocks bc9bb0-bc9bf8, bc9bfa-bc9bfd, bc9c00-bc9c2f (LoadLibraryExW), bc9c31-bc9c37, bc9c38-bc9c55; edges bc9bb0->bc9bfa, bc9bb0->bc9c00, bc9bfa->bc9c00, bc9c00->bc9c38, bc9c00->bc9c31, bc9c31->bc9c38
                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BC9A11,00000800,00000000,00000000), ref: 00BC9C22
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0746DC23
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0746E875
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00BC9996
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348817597.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b2d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348817597.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b2d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348864725.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b3d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348864725.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b3d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348864725.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b3d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348817597.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b2d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348817597.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b2d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction ID: fa6c1e7868127430a45fa2e94a0950a28565528de783e1992c2a7c4a680980cb
                                                                                • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction Fuzzy Hash: C211D376904280CFDB16CF14D5C4B16BFB1FB94324F24C6A9D8490B616C37AD856CBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.348864725.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_b3d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                • Instruction ID: 17544abd754128b3118eded795a3d3de2986edbb8b3a2d606d8472c0afaa1aab
                                                                                • Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                • Instruction Fuzzy Hash: 84119D75904280DFDB16CF14D9C4B16FBB1FB84324F28C6ADD8494B656C33AD85ACB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: D,K$D,K$D,K
                                                                                • API String ID: 0-963307994
                                                                                • Opcode ID: 584f5429d4eb4b65cc3ab72ecb25e22162393d6af7cfe45a905169f0934d2b32
                                                                                • Instruction ID: 7728eb863947db9b746c2a182631a191910fea916eccf4ed9be678f98b6373e4
                                                                                • Opcode Fuzzy Hash: 584f5429d4eb4b65cc3ab72ecb25e22162393d6af7cfe45a905169f0934d2b32
                                                                                • Instruction Fuzzy Hash: AB71F4B4E15249CFCB08CFA9C9854DEFBF2FB89310F24982AD405BB214D7349A428F65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: D,K$D,K$D,K
                                                                                • API String ID: 0-963307994
                                                                                • Opcode ID: 9b820a6d7358d5988d8249cfbaec2d2982deda3afb0bfb352e91cc12e9bf3aff
                                                                                • Instruction ID: 725332dc2484fa8ac648d2472172bd6402f1928ff388b0dc83757b6407d638b2
                                                                                • Opcode Fuzzy Hash: 9b820a6d7358d5988d8249cfbaec2d2982deda3afb0bfb352e91cc12e9bf3aff
                                                                                • Instruction Fuzzy Hash: 3071D4B4E156498FCB08CFA9C5855DEFBF2FF89310F24986AD405B7214D2349A428F65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RBO$RBO
                                                                                • API String ID: 0-2542440281
                                                                                • Opcode ID: 41586c59da463b7f19c508fc3b15fb50c387bb5c10cca0dc16c827569fc9aca4
                                                                                • Instruction ID: 4fbd4ea4aa3c3b96b0b9db16d1b98487edaccf6f8b55814ce0cad5ad90c53a6a
                                                                                • Opcode Fuzzy Hash: 41586c59da463b7f19c508fc3b15fb50c387bb5c10cca0dc16c827569fc9aca4
                                                                                • Instruction Fuzzy Hash: 0041D2B0E1060ADBCB48DFAAC4855EEFBF2BF88300F14C46AC519A7248D7349A46CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RBO$RBO
                                                                                • API String ID: 0-2542440281
                                                                                • Opcode ID: a992a90f4a842b66b3ff0333dc579d37303da6d8a23a3fec7daf88b40d18ea81
                                                                                • Instruction ID: b2868e16d538dc55755dae4d1605029c5f1c536e029a99a9c4062bd50b8383a7
                                                                                • Opcode Fuzzy Hash: a992a90f4a842b66b3ff0333dc579d37303da6d8a23a3fec7daf88b40d18ea81
                                                                                • Instruction Fuzzy Hash: D041E2B0E1064ADBCB08DFAAC4845EEFBF2FF89350F24C46AC515A7248D7349A468F55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: :-Dn
                                                                                • API String ID: 0-2958611508
                                                                                • Opcode ID: 2a9fc920d5559ff3d7e0c5677f53b6a3ace08a3b27c110ae6a37c2c1684aac01
                                                                                • Instruction ID: 8482230d6fe9bab183b571cb41f0332517233288672ab7d204579e82b3d4224b
                                                                                • Opcode Fuzzy Hash: 2a9fc920d5559ff3d7e0c5677f53b6a3ace08a3b27c110ae6a37c2c1684aac01
                                                                                • Instruction Fuzzy Hash: 7D7138B4E1520ACFCB05CFA6D5855EEBBB2EF89300F24942AD015F7248D7749942CF96
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: d
                                                                                • API String ID: 0-2564639436
                                                                                • Opcode ID: ca8f4c16b5bf639d3e7a7060e3d015b7a691276170fba43506d5455d8749958b
                                                                                • Instruction ID: a44714402a72e29c980011276af454dc62554d24a5f1bb3397b9ae4b68877cee
                                                                                • Opcode Fuzzy Hash: ca8f4c16b5bf639d3e7a7060e3d015b7a691276170fba43506d5455d8749958b
                                                                                • Instruction Fuzzy Hash: 96612BB5E5462A8BDB28CF66C9447EAF7B2BFC9300F0085B6D509A7614EB305A818F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: gpRR
                                                                                • API String ID: 0-3735844856
                                                                                • Opcode ID: c8d686cdd1c41c637f9dc0404bdcddfc57be3e99dab2138673d8f6d48578bb39
                                                                                • Instruction ID: b99061d29950c756ee0dbdd6966f2488519662bdd03e7609a1f0daa546deca3f
                                                                                • Opcode Fuzzy Hash: c8d686cdd1c41c637f9dc0404bdcddfc57be3e99dab2138673d8f6d48578bb39
                                                                                • Instruction Fuzzy Hash: 534109B4E1561A8FCB04CF99C5849EEFBF1BB89310F14D52AD416A7264D3349A42CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: gpRR
                                                                                • API String ID: 0-3735844856
                                                                                • Opcode ID: c437ced91d3adbb7e2506955c934c35aa1f8f9f344284ef014138acfd29725db
                                                                                • Instruction ID: cab4e9e920642a61da22881607fe9e11f3c2cf915c33f9c2da271ede2a17387f
                                                                                • Opcode Fuzzy Hash: c437ced91d3adbb7e2506955c934c35aa1f8f9f344284ef014138acfd29725db
                                                                                • Instruction Fuzzy Hash: 414129B4E152198BCB04CF99C9845EEFBF1BB89310F14D52AD416B7364D3349A42CF61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 3_<
                                                                                • API String ID: 0-1201742200
                                                                                • Opcode ID: af9ee85cfd1a060c9099f5f6ea245ec22503f5ead5f24562efab67fc657bbfc2
                                                                                • Instruction ID: 03de469c3946c6f845d6a6a3b0e87c4cdf68e6121da06dc518e42c058c94e204
                                                                                • Opcode Fuzzy Hash: af9ee85cfd1a060c9099f5f6ea245ec22503f5ead5f24562efab67fc657bbfc2
                                                                                • Instruction Fuzzy Hash: 7E41F8B0E1525ADBDB04CFAAC9845EEFBF2AF89300F24C46AC905B7354D7349A418B95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: SohL
                                                                                • API String ID: 0-1765351257
                                                                                • Opcode ID: f54ed83868be3605e542689a501c5d9bcfe0d9a114425ec83bdd5ee09d15ca63
                                                                                • Instruction ID: 9568ae1ac6f35db340d65b1eae09c19384b3a4e2cf97a305c161e15c00a2c488
                                                                                • Opcode Fuzzy Hash: f54ed83868be3605e542689a501c5d9bcfe0d9a114425ec83bdd5ee09d15ca63
                                                                                • Instruction Fuzzy Hash: 4D4140B5E116188BDB18CF6B8D4529EFBF3BFC8300F14C1BA850DA6254DB3419868E11
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 3_<
                                                                                • API String ID: 0-1201742200
                                                                                • Opcode ID: d62b50b3db07117dd1adf8edad8a875e063c3e30e5232a2f2c796148bf54668d
                                                                                • Instruction ID: 6c549ef8db2007e96ce602414afa27a47550a9a7e72216a31317a07647477029
                                                                                • Opcode Fuzzy Hash: d62b50b3db07117dd1adf8edad8a875e063c3e30e5232a2f2c796148bf54668d
                                                                                • Instruction Fuzzy Hash: 9E4139B0E1524ADBCB04CFA9C9804EEFBF2EF89310F24C46AC905B7354D7349A428B95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: SohL
                                                                                • API String ID: 0-1765351257
                                                                                • Opcode ID: 446bf0de0098392b497d357f0401797129b0351ba3c8e101fd170cfcc4e86a12
                                                                                • Instruction ID: 4296e867a9843e0cd808430196f730500e6e2c4afc20f6d4249687eebb9fc34d
                                                                                • Opcode Fuzzy Hash: 446bf0de0098392b497d357f0401797129b0351ba3c8e101fd170cfcc4e86a12
                                                                                • Instruction Fuzzy Hash: D5414EB5E016588BEB18CF6B8D4578EFAF3BFC8300F14C1BA950CA6254EB3419858F11
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a67a1a2b5029e5cd6ab82c9d7e42857f5fa67ea83271aac5a48f8f294e46bf0c
                                                                                • Instruction ID: 2c9413210a4c5ad34993a2f1daf893a1be98256d9d52a935a1c9c5b069d21b6f
                                                                                • Opcode Fuzzy Hash: a67a1a2b5029e5cd6ab82c9d7e42857f5fa67ea83271aac5a48f8f294e46bf0c
                                                                                • Instruction Fuzzy Hash: 6F12A6F1491F46CBE732CF65EE981893BA1B745328F90430AD2651BAF1DBB8114ACF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6161d3a80f27d5b8385d34bd3e3f67213168b443179a90d74a0cacafd05a4b1b
                                                                                • Instruction ID: 8eaf7759abee5d55a15379c295ec05aa584de22431e44c9ff161f2388fbb10db
                                                                                • Opcode Fuzzy Hash: 6161d3a80f27d5b8385d34bd3e3f67213168b443179a90d74a0cacafd05a4b1b
                                                                                • Instruction Fuzzy Hash: 4EA15D36E002198FCF15DFA5C844A9EBBF2FF94300B1585BAE915AB221EB71E945CF50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.349222944.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bc0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8afd8830a7b0721d0ca32bed73ac41f795d635144c4c8d589a8a7245bc4a2092
                                                                                • Instruction ID: 07220d54cb8522cdd8dba02f7166635b27195f6e5c19959ec2f35d41e0034c48
                                                                                • Opcode Fuzzy Hash: 8afd8830a7b0721d0ca32bed73ac41f795d635144c4c8d589a8a7245bc4a2092
                                                                                • Instruction Fuzzy Hash: FAC11AB1891F46CBE722DF65EE981893BB1BB45324F51430AD1616B6F0DFB8204ACF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1c48f09015071e62cef324350c6e0d9bb15bc36029d87098b8b7ebf7f4806c85
                                                                                • Instruction ID: 55e3667574d3ca3a6bb4a6ef2f04c22da98c342978cfc972cafba8b7b842788d
                                                                                • Opcode Fuzzy Hash: 1c48f09015071e62cef324350c6e0d9bb15bc36029d87098b8b7ebf7f4806c85
                                                                                • Instruction Fuzzy Hash: F98106B4E11619CFCB18CF69D984ADEFBB2BF89300F1084AAD509A7360DB309A41CF11
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6c541fc79082e4221688005826af275928de7faece2ed10f1c52aa07e67a5242
                                                                                • Instruction ID: 10e9176ba109ba5b3308cb60f66c836ce14eb790de48eb7525c039f06073c25e
                                                                                • Opcode Fuzzy Hash: 6c541fc79082e4221688005826af275928de7faece2ed10f1c52aa07e67a5242
                                                                                • Instruction Fuzzy Hash: BA71B074E11219DFCB08CFA9D58499EFBF1FF89310F148956E419AB220D734AA41CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ea1808486a7e673dcc7e4f63876f628ff64253c7658710462dee4c58bcc1d253
                                                                                • Instruction ID: 35c826f37d41bba9835020701bef16c2b644f425f83a52650856cb18c93f4c54
                                                                                • Opcode Fuzzy Hash: ea1808486a7e673dcc7e4f63876f628ff64253c7658710462dee4c58bcc1d253
                                                                                • Instruction Fuzzy Hash: 1771D174E11209DFCB48CFA9D58499EFBF1FF89310F14896AE519AB220D734AA41CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e4a3edbb8c0fbf3f587bb713b1d4211b682e7481d063166633d69d6f10fa0266
                                                                                • Instruction ID: 997c0c8b9b7f9ac0ee4e3a0929a3ec67476efed02003dc27655c3486944364d6
                                                                                • Opcode Fuzzy Hash: e4a3edbb8c0fbf3f587bb713b1d4211b682e7481d063166633d69d6f10fa0266
                                                                                • Instruction Fuzzy Hash: 742175B5E116148BDB18CFAAD9816DEFBF3EBC8310F14C176D504A7354D73046028B52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4904da8cc168778cc0b775de73321009cce2dffae20206166b45e411c3e46340
                                                                                • Instruction ID: d3110ba7d928978b45a83ddc1e24611557a17462a946882308da6ecb694992c4
                                                                                • Opcode Fuzzy Hash: 4904da8cc168778cc0b775de73321009cce2dffae20206166b45e411c3e46340
                                                                                • Instruction Fuzzy Hash: C52147B1E116198BDB18CFAAE9406DEFBF7BFC8310F14C13AD408A7254EB305A018B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cd450f3e5e27ff252bb5153fa4a2af3cc0606b09ea7cc70125399dd2f348f403
                                                                                • Instruction ID: 693d2dca633135fca4713e0d724fdfa72e7df4ba3f261e17875d31d703fce6fe
                                                                                • Opcode Fuzzy Hash: cd450f3e5e27ff252bb5153fa4a2af3cc0606b09ea7cc70125399dd2f348f403
                                                                                • Instruction Fuzzy Hash: 032127B1E116198BEB08CFAAD9446DEFBF7AFC9210F14C03AD508B7254DB305A418B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b7476e15de27040d7281c543ecf57ea2d854bc95332f7a47726b119981d01e43
                                                                                • Instruction ID: 247930adca613b46a16c7de3b8243015e7b7c704e9c31a8f949187dce86193f3
                                                                                • Opcode Fuzzy Hash: b7476e15de27040d7281c543ecf57ea2d854bc95332f7a47726b119981d01e43
                                                                                • Instruction Fuzzy Hash: 0C1129B1E116199BEB18CFAAD9446EEFBF7BBC8300F14C07AD508A7254DB305A418F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 628b06c637de674dd301e81ca9021dac61a795a689ee511ef4970b13fd69d78d
                                                                                • Instruction ID: 38de72a0897dc3325bbf02553b340fb5646f57fc8292f7a3352dba4bcda14ee7
                                                                                • Opcode Fuzzy Hash: 628b06c637de674dd301e81ca9021dac61a795a689ee511ef4970b13fd69d78d
                                                                                • Instruction Fuzzy Hash: 85210BB0E116599FDB08CFAAD94069EFBF7AFC9200F18C07AD408AA255DB3059458B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6c2ab3b1d9d2a9f24f8e133d5bafb87c6d277369c2df2ec0e7034529aa238f85
                                                                                • Instruction ID: 266301ab3efc7e3e78cecc5b26217f7b6e2677a84e30a0fcde305bb749450b90
                                                                                • Opcode Fuzzy Hash: 6c2ab3b1d9d2a9f24f8e133d5bafb87c6d277369c2df2ec0e7034529aa238f85
                                                                                • Instruction Fuzzy Hash: 6D11EFB1E116589BEB18CFABD9446DEFBF7AFC8300F14C076C908A6264EB3406568F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e5dc04b8df3a9952ba3a072f87104028635f137ee29ad9cc59ff401e9d4c179
                                                                                • Instruction ID: eeca28bdf674245786a0b48be88cdab9cfff8a30d8a97e83a955f6c940727d28
                                                                                • Opcode Fuzzy Hash: 5e5dc04b8df3a9952ba3a072f87104028635f137ee29ad9cc59ff401e9d4c179
                                                                                • Instruction Fuzzy Hash: 1E112CB1E116199BEB58CF6AD94169EFBF7AFC8300F14C07AD408AA255DB305A428F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.367621183.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7460000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c76544fd57796fde754cfde3cfd4ceaac11fc0570df6c54f61098a473bf7821a
                                                                                • Instruction ID: be156b8dde67645048d5ce61a84e20c18ce0e6d2cae2a8d1e82e42e8834b9854
                                                                                • Opcode Fuzzy Hash: c76544fd57796fde754cfde3cfd4ceaac11fc0570df6c54f61098a473bf7821a
                                                                                • Instruction Fuzzy Hash: 0811BFB1E116549BEB58CFABCD4429EFBF3AFC8300F18C476C418A6264EB3445468F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Execution Graph

                                                                                Execution Coverage:11.2%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:131
                                                                                Total number of Limit Nodes:6
                                                                                execution_graph 18372 791dbd0 18374 791dc1b WriteProcessMemory 18372->18374 18375 791dc6c 18374->18375 18474 2f3ba50 GetCurrentProcess 18475 2f3bac3 18474->18475 18476 2f3baca GetCurrentThread 18474->18476 18475->18476 18477 2f3bb00 18476->18477 18478 2f3bb07 GetCurrentProcess 18476->18478 18477->18478 18479 2f3bb3d 18478->18479 18480 2f3bb65 GetCurrentThreadId 18479->18480 18481 2f3bb96 18480->18481 18376 7915355 18380 7916920 18376->18380 18383 7916918 18376->18383 18377 7915371 18381 7916968 VirtualProtect 18380->18381 18382 79169a2 18381->18382 18382->18377 18384 7916920 VirtualProtect 18383->18384 18386 79169a2 18384->18386 18386->18377 18387 791d998 18388 791d9e0 SetThreadContext 18387->18388 18390 791da1e 18388->18390 18391 791da58 18392 791daa3 ReadProcessMemory 18391->18392 18393 791dae6 18392->18393 18482 791e438 18483 791e5c3 18482->18483 18485 791e45e 18482->18485 18485->18483 18486 791a7b8 18485->18486 18487 791e6b8 PostMessageW 18486->18487 18488 791e724 18487->18488 18488->18485 18394 2f366b8 18395 2f366d5 18394->18395 18398 2f35804 18395->18398 18397 2f366eb 18399 2f3580f 18398->18399 18402 2f36750 18399->18402 18401 2f36be5 18401->18397 18403 2f3675b 18402->18403 18406 2f36780 18403->18406 18405 2f36cc2 18405->18401 18407 2f3678b 18406->18407 18410 2f367b0 18407->18410 18409 2f36dc2 18409->18405 18412 2f367bb 18410->18412 18411 2f3751c 18411->18409 18412->18411 18414 2f3b77b 18412->18414 18415 2f3b750 18414->18415 18416 2f3b786 18414->18416 18415->18411 18417 2f3b7cd 18416->18417 18420 2f3b938 18416->18420 18424 2f3b928 18416->18424 18417->18411 18422 2f3b945 18420->18422 18421 2f3b97f 18421->18417 18422->18421 18428 2f3a41c 18422->18428 18425 2f3b938 18424->18425 18426 2f3b97f 18425->18426 18427 2f3a41c 2 API calls 18425->18427 18426->18417 18427->18426 18429 2f3a427 18428->18429 18431 2f3c678 18429->18431 18432 2f3c238 18429->18432 18431->18431 18433 2f3c243 
18432->18433 18434 2f367b0 2 API calls 18433->18434 18435 2f3c6e7 18434->18435 18439 2f3e468 18435->18439 18445 2f3e450 18435->18445 18436 2f3c720 18436->18431 18441 2f3e499 18439->18441 18442 2f3e4e6 18439->18442 18440 2f3e4a5 18440->18436 18441->18440 18450 2f3e7a1 18441->18450 18454 2f3e7b0 18441->18454 18442->18436 18446 2f3e45a 18445->18446 18447 2f3e4a5 18446->18447 18448 2f3e7a1 2 API calls 18446->18448 18449 2f3e7b0 2 API calls 18446->18449 18447->18436 18448->18447 18449->18447 18451 2f3e7b0 18450->18451 18452 2f39750 LoadLibraryExW GetModuleHandleW 18451->18452 18453 2f3e7b9 18452->18453 18453->18442 18455 2f39750 LoadLibraryExW GetModuleHandleW 18454->18455 18456 2f3e7b9 18455->18456 18456->18442 18457 2f3bc78 DuplicateHandle 18458 2f3bd0e 18457->18458 18489 2f39658 18493 2f39750 18489->18493 18501 2f3973f 18489->18501 18490 2f39667 18494 2f39763 18493->18494 18495 2f3977b 18494->18495 18509 2f399d8 18494->18509 18513 2f399c8 18494->18513 18495->18490 18496 2f39773 18496->18495 18497 2f39978 GetModuleHandleW 18496->18497 18498 2f399a5 18497->18498 18498->18490 18502 2f39763 18501->18502 18503 2f3977b 18502->18503 18507 2f399d8 LoadLibraryExW 18502->18507 18508 2f399c8 LoadLibraryExW 18502->18508 18503->18490 18504 2f39773 18504->18503 18505 2f39978 GetModuleHandleW 18504->18505 18506 2f399a5 18505->18506 18506->18490 18507->18504 18508->18504 18510 2f399ec 18509->18510 18511 2f39a11 18510->18511 18517 2f38cf8 18510->18517 18511->18496 18514 2f399d8 18513->18514 18515 2f38cf8 LoadLibraryExW 18514->18515 18516 2f39a11 18514->18516 18515->18516 18516->18496 18518 2f39bb8 LoadLibraryExW 18517->18518 18520 2f39c31 18518->18520 18520->18511 18521 7914361 18523 7916920 VirtualProtect 18521->18523 18524 7916918 VirtualProtect 18521->18524 18522 7914307 18523->18522 18524->18522 18525 7914de5 18526 7914df6 18525->18526 18527 7916920 VirtualProtect 18525->18527 18528 7916918 VirtualProtect 18525->18528 18527->18526 18528->18526 18529 79157a6 18530 79157a9 
18529->18530 18531 791576f 18529->18531 18531->18529 18532 7916920 VirtualProtect 18531->18532 18533 7916918 VirtualProtect 18531->18533 18532->18531 18533->18531 18471 791dd88 18472 791ddc9 ResumeThread 18471->18472 18473 791ddf6 18472->18473 18534 791db28 18535 791db6b VirtualAllocEx 18534->18535 18536 791dba2 18535->18536 18537 791d628 18538 791d6a7 CreateProcessW 18537->18538 18540 791d790 18538->18540
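
The `execution_graph` text above is the flattened form of the report's call graph: each `<id> <addr>` pair is a function node, capitalised tokens after it are the Win32 APIs that function was seen calling (with `N API calls` as a summary where the plugin collapsed a subtree), and `<id>-><id>` tokens are edges. Read that way, the nodes carrying `CreateProcessW`, `VirtualAllocEx`, `WriteProcessMemory`, `SetThreadContext` and `ResumeThread` are the classic process-hollowing (RunPE) primitives, and the `LoadLibraryExW`/`GetModuleHandleW` node is the loader resolving imports at run time. The following parser is an added example, not part of the report or of Joe Sandbox; the token grammar it assumes is inferred from the graph text on this page, and the sample input is an excerpt of that text with the report's own node ids and addresses.

```python
"""Parse a flattened Joe Sandbox `execution_graph` dump and list the Win32 APIs
each sampled function reaches.  Added example (not Joe Sandbox code); the token
grammar is inferred from the graph text on this page and is an assumption."""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")      # "18372->18374"
DEC_RE = re.compile(r"^\d+$")                # node id (an all-digit address also matches)
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # Win32 export names: WriteProcessMemory, ...

# Process-hollowing / RunPE primitives, in the order a loader normally uses them.
HOLLOWING_APIS = ("CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread")

# Excerpt of the execution_graph text on this page (ids and addresses as reported).
GRAPH_EXCERPT = (
    "execution_graph 18372 791dbd0 18374 791dc1b WriteProcessMemory 18372->18374 "
    "18375 791dc6c 18374->18375 18376 7915355 18380 7916920 18376->18380 "
    "18381 7916968 VirtualProtect 18380->18381 18387 791d998 "
    "18388 791d9e0 SetThreadContext 18387->18388 18427 2f3a41c 2 API calls 18426->18427 "
    "18452 2f39750 LoadLibraryExW GetModuleHandleW 18451->18452 "
    "18471 791dd88 18472 791ddc9 ResumeThread 18471->18472 "
    "18534 791db28 18535 791db6b VirtualAllocEx 18534->18535 "
    "18537 791d628 18538 791d6a7 CreateProcessW 18537->18538"
)


@dataclass
class Node:
    nid: int
    addr: int
    apis: list = field(default_factory=list)   # API names attached to this node
    notes: list = field(default_factory=list)  # e.g. "2 API calls" (collapsed subtree)


def parse_execution_graph(text):
    """`<id> <hex addr> [Api ... | N API calls]` defines a node, `<id>-><id>` an edge.
    Returns ({id: Node}, [(src, dst), ...]).  Edges may name ids outside the excerpt."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif DEC_RE.match(tok) and nxt == "API":          # "N API calls" summary note
            if cur is None:
                raise ValueError("API-count note before any node")
            cur.notes.append(" ".join(tokens[i:i + 3]))
            i += 3
        elif DEC_RE.match(tok) and nxt is not None:       # node id followed by its address
            cur = Node(int(tok), int(nxt, 16))
            nodes[cur.nid] = cur
            i += 2
        else:                                             # annotation on the current node
            if cur is None:
                raise ValueError(f"unexpected token before first node: {tok}")
            (cur.apis if API_RE.match(tok) else cur.notes).append(tok)
            i += 1
    return nodes, edges


def api_sites(nodes):
    """API name -> sorted addresses of the functions that call it."""
    out = {}
    for n in nodes.values():
        for api in n.apis:
            out.setdefault(api, []).append(n.addr)
    return {k: sorted(v) for k, v in out.items()}


def hollowing_primitives(nodes):
    """Subset of the RunPE primitive set that the graph actually contains."""
    present = api_sites(nodes)
    return tuple(api for api in HOLLOWING_APIS if api in present)


def reachable_apis(nodes, edges, start):
    """APIs reachable from node `start` by following edges (BFS, first-seen order)."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, order, queue = {start}, [], deque([start])
    while queue:
        nid = queue.popleft()
        if nid in nodes:
            order.extend(a for a in nodes[nid].apis if a not in order)
        for d in succ.get(nid, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return order


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(GRAPH_EXCERPT)
    for api, addrs in sorted(api_sites(g_nodes).items()):
        print(f"{api:<20} {' '.join(hex(a) for a in addrs)}")
    print("hollowing primitives present:", hollowing_primitives(g_nodes))
```

Running it over the excerpt reports all five hollowing primitives, each with the address of the function that issues it; on a graph where only some are present (for example `WriteProcessMemory` without `SetThreadContext`), the returned tuple shows which steps the sandbox did not reach, which is a cue to look at the execution coverage figure rather than to conclude the sample does not inject.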

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 02F3BAB0
                                                                                • GetCurrentThread.KERNEL32 ref: 02F3BAED
                                                                                • GetCurrentProcess.KERNEL32 ref: 02F3BB2A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 02F3BB83
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: bb8990023911880b380e68148448f50be40f774849e58d92c84881b3db212712
                                                                                • Instruction ID: b91aa8e7b8b867acc1dc54e5d852d95915c08f092882b2c437a172c3313f94c5
                                                                                • Opcode Fuzzy Hash: bb8990023911880b380e68148448f50be40f774849e58d92c84881b3db212712
                                                                                • Instruction Fuzzy Hash: 585147B0D012498FDB10CFAAD588BDEBBF0BF88308F24846AD559A7350C774A984CF65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 02F3BAB0
                                                                                • GetCurrentThread.KERNEL32 ref: 02F3BAED
                                                                                • GetCurrentProcess.KERNEL32 ref: 02F3BB2A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 02F3BB83
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 0d6134ced12c9cb99e5aefbc246be38de0cbab2aef4b4065a9e3ee5f48eb1fbb
                                                                                • Instruction ID: bfa4a6eba428faed502132123dd755b625d892c6c0d1b9378c3d8dab610e80dd
                                                                                • Opcode Fuzzy Hash: 0d6134ced12c9cb99e5aefbc246be38de0cbab2aef4b4065a9e3ee5f48eb1fbb
                                                                                • Instruction Fuzzy Hash: 285146B0D012498FDB14CFAAD588BDEBBF0BF88308F20846AE559B7750C7749984CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 58 2f39750-2f39765 call 2f38c90 61 2f39767 58->61 62 2f3977b-2f3977f 58->62 112 2f3976d call 2f399d8 61->112 113 2f3976d call 2f399c8 61->113 63 2f39793-2f397d4 62->63 64 2f39781-2f3978b 62->64 69 2f397e1-2f397ef 63->69 70 2f397d6-2f397de 63->70 64->63 65 2f39773-2f39775 65->62 66 2f398b0-2f39970 65->66 107 2f39972-2f39975 66->107 108 2f39978-2f399a3 GetModuleHandleW 66->108 72 2f39813-2f39815 69->72 73 2f397f1-2f397f6 69->73 70->69 74 2f39818-2f3981f 72->74 75 2f39801 73->75 76 2f397f8-2f397ff call 2f38c9c 73->76 78 2f39821-2f39829 74->78 79 2f3982c-2f39833 74->79 77 2f39803-2f39811 75->77 76->77 77->74 78->79 83 2f39840-2f39849 call 2f38cac 79->83 84 2f39835-2f3983d 79->84 89 2f39856-2f3985b 83->89 90 2f3984b-2f39853 83->90 84->83 91 2f39879-2f3987d 89->91 92 2f3985d-2f39864 89->92 90->89 114 2f39880 call 2f39cb2 91->114 115 2f39880 call 2f39ce0 91->115 92->91 94 2f39866-2f39876 call 2f38cbc call 2f38ccc 92->94 94->91 95 2f39883-2f39886 99 2f398a9-2f398af 95->99 100 2f39888-2f398a6 95->100 100->99 107->108 109 2f399a5-2f399ab 108->109 110 2f399ac-2f399c0 108->110 109->110 112->65 113->65 114->95 115->95
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02F39996
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 16770a66aefce6bd771195c832e8d276360c3934da1cacf7370d04e857285fe4
                                                                                • Instruction ID: ef7016cf3584c9b104eb4d758649900e081276a37b4f1c9ee1cffc2c2c1d493d
                                                                                • Opcode Fuzzy Hash: 16770a66aefce6bd771195c832e8d276360c3934da1cacf7370d04e857285fe4
                                                                                • Instruction Fuzzy Hash: 55711370A01B059FD725DF2AC444B9ABBF1BF88384F00892DD58ADBA50D7B5E845CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 116 791d628-791d6b3 118 791d6b5-791d6bb 116->118 119 791d6be-791d6c5 116->119 118->119 120 791d6d0-791d6e6 119->120 121 791d6c7-791d6cd 119->121 122 791d6f1-791d78e CreateProcessW 120->122 123 791d6e8-791d6ee 120->123 121->120 125 791d790-791d796 122->125 126 791d797-791d80b 122->126 123->122 125->126 134 791d81d-791d824 126->134 135 791d80d-791d813 126->135 136 791d826-791d835 134->136 137 791d83b 134->137 135->134 136->137
APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0791D77B
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: fd8a3b1899cc61abbe49a96bb66655a7c7e92559104006d93a91f39cfb6c5c3a
• Instruction ID: 4e34e1f6fb30046fb5bda921e1ae201060b0998cf8429260a7825d2d8a6dc631
• Opcode Fuzzy Hash: fd8a3b1899cc61abbe49a96bb66655a7c7e92559104006d93a91f39cfb6c5c3a
• Instruction Fuzzy Hash: D85105B190072DDFDB60DF99C884BDDBBB5BF48314F14809AE809A7210DB759A98CF61
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 139 2f3bc70-2f3bc74 140 2f3bc78-2f3bd0c DuplicateHandle 139->140 141 2f3bd15-2f3bd32 140->141 142 2f3bd0e-2f3bd14 140->142 142->141
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F3BCFF
Memory Dump Source
• Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a88ea01cbda7b8b3de4016bd8115754baaef506df253b6b34675863a270438c6
• Instruction ID: c1ee0663399b4fa9b2a90912971982df20b121dbb49c399ac4db270b59166c31
• Opcode Fuzzy Hash: a88ea01cbda7b8b3de4016bd8115754baaef506df253b6b34675863a270438c6
• Instruction Fuzzy Hash: 7A2125B19002499FDB10CFAAD884ADEBFF4FB48314F14846AE855A3310C374A944CFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 145 791dbd0-791dc21 147 791dc31-791dc6a WriteProcessMemory 145->147 148 791dc23-791dc2f 145->148 149 791dc73-791dc94 147->149 150 791dc6c-791dc72 147->150 148->147 150->149
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0791DC5D
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 351fd5638aab55c7fa1387bd70f7bcd8e84a3f3bddd5b46c6cadfd1b493ffa5f
• Instruction ID: 7d4cfd786c3af8b2271f264623aa7b8bf31c4e3b0a02bc1ce806a91f0c8b87df
• Opcode Fuzzy Hash: 351fd5638aab55c7fa1387bd70f7bcd8e84a3f3bddd5b46c6cadfd1b493ffa5f
• Instruction Fuzzy Hash: B02125B1A003599FCB10CF9AC885BDEBBF4FF48310F10842AE819A7240D374A954CFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 152 2f3bc78-2f3bd0c DuplicateHandle 153 2f3bd15-2f3bd32 152->153 154 2f3bd0e-2f3bd14 152->154 154->153
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F3BCFF
Memory Dump Source
• Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3b4da1c5836b1b8b6ece5e441f764b4a7e978354e43506b16b1f58035e78f461
• Instruction ID: 35504ee7751ebc20413f23139563609a459b31f51875af132c94ae3de23b2a73
• Opcode Fuzzy Hash: 3b4da1c5836b1b8b6ece5e441f764b4a7e978354e43506b16b1f58035e78f461
• Instruction Fuzzy Hash: 9A21E2B5D002099FDB10CFAAD984ADEBBF8FB48324F14841AE915A7310D378A944DFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 157 791da58-791dae4 ReadProcessMemory 159 791dae6-791daec 157->159 160 791daed-791db0e 157->160 159->160
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0791DAD7
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 20e3b61437f623c700a4f64b69b2e26fbfc5c48adc0b4fb1bb25f973ba91fd12
• Instruction ID: 735990dc5ce702a919a294959af33a2ef4fa6d40a3a0a9085d1921e5dad8a3e1
• Opcode Fuzzy Hash: 20e3b61437f623c700a4f64b69b2e26fbfc5c48adc0b4fb1bb25f973ba91fd12
• Instruction Fuzzy Hash: 2E21EFB19002599FCB10CF9AD984BDEBBF4FB48320F10842AE919A7250D378A954DFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 168 791d998-791d9e4 170 791d9f0-791da1c SetThreadContext 168->170 171 791d9e6-791d9ee 168->171 172 791da25-791da46 170->172 173 791da1e-791da24 170->173 171->170 173->172
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 0791DA0F
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 879878568d4521045b40509ca179e6b17826d586001b03743f9f2eb09eee9f19
• Instruction ID: 0d925e8c990a80bdb850c0243e8bbe94287673633f8df8d8d85df2bfa3d6e1b9
• Opcode Fuzzy Hash: 879878568d4521045b40509ca179e6b17826d586001b03743f9f2eb09eee9f19
• Instruction Fuzzy Hash: 8A21F7B1D0061A9FCB10CF9AC9857DEFBF8BB48714F148129D419B7640D774A9548FA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 162 7916918-79169a0 VirtualProtect 165 79169a2-79169a8 162->165 166 79169a9-79169ca 162->166 165->166
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 07916993
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 27c30af690ee6f0898a26739b13ce2f2b81b439d6e1ab1afc9178c337418b9b5
• Instruction ID: 21787ece6a2c28b4b3c438d66afaf58e7a7b806990a638f89071358f369ea94c
• Opcode Fuzzy Hash: 27c30af690ee6f0898a26739b13ce2f2b81b439d6e1ab1afc9178c337418b9b5
• Instruction Fuzzy Hash: 602117B5D002099FCB10CF9AC884BDEFBF4FB48320F148429E859A7240D778A584CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 175 2f39bb0-2f39bf8 177 2f39c00-2f39c2f LoadLibraryExW 175->177 178 2f39bfa-2f39bfd 175->178 179 2f39c31-2f39c37 177->179 180 2f39c38-2f39c55 177->180 178->177 179->180
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F39A11,00000800,00000000,00000000), ref: 02F39C22
Memory Dump Source
• Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d764c5e5ac734e0be6cc8d676899c26809ae127e40c689028e4de8a4c6c66944
• Instruction ID: 31fca3ae0010d34b20773dbbfb8a157837a712accb7cefe51ed53ce00d3cd228
• Opcode Fuzzy Hash: d764c5e5ac734e0be6cc8d676899c26809ae127e40c689028e4de8a4c6c66944
• Instruction Fuzzy Hash: 802103B2D002499FDB10CF9AC884ADEBBF4EB49750F14846AD855AB600C3B8A945CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 183 2f38cf8-2f39bf8 185 2f39c00-2f39c2f LoadLibraryExW 183->185 186 2f39bfa-2f39bfd 183->186 187 2f39c31-2f39c37 185->187 188 2f39c38-2f39c55 185->188 186->185 187->188
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F39A11,00000800,00000000,00000000), ref: 02F39C22
Memory Dump Source
• Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: aa84a8e5b1769e55a4e3f749ff41f7bcdc7d8d6d4f64ce50ee3468b6487429e8
• Instruction ID: 3a3119e34c38b6f59b9ce65c9a4683d6e33fe761aecd0eedd68a1a5655b35be2
• Opcode Fuzzy Hash: aa84a8e5b1769e55a4e3f749ff41f7bcdc7d8d6d4f64ce50ee3468b6487429e8
• Instruction Fuzzy Hash: 781103B2D002098FCB10CF9AC884ADEBBF4AB48760F10846AD915A7200C3B4A945CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 191 7916920-79169a0 VirtualProtect 193 79169a2-79169a8 191->193 194 79169a9-79169ca 191->194 193->194
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 07916993
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 863f6b8fb3cb6346650f78d56ed17bb6fbaf5ca8dfc80acd62f83513f619d8f4
• Instruction ID: 7c1f6f65afb30b87a4ad3783d8e781a940fc2bb7f8754cc6190b401cc2a97f33
• Opcode Fuzzy Hash: 863f6b8fb3cb6346650f78d56ed17bb6fbaf5ca8dfc80acd62f83513f619d8f4
• Instruction Fuzzy Hash: 4021E4B5D002499FCB10CF9AC984BDEFBF4FB48320F108469E859A7250D778A684DFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0791DB93
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 821ef79547d0694c3f39252d6b7959467e8be0f621bca429a78a4899144fa67f
• Instruction ID: f6c3ebdb99d7c820bb4a36b2272cf5f8548883d4c8713426caadbd234a132718
• Opcode Fuzzy Hash: 821ef79547d0694c3f39252d6b7959467e8be0f621bca429a78a4899144fa67f
• Instruction Fuzzy Hash: 0211F2B59002499FCB10CF9AC888BDEBFF8FB48324F108419E529A7210C375A994CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02F39996
Memory Dump Source
• Source File: 00000005.00000002.510628436.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2f30000_vOqVEnqC.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 3e6b5d226011f6765f5813da0064c80eed0bff3f65878dac96356cc362e77482
• Instruction ID: 2f8e9064128a75bd863d9a031561e803cf81cb900224ab0530a558bbdd712925
• Opcode Fuzzy Hash: 3e6b5d226011f6765f5813da0064c80eed0bff3f65878dac96356cc362e77482
• Instruction Fuzzy Hash: 0D110FB2C002498FCB10CF9AC484BDEFBF4AB88364F10846AD869B7600C3B4A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0791E715
Memory Dump Source
• Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 661cfe81449bc0f86f6978b418b5dfb9ad280ba44313f94053e7d98a6638b5b9
• Instruction ID: 11f65b8f8321d75ae0923f0b7edac33bb55865884d4c4f4fc62852258d5d790e
• Opcode Fuzzy Hash: 661cfe81449bc0f86f6978b418b5dfb9ad280ba44313f94053e7d98a6638b5b9
• Instruction Fuzzy Hash: 5111F5B58003499FDB10DF9AC888BDEBBF8EB49324F108859E855A7700C374A994CFA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.578954850.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7910000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: a1e885b14b0ede68f3fa410bab949c12a051f23570cd70c05e5fe9193f4a2c77
                                                                                • Instruction ID: abc6e280c0408c447f7f3bcbf030c809d523839f4107408ee42dc49c25f0a4b1
                                                                                • Opcode Fuzzy Hash: a1e885b14b0ede68f3fa410bab949c12a051f23570cd70c05e5fe9193f4a2c77
                                                                                • Instruction Fuzzy Hash: 3211E5B59002598FCB10CF9AD984BDEBBF4EB48724F10845AD419B7640C775A544CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507093841.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12bd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6761631aeb8eb6574ca899b93e035f4f1723e825ab7482ce0d27c22d32a1a986
                                                                                • Instruction ID: 552f2d9311a88e65589d24d5a9e8af2ee14a63eb5381c33d89ce0da0771899dd
                                                                                • Opcode Fuzzy Hash: 6761631aeb8eb6574ca899b93e035f4f1723e825ab7482ce0d27c22d32a1a986
                                                                                • Instruction Fuzzy Hash: E0213671514249DFDB16CF48E8C0BD6BF61FB8436CF248569D9060B206C336E846CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507093841.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12bd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 58fb1d082e4ec41d3575c6b6cb595164c7100e4f33348a5b2b293723d81ba1cf
                                                                                • Instruction ID: 798fac10ac51226601e3e97aaffa9d8d549dc691bbdb001ec3c8c1da1422b7be
                                                                                • Opcode Fuzzy Hash: 58fb1d082e4ec41d3575c6b6cb595164c7100e4f33348a5b2b293723d81ba1cf
                                                                                • Instruction Fuzzy Hash: 4221F1B1514249DFDB05DF58D8C0BD6BF75FB84368F24C569E9050B207C33AE856CAA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507411134.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12cd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1c0b6d32da173a8b6a2a7bc79382ba809de24d99c47f554c7256d221fe80f5d4
                                                                                • Instruction ID: 1f4e4bd8f2eeb7ca770fd1d448d1d6aaed03dbfd785e361cf4238b99cc55566b
                                                                                • Opcode Fuzzy Hash: 1c0b6d32da173a8b6a2a7bc79382ba809de24d99c47f554c7256d221fe80f5d4
                                                                                • Instruction Fuzzy Hash: C8212575514248DFDB15CF5CD4C0B16BBA1FB84B64F20CA7DDA4A0B246C376D847CAA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507411134.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12cd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5b1d98fa5f91a0a6476a79820e9c068a95affe0761bd37b5e04f88dfdf351d2f
                                                                                • Instruction ID: 15aa77f14372282b3449be0d3191e15d9fd9f6cc0ee974d5eccc53a2435ba6af
                                                                                • Opcode Fuzzy Hash: 5b1d98fa5f91a0a6476a79820e9c068a95affe0761bd37b5e04f88dfdf351d2f
                                                                                • Instruction Fuzzy Hash: 46212871554244DFDB01DF54D9C0B16BB62FB84B24F20C77DDA494B247C376D846CAA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507411134.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12cd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cc9f4250f4cbb1aebae603e057f422445bbc43caec938f6f5ddb9e84c6bac239
                                                                                • Instruction ID: c4558a2302e7fc5ffb39ab3a0e3b02acf77caef8732b11d3408407f8e07c90ec
                                                                                • Opcode Fuzzy Hash: cc9f4250f4cbb1aebae603e057f422445bbc43caec938f6f5ddb9e84c6bac239
                                                                                • Instruction Fuzzy Hash: FD2180755083849FCB03CF28D994B11BF71EB46314F28C6EAD9458F657C33A984ACBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507093841.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12bd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction ID: d516cad3355633ac091c187c6de4a1739c25a782ab053f286ac113cc94a24f0b
                                                                                • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction Fuzzy Hash: 83112676404284CFCB02CF54D5C0B96BF71FB84328F24C6A9D9440B617C33AE45ACBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507093841.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12bd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction ID: e34c88c93dedfba59d7941d9b45000ea98fead741278f25a97310d2e2a275129
                                                                                • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction Fuzzy Hash: 8E110376904285CFDB12CF48D5C0B96BF71FB84328F28C6A9D9050B617C336D456CBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.507411134.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_12cd000_vOqVEnqC.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                • Instruction ID: c5f9feb3e8d1c6e242d0198f584b2bc77612c1432b60ca3b31119d9461e747f8
                                                                                • Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                • Instruction Fuzzy Hash: D111BE76544284DFDB02CF54C5C0B15BBA2FB84724F24C6ADDA494B657C33AD44ACBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Execution Graph

                                                                                Execution Coverage:15.4%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:232
                                                                                Total number of Limit Nodes:16

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 01fac1a660198b15a0131558e5c62c06cdda668708e71cef71064d50fa238fa8
                                                                                • Instruction ID: 497a817cb559b5e0d78ee74b8eb35e0b5e093bfe28ecf7e1c3b1aaab68d3774f
                                                                                • Opcode Fuzzy Hash: 01fac1a660198b15a0131558e5c62c06cdda668708e71cef71064d50fa238fa8
                                                                                • Instruction Fuzzy Hash: 88B1A130A11306DFCB44EBB4D845AAEBBF2BF84300B148569E446DB355DF78E906CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62aaddd-62aae04; node listing omitted)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062AAF62
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62a2700-62a276a; node listing omitted)
APIs
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62a8a34-62aaeb6; node listing omitted)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062AAF62
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62acafc-62ae7f4; node listing omitted)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 062AE879
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62addb0-62ade1e; node listing omitted)
APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062ADC52), ref: 062ADE47
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 118b3e8-118cfa7; node listing omitted)
APIs
• LoadLibraryA.KERNELBASE(?), ref: 0118D01A
Memory Dump Source
• Source File: 00000006.00000002.589285476.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1180000_shipping_documents.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 118cf45-118cfa7; node listing omitted)
APIs
• LoadLibraryA.KERNELBASE(?), ref: 0118D01A
Memory Dump Source
• Source File: 00000006.00000002.589285476.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1180000_shipping_documents.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 6566158-65661c1; node listing omitted)
APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06566211
Memory Dump Source
• Source File: 00000006.00000002.636621442.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6560000_shipping_documents.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 6565ea0-6565ef0; node listing omitted)
APIs
• RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06565F54
Memory Dump Source
• Source File: 00000006.00000002.636621442.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6560000_shipping_documents.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62ac70c-62acfec; node listing omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,00000023,?,?,?,?), ref: 062ACFDF
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (first basic block 62acf57-62acfec; node listing omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,00000023,?,?,?,?), ref: 062ACFDF
Memory Dump Source
• Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 011850D2
Memory Dump Source
• Source File: 00000006.00000002.589285476.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1180000_shipping_documents.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062ADC52), ref: 062ADE47
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: GlobalMemoryStatus
                                                                                • String ID:
                                                                                • API String ID: 1890195054-0
                                                                                • Opcode ID: 23a240f8ce55ec66c020bded13a379ec2f56084473e8868b0cc0f3abe08424ae
                                                                                • Instruction ID: af6d7eec050195357334df116fd72463de37f5c91ff97b75d31c5427c935b42b
                                                                                • Opcode Fuzzy Hash: 23a240f8ce55ec66c020bded13a379ec2f56084473e8868b0cc0f3abe08424ae
                                                                                • Instruction Fuzzy Hash: B111F2B1C1061A9BCB10CF9AC9447EEFBB4AF48720F14856AD814B7640D7B8A944CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 011850D2
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.589285476.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_1180000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: EncodePointer
                                                                                • String ID:
                                                                                • API String ID: 2118026453-0
                                                                                • Opcode ID: 37cece3d022ccadc1432dd6d468033aefde41833ac618747e7360df198f0cfd1
                                                                                • Instruction ID: e192d7ce25ab72f4d56d187b6c725ff9fbba88a116793f469376536bd8940372
                                                                                • Opcode Fuzzy Hash: 37cece3d022ccadc1432dd6d468033aefde41833ac618747e7360df198f0cfd1
                                                                                • Instruction Fuzzy Hash: 501179B09013098FDB50EFA9C6487AEBFF9FB44314F24C46AD505A7600CB79A544CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 062AFB45
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: 1ae7e8c995c72f516e223cbca06022be549c16b150c255e1a5dbfd2a60224687
                                                                                • Instruction ID: 6e6d4b73c780a8cea5f15c9cf03ce821794c676506684791b0f21d75f779f6ab
                                                                                • Opcode Fuzzy Hash: 1ae7e8c995c72f516e223cbca06022be549c16b150c255e1a5dbfd2a60224687
                                                                                • Instruction Fuzzy Hash: 531158B1904348CFCB10CF9AC588BDEBFF4EB48320F24845AD859A7611C7B8A944CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 41d67c595280befedb3b3f5c7c6822d4170d7a90b2acd59e5d27eee305007913
                                                                                • Instruction ID: 09057e95b2f55149651357bbc6cfda2b54725f1aacfcfd84b4ed6a362df3e6ec
                                                                                • Opcode Fuzzy Hash: 41d67c595280befedb3b3f5c7c6822d4170d7a90b2acd59e5d27eee305007913
                                                                                • Instruction Fuzzy Hash: 83116070D21309DFCB04DFA4D484A9EBBB1FF48315F208428E401BB254CBB5A885CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 062A954E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 6dddad563fe6f5aedaded4dd63f675d69e341d54831e3c58414dbbccf8876c84
                                                                                • Instruction ID: e72527783f0834eceb1f1de827b486c481cce50ecd31066b5ba9a33e1bea0b6b
                                                                                • Opcode Fuzzy Hash: 6dddad563fe6f5aedaded4dd63f675d69e341d54831e3c58414dbbccf8876c84
                                                                                • Instruction Fuzzy Hash: 2E1104B5C103498FDB10CF9AC444ADEFBF4EF88324F14846AD829A7610D3B4A585CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,062AF117), ref: 062AF1A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 8e14da6af88746ec54cd1d36c1ce1275dfa46b905f7035cafdca17dc1d19cb19
                                                                                • Instruction ID: 31800072cb077b499ade6d21f6add0b8f056437a304d8714ff64ecaabd6a5343
                                                                                • Opcode Fuzzy Hash: 8e14da6af88746ec54cd1d36c1ce1275dfa46b905f7035cafdca17dc1d19cb19
                                                                                • Instruction Fuzzy Hash: 28117CB6A043448FCB10DFE9D89479EBFF0EF85310F15489AD559EB261C778A844CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 062AFB45
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: b773851b5d67c0e154eefc5706654fea09d751d4289396b6fefbe2d69ca16aa8
                                                                                • Instruction ID: ce20e8adfef63b03da8566b329041e24cf6f0cf04f2f104a82ba724e1c1a95df
                                                                                • Opcode Fuzzy Hash: b773851b5d67c0e154eefc5706654fea09d751d4289396b6fefbe2d69ca16aa8
                                                                                • Instruction Fuzzy Hash: 471136B58003488FCB20CF9AD584BDEBFF8AB48720F14845AD855A7600C378A944CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 062A954E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: abc2d00b4923d563635436b4015fb64ef2ea41b088f101240084848937b74058
                                                                                • Instruction ID: 078827bfd1ee5e79695d75402d614632701169b9a4bf67076b9142f1ad6592c4
                                                                                • Opcode Fuzzy Hash: abc2d00b4923d563635436b4015fb64ef2ea41b088f101240084848937b74058
                                                                                • Instruction Fuzzy Hash: 331113B6D103098FCB10CF9AD444ADEFBF5AF88324F14846AD829A7610D378A585CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 062AFB45
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: e87057a8c95588e8de6008089989b7d72b19e9ef7802e5b92c36dffea10c2271
                                                                                • Instruction ID: 430099839c0a08bded1398ff246e8d8edaadc8cadd0369d0bf86e537f7fc3468
                                                                                • Opcode Fuzzy Hash: e87057a8c95588e8de6008089989b7d72b19e9ef7802e5b92c36dffea10c2271
                                                                                • Instruction Fuzzy Hash: E41145B1910349CFCB10CF9AC584BDEBBF4EB48320F24841AD919A7600C3B8A944CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 062AFB45
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: bae155cc9c4a9fa4e5619a5f57231e6efdf9f2abd49622598253812acd0f204b
                                                                                • Instruction ID: bddb8a5cfc3a039d9a1b28ecb5b7750879d5c8ebe4fe38b48011eb6cfaed6e15
                                                                                • Opcode Fuzzy Hash: bae155cc9c4a9fa4e5619a5f57231e6efdf9f2abd49622598253812acd0f204b
                                                                                • Instruction Fuzzy Hash: B6F059729083808FC75087AD88643D9FFF0DF54308F24899EC446D7561C3BC9185D7A0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,062AF117), ref: 062AF1A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.635540830.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_62a0000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: dc1b345e91f90f7ce8afa8bc0cf53631f8e1c675914fa6b7e7d61e702c74d111
                                                                                • Instruction ID: bd6bd8c36518a39f9d3494fc47cae8b554508eb6df90c3aae3e7884b127b7c2f
                                                                                • Opcode Fuzzy Hash: dc1b345e91f90f7ce8afa8bc0cf53631f8e1c675914fa6b7e7d61e702c74d111
                                                                                • Instruction Fuzzy Hash: B3F0C4B5900209CFDB10DB99D8847DEBBF4AF88324F24846AD519A7650C779A984CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.588761344.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_112d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 788027bc89231bd2b384e78422a3626c241a2d71f2ffa0887d9664de0b027d81
                                                                                • Instruction ID: f662d66e2b974452d3678498bf41fb912f024ebfd0f8ebb9b1e34104347fc0bf
                                                                                • Opcode Fuzzy Hash: 788027bc89231bd2b384e78422a3626c241a2d71f2ffa0887d9664de0b027d81
                                                                                • Instruction Fuzzy Hash: 3542D67649E3D19FD3478BB0E8666853FB09F13230B4E41DBD880CA1A3E25D595ACB36
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.588761344.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_112d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c0c079f5f95b2526da19331c61a9188af944944c5a3c44d6317f11c47450a8b
                                                                                • Instruction ID: 09613654c4b43f2c52600b9a6fc7371c28a89344f5f0a531a1671cbbadad5344
                                                                                • Opcode Fuzzy Hash: 8c0c079f5f95b2526da19331c61a9188af944944c5a3c44d6317f11c47450a8b
                                                                                • Instruction Fuzzy Hash: F281307645D3819FD3478BA0D8567813FB1EB13231F1A41DAD884CB1A3D26D985ACB72
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.588579094.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_111d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4ee44042d9a7167049db6115651ce9c22cef0dd5d8bfa86d23deef17be450c04
                                                                                • Instruction ID: 7fea810f2df4a5527da1f9402e213aacae3489ff644039258d5d3f4ffea056dd
                                                                                • Opcode Fuzzy Hash: 4ee44042d9a7167049db6115651ce9c22cef0dd5d8bfa86d23deef17be450c04
                                                                                • Instruction Fuzzy Hash: 2D21B271504240DFDF49DF58E9C8B16BF75FB88328F248579E9050B21AC336D856DBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.588761344.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_112d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e8af854d0b3572d0de2df5a5df5390d1b1484b50fe492466e2fe2e1ce790c303
                                                                                • Instruction ID: 5f17308c8ec3c5bf2408dc91cfec6e0e1f66dca6a8a04a85bf52c1038f0e4b3c
                                                                                • Opcode Fuzzy Hash: e8af854d0b3572d0de2df5a5df5390d1b1484b50fe492466e2fe2e1ce790c303
                                                                                • Instruction Fuzzy Hash: 17210775504280DFDB09DF18D9C4B16BF65FB84324F24C66DD9498B346C336D856CB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.588579094.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_111d000_shipping_documents.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction ID: 93fbc1d2819fca668feefe603ad6b881bdb18c3bf8e789d974533a0acee8f411
                                                                                • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                • Instruction Fuzzy Hash: 9B11D376504280CFDF16CF54D5C4B16FF71FB84324F2486A9D8050B61AC33AD456CBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%