
Windows Analysis Report
New DHL Shipment Document Arrival Notice.pdf.exe

Overview

General Information

Sample name: New DHL Shipment Document Arrival Notice.pdf.exe
Analysis ID: 1430784
MD5: 189b8ac3c0f8d840f30f4897b2d89773
SHA1: e6e6c3bd752cde7cf0677575d9268fc2a2070331
SHA256: 7fee503438f90d0206012674566587b5ecef1d040935809ae308b12842dc6196
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • New DHL Shipment Document Arrival Notice.pdf.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe" MD5: 189B8AC3C0F8D840F30F4897B2D89773)
    • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 4068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • AddInProcess32.exe (PID: 3372 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • RegAsm.exe (PID: 4028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 4724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 1772 cmdline: C:\Windows\system32\WerFault.exe -u -p 6500 -s 1092 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.prestamp.in", "Username": "plant.ps2@prestamp.in", "Password": "Gds@123"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.2184155849.00000161645D8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000005.00000002.3254981544.000000000318C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.3254981544.0000000003194000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings:
  • 0x3310b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3317d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33207:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33299:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33303:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33375:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3340b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3349b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                      Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 8.38.89.60, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4028, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710

                      System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe", CommandLine: "C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe", CommandLine|base64offset|contains: r, Image: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe, NewProcessName: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe, OriginalFileName: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5824, ProcessCommandLine: "C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe", ProcessId: 6500, ProcessName: New DHL Shipment Document Arrival Notice.pdf.exe
Snort IDS alerts (all TCP, destination port 587):

Timestamp                | SID     | Source Port | Destination Port | Protocol | Classtype
04/24/24-07:15:17.148129 | 2030171 | 49710       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:19.418719 | 2855542 | 49712       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:19.418719 | 2840032 | 49712       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:19.418719 | 2851779 | 49712       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:17.148183 | 2851779 | 49710       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:17.148183 | 2840032 | 49710       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:19.414322 | 2030171 | 49712       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:17.148183 | 2855542 | 49710       | 587              | TCP      | A Network Trojan was detected
04/24/24-07:15:17.148183 | 2855245 | 49710       | 587              | TCP      | A Network Trojan was detected


                      AV Detection

Source: 5.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.prestamp.in", "Username": "plant.ps2@prestamp.in", "Password": "Gds@123"}
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Virustotal: Detection: 14%

                      Exploits

Source: Yara match | File source: 00000000.00000002.2184155849.00000161645D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New DHL Shipment Document Arrival Notice.pdf.exe PID: 6500, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdbp^ source: WER592E.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.ni.pdbRSDS source: WER592E.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.Core.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb- source: WER592E.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.pdbP source: WER592E.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.ni.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER592E.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER592E.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER592E.tmp.dmp.9.dr

                      Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49710 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49710 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49710 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49710 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49710 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49712 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49712 -> 8.38.89.60:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49712 -> 8.38.89.60:587
Source: global traffic | TCP traffic: 192.168.2.5:49710 -> 8.38.89.60:587
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: CLOUD-SOUTHUS
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000005.00000002.3254981544.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3254981544.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.prestamp.in
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, cPKWk.cs | .Net Code: eHsXU2
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.raw.unpack, cPKWk.cs | .Net Code: eHsXU2

                      System Summary

Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: New DHL Shipment Document Arrival Notice.pdf.exe
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F21D88
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F129A1
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F1EBF8
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F14309
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F11218
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F1CE19
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F1246D
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF849000E29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_013841C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0138E2B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0138A970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_01384A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0138ADE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_01383E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A7CA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A7F158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A71C9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A718D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A9B620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A95590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A965C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A9B208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A93050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A9C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A97D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A97680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A9E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A95CBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A90333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_06A90006
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6500 -s 1092
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: No import functions for PE file found
Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000000.1996563825.00000161622A6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAxeputagecuyitigagikoB vs New DHL Shipment Document Arrival Notice.pdf.exe
Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameabfb950a-2f96-4f7b-b318-2fe778e635b4.exe4 vs New DHL Shipment Document Arrival Notice.pdf.exe
Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUjeruziruxitohacepapL vs New DHL Shipment Document Arrival Notice.pdf.exe
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Binary or memory string: OriginalFilenameAxeputagecuyitigagikoB vs New DHL Shipment Document Arrival Notice.pdf.exe
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: New DHL Shipment Document Arrival Notice.pdf.exe, getParentblockseFixedBuffer.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@11/5@3/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6500
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c3aa3a0c-06aa-4a3f-8324-25af856d069b
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Virustotal: Detection: 14%
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | File read: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe "C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6500 -s 1092
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: mscorlib.pdbp^ source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: mscorlib.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.ni.pdbRSDS source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.Core.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb- source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.pdbP source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.ni.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER592E.tmp.dmp.9.dr
                      Source: Binary string: System.Core.ni.pdb source: WER592E.tmp.dmp.9.dr
Source: New DHL Shipment Document Arrival Notice.pdf.exe | Static PE information: 0x9EA20D34 [Sun May 3 11:25:40 2054 UTC]
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF848F1B0F8 push es; ret 0_2_00007FF848F1B107
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Code function: 0_2_00007FF84900026B push esp; retf 4810h 0_2_00007FF849000312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0138E76F push ecx; retf 5_2_0138E787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_01380C3D push edi; ret 5_2_01380CC2
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | File created: \new dhl shipment document arrival notice.pdf.exe

                      Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe | Static PE information: New DHL Shipment Document Arrival Notice.pdf.exe
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: New DHL Shipment Document Arrival Notice.pdf.exe PID: 6500, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.00000161645D8000.00000004.00000800.00020000.00000000.sdmp, New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.00000161645D8000.00000004.00000800.00020000.00000000.sdmp, New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe Memory allocated: 161625D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe Memory allocated: 1617C030000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1360000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 3110000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2E70000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 7641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2208
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep count: 39 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -35971150943733603s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -100000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6052 Thread sleep count: 7641 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99890s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6052 Thread sleep count: 2208 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99765s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99656s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99547s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99437s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99328s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99219s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99094s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98981s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -197718s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98749s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98640s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -197062s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -196844s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -196624s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -196406s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98093s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -195968s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97875s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97765s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97656s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97547s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97422s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97312s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97203s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -97094s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -96969s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -96859s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -96750s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -96640s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99953s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99844s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99734s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99625s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99515s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99406s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99297s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99187s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -99078s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98969s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98750s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98641s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -98094s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99765
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99656
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99437
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99219
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98981
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98749
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98531
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98422
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98312
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98203
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98093
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97984
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97765
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97656
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97422
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97312
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97203
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96969
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99953
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99844
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99734
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99625
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99515
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99406
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99297
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99187
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99078
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98969
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98094
                      Source: Amcache.hve.9.dr Binary or memory string: VMware
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                      Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: RegAsm.exe, 00000005.00000002.3260577063.000000000633C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
                      Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                      Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
                      Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: New DHL Shipment Document Arrival Notice.pdf.exe, getParentblockseFixedBuffer.cs | Reference to suspicious API methods: ((StartFileMode)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(getMethodLdelemU2(CopyUtf8Formatter.FileReparsePointInformationMultiplySubtractByScalar)), getMethodLdelemU2(CopyUtf8Formatter.EndWriteBlt)), typeof(StartFileMode)))("Pointer", out var _)
Source: New DHL Shipment Document Arrival Notice.pdf.exe, getParentblockseFixedBuffer.cs | Reference to suspicious API methods: ((StartFileMode)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(getMethodLdelemU2(CopyUtf8Formatter.FileReparsePointInformationMultiplySubtractByScalar)), getMethodLdelemU2(CopyUtf8Formatter.EndWriteBlt)), typeof(StartFileMode)))("Pointer", out var _)
Source: New DHL Shipment Document Arrival Notice.pdf.exe, getParentblockseFixedBuffer.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var IsMetricTYPEFLAGFOLEAUTOMATION)
Source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, Ljq6xD21ACX.cs | Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FC1008
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Queries volume information: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

                      barindex
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3254981544.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3254981544.0000000003194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3254981544.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New DHL Shipment Document Arrival Notice.pdf.exe PID: 6500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4028, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3254981544.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New DHL Shipment Document Arrival Notice.pdf.exe PID: 6500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4028, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.161740b2f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New DHL Shipment Document Arrival Notice.pdf.exe.16174076940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3254981544.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3254981544.0000000003194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3254981544.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New DHL Shipment Document Arrival Notice.pdf.exe PID: 6500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4028, type: MEMORYSTR
MITRE ATT&CK Matrix (table). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques flagged by at least one signature in this analysis: Windows Management Instrumentation, Native API, DLL Side-Loading, Process Injection, Disable or Modify Tools, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Timestomp, Virtualization/Sandbox Evasion, Masquerading, OS Credential Dumping, Input Capture, Credentials in Registry, File and Directory Discovery, System Information Discovery, Security Software Discovery, Process Discovery, Application Window Discovery, System Network Configuration Discovery, Archive Collected Data, Data from Local System, Email Collection, Ingress Tool Transfer, Encrypted Channel, Non-Standard Port, Non-Application Layer Protocol, Application Layer Protocol.
Source | Detection | Scanner | Label
New DHL Shipment Document Arrival Notice.pdf.exe | 11% | ReversingLabs | Win64.Infostealer.Generic
New DHL Shipment Document Arrival Notice.pdf.exe | 14% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
smtp.prestamp.in | 0% | Virustotal |
fp2e7a.wpc.phicdn.net | 0% | Virustotal |
windowsupdatebg.s.llnwi.net | 0% | Virustotal |
Source | Detection | Scanner | Label
http://smtp.prestamp.in | 0% | Avira URL Cloud | safe
http://smtp.prestamp.in | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high
smtp.prestamp.in | 8.38.89.60 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
windowsupdatebg.s.llnwi.net | 68.142.107.4 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.9.dr | false | | high
https://account.dyn.com/ | New DHL Shipment Document Arrival Notice.pdf.exe, 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://smtp.prestamp.in | RegAsm.exe, 00000005.00000002.3254981544.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3254981544.000000000318C000.00000004.00000800.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000005.00000002.3254981544.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
8.38.89.60 | smtp.prestamp.in | United States | 13886 | CLOUD-SOUTHUS | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430784
Start date and time: 2024-04-24 07:14:20 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: New DHL Shipment Document Arrival Notice.pdf.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@11/5@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 69
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.126.62.132, 40.126.62.131, 20.190.190.131, 40.126.62.130, 20.190.190.195, 40.126.62.129, 20.190.190.193, 20.190.190.196, 68.142.107.4, 192.229.211.108, 20.189.173.22, 40.68.123.157, 199.232.214.172, 13.95.31.18, 52.165.164.15
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
07:15:13 | API Interceptor | 51x Sleep call for process: RegAsm.exe modified
07:15:26 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    104.26.13.205SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                    • api.ipify.org/
                                    Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                    • api.ipify.org/?format=json
                                    ArenaWarSetup.exeGet hashmaliciousStealitBrowse
                                    • api.ipify.org/?format=json
                                    Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/?format=json
                                    E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    SecuriteInfo.com.Win64.RATX-gen.31127.4101.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                    • api.ipify.org/
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    fp2e7a.wpc.phicdn.netReconfirm Details.vbsGet hashmaliciousAgentTeslaBrowse
                                    • 192.229.211.108
                                    http://rum.browser-intake-foxbusiness.com:443Get hashmaliciousUnknownBrowse
                                    • 192.229.211.108
                                    http://42.193.223.169/extensioncompabilitynode.exeGet hashmaliciousUnknownBrowse
                                    • 192.229.211.108
                                    SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exeGet hashmaliciousPureLog Stealer, RedLine, zgRATBrowse
                                    • 192.229.211.108
                                    ScreenConnect.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                    • 192.229.211.108
                                    ScreenConnect.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                    • 192.229.211.108
                                    SecuriteInfo.com.Python.Stealer.1437.14994.32063.exeGet hashmaliciousPython StealerBrowse
                                    • 192.229.211.108
                                    https://www.longin-eki.co.jp.cduhzkc.cn/Get hashmaliciousUnknownBrowse
                                    • 192.229.211.108
                                    https://www.longin-eki.co.jp.nebxshr.cn/Get hashmaliciousUnknownBrowse
                                    • 192.229.211.108
                                    https://www.admin-longin.co.jp.mc3lva.cn/Get hashmaliciousUnknownBrowse
                                    • 192.229.211.108
                                    api.ipify.orghesaphareketi_1.scr.exeGet hashmaliciousAgentTeslaBrowse
                                    • 104.26.13.205
                                    DHL Shipping doc.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                    • 104.26.13.205
                                    purchase order pdf.exeGet hashmaliciousAgentTeslaBrowse
                                    • 104.26.12.205
                                    PO 23JC0704-Rollease-B.exeGet hashmaliciousAgentTeslaBrowse
                                    • 104.26.13.205
                                    BARSYL SHIPPING Co (VIETNAM).exeGet hashmaliciousAgentTeslaBrowse
                                    • 172.67.74.152
                                    SecuriteInfo.com.Python.Stealer.1437.14994.32063.exeGet hashmaliciousPython StealerBrowse
                                    • 172.67.74.152
                                    https://wmicrosouab-4ba8.udydzj.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                                    • 104.26.13.205
                                    CR-FEDEX_TN-775720741041.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                    • 172.67.74.152
                                    BARSYL SHIPPING Co (VIETNAM).exeGet hashmaliciousAgentTeslaBrowse
                                    • 172.67.74.152
                                    copy#10476235.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                    • 172.67.74.152
                                    windowsupdatebg.s.llnwi.netGHY7L7VaOL.exeGet hashmaliciousUnknownBrowse
                                    • 68.142.107.4
                                    https://auhsdbfjabsdfjs.z13.web.core.windows.net/Er0Win8helpline76/index.htmlGet hashmaliciousTechSupportScamBrowse
                                    • 68.142.107.4
                                    4BfhCycV4B.exeGet hashmaliciousMars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRATBrowse
                                    • 69.164.42.0
                                    https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1Get hashmaliciousUnknownBrowse
                                    • 68.142.107.4
                                    https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1Get hashmaliciousUnknownBrowse
                                    • 69.164.46.128
                                    CR-FEDEX_TN-775537409198_Doc.vbsGet hashmaliciousUnknownBrowse
                                    • 69.164.46.0
                                    copy_76499Kxls.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                    • 69.164.46.0
                                    Purchase Inquiry.vbsGet hashmaliciousAgentTeslaBrowse
                                    • 69.164.46.128
                                    szamla_sorszam_8472.xlsmGet hashmaliciousUnknownBrowse
                                    • 69.164.42.0
                                    https://tom19-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=+1-888-289-1419Get hashmaliciousTechSupportScamBrowse
                                    • 69.164.42.0
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     CLOUDFLARENETUS | hesaphareketi_1.scr.exe | malicious | AgentTesla | 104.26.13.205
                                     | Payment MT103.xls | malicious | Unknown | 104.21.15.201
                                     | e-dekont.exe | malicious | Snake Keylogger | 104.21.27.85
                                     | New Order .doc | malicious | Unknown | 172.67.134.136
                                     | orden de compra.vbs | malicious | AgentTesla | 104.21.84.67
                                     | DHL Shipping doc.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
                                     | Reconfirm Details.vbs | malicious | AgentTesla | 172.67.215.45
                                     | Remittance-Advice.doc | malicious | Unknown | 172.67.175.222
                                     | shipping docs.doc | malicious | Unknown | 104.21.74.191
                                     | Invoice.doc | malicious | AgentTesla | 172.67.134.136
                                     CLOUD-SOUTHUS | zGAzL2T5Kp.elf | malicious | Mirai | 104.233.72.109
                                     | JeNG2S9wKC.exe | malicious | Raccoon Stealer v2 | 192.227.94.170
                                     | z1kaJtWtK0.exe | malicious | PureCrypter, PureLog Stealer | 154.27.70.229
                                     | 381o9buew9.exe | malicious | PureCrypter, PureLog Stealer | 154.27.70.229
                                     | O5Mn2N8yHv.exe | malicious | AsyncRAT, DcRat | 154.27.70.229
                                     | VC42xEPNd4.exe | malicious | PureCrypter, PureLog Stealer | 154.27.70.229
                                     | BSgFkXHc9t.exe | malicious | PureLog Stealer | 154.27.70.229
                                     | 05Gv8RwQ6G.exe | malicious | AsyncRAT, DcRat | 154.27.70.229
                                     | SecuriteInfo.com.Program.Unwanted.5176.1954.19726.exe | malicious | HawkEye, PureLog Stealer, Xmrig | 154.27.69.89
                                     | SecuriteInfo.com.Program.Unwanted.5176.1954.19726.exe | malicious | HawkEye, Gocoder, PureLog Stealer, Xmrig | 154.27.69.89
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     1138de370e523e824bbca92d049a3777 | Reconfirm Details.vbs | malicious | AgentTesla | 23.1.237.91
                                     | https://www.admin-longin.co.jp.mc3lva.cn/ | malicious | Unknown | 23.1.237.91
                                     | https://www.longin.co.jp.wiibhaq.cn/ | malicious | Unknown | 23.1.237.91
                                     | https://emv1.3rujia.cn/ | malicious | Unknown | 23.1.237.91
                                     | https://wmicrosouab-4ba8.udydzj.workers.dev/ | malicious | HTMLPhisher | 23.1.237.91
                                     | https://uqgekpc20qn1.azureedge.net/6466/ | malicious | TechSupportScam | 23.1.237.91
                                     | https://magnisteel.lk/4765445b-32c6-49b0-83e6-1d93765276ca.php | malicious | HTMLPhisher | 23.1.237.91
                                     | https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w | malicious | Unknown | 23.1.237.91
                                     | https://lithiuimvalley.com/ssd | malicious | HtmlDropper, HTMLPhisher | 23.1.237.91
                                     | https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D | malicious | HTMLPhisher | 23.1.237.91
                                     3b5074b1b5d032e5620f69f9f700ff0e | hesaphareketi_1.scr.exe | malicious | AgentTesla | 104.26.13.205
                                     | e-dekont.exe | malicious | AgentTesla | 104.26.13.205
                                     | e-dekont.exe | malicious | Snake Keylogger | 104.26.13.205
                                     | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
                                     | transferencia.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
                                     | 1000901 LIQUIDACION.vbs | malicious | FormBook, GuLoader | 104.26.13.205
                                     | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
                                     | Factura240413227178.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
                                     | JUSTIFICANTE DE PAGO.vbs | malicious | Unknown | 104.26.13.205
                                     | JUSTIFICANTE DE PAGO.vbs | malicious | Unknown | 104.26.13.205
                                    No context
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.029907973686532
                                    Encrypted:false
                                    SSDEEP:192:726r35/slT8gY5Q0UnUlaWxHa11zuiF2Z24lO8QWc:hrhslY1UnUlaGHa/zuiF2Y4lO8QWc
                                    MD5:F484EB5A381EE22AA3F8796CA1F1B69F
                                    SHA1:5F8F925631649817DECA972C788B52429DED4607
                                    SHA-256:E5780C16E2DF0F55D1538AD9608EDBADC9BBD9BAA530AFE49037758B1FBA0F99
                                    SHA-512:0F1AAED52CB213FA096477C52FABBA5EB02C118493434CB9694DC898623D305F639BEA76DA1634C91C502BB14BEEEEE02313AC6C9B3BE98B6DE1224A823B26B2
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.0.9.3.1.2.0.7.2.1.0.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.0.9.3.1.2.8.2.2.1.0.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.6.7.3.f.3.b.-.6.d.6.5.-.4.c.e.4.-.a.8.4.8.-.6.2.4.7.b.2.8.a.8.c.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.8.a.6.7.1.0.-.d.d.0.e.-.4.e.5.b.-.a.6.0.a.-.d.f.d.b.3.b.d.c.f.2.a.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.N.e.w. .D.H.L. .S.h.i.p.m.e.n.t. .D.o.c.u.m.e.n.t. .A.r.r.i.v.a.l. .N.o.t.i.c.e...p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.x.e.p.u.t.a.g.e.c.u.y.i.t.i.g.a.g.i.k.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.4.-.0.0.0.1.-.0.0.1.4.-.6.2.3.5.-.0.2.6.0.0.6.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.1.5.6.6.9.c.2.b.1.2.e.6.6.6.3.c.b.8.4.f.f.e.9.9.b.1.7.d.1.b.8.0.0.0.0.0.0.0.0.!.0.0.0.0.e.6.e.6.c.3.b.d.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Mini DuMP crash report, 16 streams, Wed Apr 24 05:15:12 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):437761
                                    Entropy (8bit):3.2804251603357217
                                    Encrypted:false
                                    SSDEEP:3072:7pindLET+4Y/cSy51CCq/fAc3+v7nYc5eAMLJNHXyi:7pindlN4qnAc3Q7F5e3t
                                    MD5:4F6A940849345252F442B69A54203E19
                                    SHA1:70CA54E7F2B08D771899DADE475E27EBC23FA2AF
                                    SHA-256:C2BB6C8AC7C6AED6AB9A1C49C946845D97DBC9DFBD402D9333C1E3E7693273C0
                                    SHA-512:4EC775592D13F86BEDCFC9211037ACF4A163FD2216D4EF26D7FD22B35D6B8AC91240D4985C034A29D8D6D37B4EFBCE1E379C9E4EA8A0EC7B296BB8FEC981B50D
                                    Malicious:false
                                    Reputation:low
                                    Preview:MDMP..a..... .......`.(f............D...............d.......$...d........ ...........O..H...........l.......8...........T............+..............P=..........<?..............................................................................eJ.......?......Lw......................T.......d...\.(f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8744
                                    Entropy (8bit):3.713737988781394
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJc5nW6YEIzcLW4gmfJ4nprA89bGJjffoCm:R6lXJ6W6YEccLW4gmfJ4HGdf0
                                    MD5:10BB970A5DB255D102C55CDF8183497D
                                    SHA1:FB7AE2496AA118309AB50575681EAEF3A7F0C419
                                    SHA-256:A7C76A8FCFA333C1584D14250614091AA55E72895997E229ED279A6F2E90DDAB
                                    SHA-512:B7B5D08EB53C0BA6C5F6088794F4D3EBBE7AD4FDD9B200BF4837D2319A70FF7DE23D31C8FAD8383AB9A0F6C3E43EB82327BF78C7C988C7DF06FAB962699699E5
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.0.0.<./.P.i.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4941
                                    Entropy (8bit):4.566361375879203
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zslJg771I9FaWpW8VY/Ym8M4Jym+FStyq85uXdoTWTmd:uIjf/I7Wb7VjJR8TWTmd
                                    MD5:AC8530AEC6E8253C29B22C97EBBE1329
                                    SHA1:A0199E13371C71958FA99638A9D80CA553A5DCE8
                                    SHA-256:8296BDEF957E8C5DE9E128C7E2D290A05FDE71227112FF24277FE7983E85532A
                                    SHA-512:B8D4EF09A863F28B904D723D310C7DA3E603AC225DF7EC6556B2A0AA97E0DDF462001931BCE46C87CC13A6CE99790F989719F2A4C6298A1805EFF899FB8463E3
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293537" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.422258965197262
                                    Encrypted:false
                                    SSDEEP:6144:RSvfpi6ceLP/9skLmb0OTmWSPHaJG8nAgeMZMMhA2fX4WABlEnNL0uhiTw:ovloTmW+EZMM6DFyl03w
                                    MD5:36B16EEE3618A5C541120C323CF75610
                                    SHA1:8B547F044D59E44108B43CAF080F832D3EBB3FBD
                                    SHA-256:CF66E28DE3A61508FC7CB936833A9F69EAD571ABDA594FF267D9B58675236AD9
                                    SHA-512:D9CC6E5037C425639222FD58E0CC2C0474843C6E8F9CD3F7A52B429B5CB19C880CC9FAEA494F09EF4404C6F4C98B2330E919E29DE1A265F709DDEE6F3BCBC6DF
                                    Malicious:false
                                    Reputation:low
                                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...a................................................................................................................................................................................................................................................................................................................................................b..U........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.431363023200837
                                    TrID:
                                    • Win64 Executable Console Net Framework (206006/5) 48.58%
                                    • Win64 Executable Console (202006/5) 47.64%
                                    • Win64 Executable (generic) (12005/4) 2.83%
                                    • Generic Win/DOS Executable (2004/3) 0.47%
                                    • DOS Executable Generic (2002/1) 0.47%
                                    File name:New DHL Shipment Document Arrival Notice.pdf.exe
                                    File size:1'015'405 bytes
                                    MD5:189b8ac3c0f8d840f30f4897b2d89773
                                    SHA1:e6e6c3bd752cde7cf0677575d9268fc2a2070331
                                    SHA256:7fee503438f90d0206012674566587b5ecef1d040935809ae308b12842dc6196
                                    SHA512:052b3ccd16b840ff50fecc83229a0e9b432629084ef1a43af02d794debfc95a0aa054840feb3a82631176b08a3fcc8c5542c8052811ba6434e416e339dccbf16
                                    SSDEEP:24576:o0QxK82SgCUzIQTTzhp11LP059ncTAG6Ox23:om8lgDIv59nXQ23
                                    TLSH:7025BF6273F8056AF7FB4B78A87466445DF6FED22A01FA5C4854C10E0862F809A793F7
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...4............."...0..-............... ....@...... ....................................`................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x400000
                                    Entrypoint Section:
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows cui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x9EA20D34 [Sun May 3 11:25:40 2054 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:
                                    Instruction
                                    dec ebp
                                    pop edx
                                    nop
                                    add byte ptr [ebx], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+eax], al
                                    add byte ptr [eax], al
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0xb84 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x64cce | 0x38 | .text
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x2000 | 0x62d84 | 0x62e00 | 4623d0b561ecedf83778d96681816c71 | False | 0.3354856392225032 | data | 5.514455644985598 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0x66000 | 0xb84 | 0xc00 | faa2ea400892017b819c8061c3001afb | False | 0.2913411458333333 | data | 4.187924224257089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_VERSION | 0x660b8 | 0x470 | data | | | 0.477112676056338
                                     RT_VERSION | 0x66528 | 0x470 | data | English | United States | 0.4788732394366197
                                     RT_MANIFEST | 0x66998 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                     Language of compilation system | Country where language is spoken
                                     English | United States
                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                     04/24/24-07:15:17.148129 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:19.418719 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:19.418719 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:19.418719 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:17.148183 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:17.148183 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:19.414322 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:17.148183 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     04/24/24-07:15:17.148183 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Apr 24, 2024 07:15:06.800882101 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:06.800893068 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:06.894632101 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:12.608851910 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:12.608894110 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:12.609241009 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:12.616242886 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:12.616271019 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:12.951363087 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:12.951430082 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:12.954471111 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:12.954485893 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:12.954830885 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:13.003967047 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:13.028053045 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:13.068126917 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:13.399000883 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:13.399070024 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5
                                     Apr 24, 2024 07:15:13.399434090 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:13.405838013 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205
                                     Apr 24, 2024 07:15:15.366183043 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:15.578584909 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:15.578680992 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:15.800605059 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:15.800870895 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:16.016680956 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:16.017509937 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:16.229746103 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:16.230575085 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:16.410206079 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:16.410206079 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:16.444758892 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:16.445002079 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:16.503952980 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:16.659507036 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:16.659703016 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:16.872674942 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:16.873049021 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.145792007 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.148128986 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.148183107 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.148241043 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.148258924 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.360531092 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.361645937 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.410176992 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.423260927 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.635735989 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.635755062 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.635814905 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.635890961 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.636962891 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.848174095 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.849184036 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.849297047 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:17.882128954 CEST | 443 | 49703 | 23.1.237.91 | 192.168.2.5
                                     Apr 24, 2024 07:15:17.882332087 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:18.071455002 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:18.071738958 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:18.287717104 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:18.288036108 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:18.503779888 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:18.504293919 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:18.716854095 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:18.717022896 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:18.931410074 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:18.931572914 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.144268036 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.144501925 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.406491041 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.410901070 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.414267063 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.414321899 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418719053 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418754101 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418787956 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418816090 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418848038 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418869972 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418888092 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.418903112 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:19.626877069 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.631241083 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.631277084 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.631310940 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.631344080 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.631814003 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5
                                     Apr 24, 2024 07:15:19.676345110 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60
                                     Apr 24, 2024 07:15:28.392074108 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:28.392185926 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:28.429510117 CEST | 49724 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:28.429608107 CEST | 443 | 49724 | 23.1.237.91 | 192.168.2.5
                                     Apr 24, 2024 07:15:28.429728031 CEST | 49724 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:28.469125986 CEST | 49724 | 443 | 192.168.2.5 | 23.1.237.91
                                     Apr 24, 2024 07:15:28.469165087 CEST | 443 | 49724 | 23.1.237.91 | 192.168.2.5
                                    Apr 24, 2024 07:15:28.552714109 CEST4434970323.1.237.91192.168.2.5
                                    Apr 24, 2024 07:15:28.552736044 CEST4434970323.1.237.91192.168.2.5
                                    Apr 24, 2024 07:15:28.799385071 CEST4434972423.1.237.91192.168.2.5
                                    Apr 24, 2024 07:15:28.799495935 CEST49724443192.168.2.523.1.237.91
                                    Apr 24, 2024 07:15:48.006088018 CEST4434972423.1.237.91192.168.2.5
                                    Apr 24, 2024 07:15:48.006159067 CEST49724443192.168.2.523.1.237.91
                                    Apr 24, 2024 07:16:54.019680977 CEST49712587192.168.2.58.38.89.60
                                    Apr 24, 2024 07:16:54.237237930 CEST587497128.38.89.60192.168.2.5
                                    Apr 24, 2024 07:16:54.237270117 CEST587497128.38.89.60192.168.2.5
                                    Apr 24, 2024 07:16:54.237353086 CEST49712587192.168.2.58.38.89.60
                                    Apr 24, 2024 07:16:54.237561941 CEST49712587192.168.2.58.38.89.60
                                    Apr 24, 2024 07:16:54.451049089 CEST587497128.38.89.60192.168.2.5
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Apr 24, 2024 07:15:12.447891951 CEST | 59423 | 53 | 192.168.2.5 | 1.1.1.1
                                     Apr 24, 2024 07:15:12.601500988 CEST | 53 | 59423 | 1.1.1.1 | 192.168.2.5
                                     Apr 24, 2024 07:15:13.992084026 CEST | 56428 | 53 | 192.168.2.5 | 1.1.1.1
                                     Apr 24, 2024 07:15:15.007616043 CEST | 56428 | 53 | 192.168.2.5 | 1.1.1.1
                                     Apr 24, 2024 07:15:15.365432024 CEST | 53 | 56428 | 1.1.1.1 | 192.168.2.5
                                     Apr 24, 2024 07:15:15.365447044 CEST | 53 | 56428 | 1.1.1.1 | 192.168.2.5
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Apr 24, 2024 07:15:12.447891951 CEST | 192.168.2.5 | 1.1.1.1 | 0xd336 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:13.992084026 CEST | 192.168.2.5 | 1.1.1.1 | 0xf39c | Standard query (0) | smtp.prestamp.in | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:15.007616043 CEST | 192.168.2.5 | 1.1.1.1 | 0xf39c | Standard query (0) | smtp.prestamp.in | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Apr 24, 2024 07:15:12.601500988 CEST | 1.1.1.1 | 192.168.2.5 | 0xd336 | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:12.601500988 CEST | 1.1.1.1 | 192.168.2.5 | 0xd336 | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:12.601500988 CEST | 1.1.1.1 | 192.168.2.5 | 0xd336 | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:14.482464075 CEST | 1.1.1.1 | 192.168.2.5 | 0xe71c | No error (0) | windowsupdatebg.s.llnwi.net | - | 68.142.107.4 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:15.008364916 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a80 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:15.008364916 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a80 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.211.108 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:15.365432024 CEST | 1.1.1.1 | 192.168.2.5 | 0xf39c | No error (0) | smtp.prestamp.in | - | 8.38.89.60 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:15:15.365447044 CEST | 1.1.1.1 | 192.168.2.5 | 0xf39c | No error (0) | smtp.prestamp.in | - | 8.38.89.60 | A (IP address) | IN (0x0001) | false
                                     Apr 24, 2024 07:16:16.749797106 CEST | 1.1.1.1 | 192.168.2.5 | 0xcec5 | No error (0) | windowsupdatebg.s.llnwi.net | - | 68.142.107.4 | A (IP address) | IN (0x0001) | false
                                     • api.ipify.org
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.5 | 49704 | 104.26.13.205 | 443 | 4028 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-04-24 05:15:13 UTC | 155 | OUT | GET / HTTP/1.1
                                     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                     Host: api.ipify.org
                                     Connection: Keep-Alive
                                     2024-04-24 05:15:13 UTC | 211 | IN | HTTP/1.1 200 OK
                                     Date: Wed, 24 Apr 2024 05:15:13 GMT
                                     Content-Type: text/plain
                                     Content-Length: 13
                                     Connection: close
                                     Vary: Origin
                                     CF-Cache-Status: DYNAMIC
                                     Server: cloudflare
                                     CF-RAY: 87939d3fa96d092a-LAX
                                     2024-04-24 05:15:13 UTC | 13 | IN | Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36
                                     Data Ascii: 154.16.105.36


                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                     Apr 24, 2024 07:15:15.800605059 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 220 cs9.nethostingpoint.com
                                     Apr 24, 2024 07:15:15.800870895 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | EHLO 093954
                                     Apr 24, 2024 07:15:16.016680956 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 250-cs9.nethostingpoint.com Hello [154.16.105.36]
                                     250-SIZE 41943040
                                     250-AUTH LOGIN CRAM-MD5
                                     250-8BITMIME
                                     250-DSN
                                     250 OK
                                     Apr 24, 2024 07:15:16.017509937 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | AUTH login cGxhbnQucHMyQHByZXN0YW1wLmlu
                                     Apr 24, 2024 07:15:16.229746103 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                     Apr 24, 2024 07:15:16.444758892 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 235 Authentication successful
                                     Apr 24, 2024 07:15:16.445002079 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | MAIL FROM:<plant.ps2@prestamp.in>
                                     Apr 24, 2024 07:15:16.659507036 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 250 OK <plant.ps2@prestamp.in> Sender ok
                                     Apr 24, 2024 07:15:16.659703016 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | RCPT TO:<sjohne@yandex.com>
                                     Apr 24, 2024 07:15:16.872674942 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 250 OK <sjohne@yandex.com> Recipient ok
                                     Apr 24, 2024 07:15:16.873049021 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | DATA
                                     Apr 24, 2024 07:15:17.145792007 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 354 Start mail input; end with <CRLF>.<CRLF>
                                     Apr 24, 2024 07:15:17.148258924 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | .
                                     Apr 24, 2024 07:15:17.361645937 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 250 OK
                                     Apr 24, 2024 07:15:17.423260927 CEST | 49710 | 587 | 192.168.2.5 | 8.38.89.60 | QUIT
                                     Apr 24, 2024 07:15:17.635735989 CEST | 587 | 49710 | 8.38.89.60 | 192.168.2.5 | 221 Service closing transmission channel
                                     Apr 24, 2024 07:15:18.071455002 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 220 cs9.nethostingpoint.com
                                     Apr 24, 2024 07:15:18.071738958 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | EHLO 093954
                                     Apr 24, 2024 07:15:18.287717104 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 250-cs9.nethostingpoint.com Hello [154.16.105.36]
                                     250-SIZE 41943040
                                     250-AUTH LOGIN CRAM-MD5
                                     250-8BITMIME
                                     250-DSN
                                     250 OK
                                     Apr 24, 2024 07:15:18.288036108 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | AUTH login cGxhbnQucHMyQHByZXN0YW1wLmlu
                                     Apr 24, 2024 07:15:18.503779888 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                     Apr 24, 2024 07:15:18.716854095 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 235 Authentication successful
                                     Apr 24, 2024 07:15:18.717022896 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | MAIL FROM:<plant.ps2@prestamp.in>
                                     Apr 24, 2024 07:15:18.931410074 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 250 OK <plant.ps2@prestamp.in> Sender ok
                                     Apr 24, 2024 07:15:18.931572914 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | RCPT TO:<sjohne@yandex.com>
                                     Apr 24, 2024 07:15:19.144268036 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 250 OK <sjohne@yandex.com> Recipient ok
                                     Apr 24, 2024 07:15:19.144501925 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | DATA
                                     Apr 24, 2024 07:15:19.410901070 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 354 Start mail input; end with <CRLF>.<CRLF>
                                     Apr 24, 2024 07:15:19.418903112 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | .
                                     Apr 24, 2024 07:15:19.631814003 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 250 OK
                                     Apr 24, 2024 07:16:54.019680977 CEST | 49712 | 587 | 192.168.2.5 | 8.38.89.60 | QUIT
                                     Apr 24, 2024 07:16:54.237237930 CEST | 587 | 49712 | 8.38.89.60 | 192.168.2.5 | 221 Service closing transmission channel


                                    Target ID:0
                                    Start time:07:15:08
                                    Start date:24/04/2024
                                    Path:C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\New DHL Shipment Document Arrival Notice.pdf.exe"
                                    Imagebase:0x16162240000
                                    File size:1'015'405 bytes
                                    MD5 hash:189B8AC3C0F8D840F30F4897B2D89773
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2184155849.00000161645D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2184155849.0000016164089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2187402638.0000016174037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:07:15:08
                                    Start date:24/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:07:15:10
                                    Start date:24/04/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                    Wow64 process (32bit):
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                    Imagebase:
                                    File size:262'432 bytes
                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:4
                                    Start time:07:15:11
                                    Start date:24/04/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    Wow64 process (32bit):
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                    Imagebase:
                                    File size:43'008 bytes
                                    MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:5
                                    Start time:07:15:11
                                    Start date:24/04/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                    Imagebase:0xd00000
                                    File size:65'440 bytes
                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3254981544.000000000318C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3254981544.0000000003194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3252878938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3254981544.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3254981544.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Target ID:6
                                    Start time:07:15:11
                                    Start date:24/04/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                    Imagebase:0x120000
                                    File size:65'440 bytes
                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:07:15:11
                                    Start date:24/04/2024
                                    Path:C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6500 -s 1092
                                    Imagebase:0x7ff704d60000
                                    File size:570'736 bytes
                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:13.3%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:60
                                      Total number of Limit Nodes:2
                                       execution_graph (node and edge listing omitted; the graph's API nodes resolve to LoadLibraryA, FreeConsole and VirtualProtect)

                                       Control-flow Graph

                                       control_flow_graph (basic-block edge listing for the function at 7ff848f1ebf8 omitted; blocks were marked Executed / Not Executed in the rendered graph)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: hH$d
                                      • API String ID: 0-2066647031
                                      • Opcode ID: 3cfc4a94ab62dff271587252266861a5bf7dbefbb8c37fa1100b299735fdc599
                                      • Instruction ID: 8fef23501d5cf501d3c055c41ba141f48ae3419eea6926e1171925658a839da4
                                      • Opcode Fuzzy Hash: 3cfc4a94ab62dff271587252266861a5bf7dbefbb8c37fa1100b299735fdc599
                                      • Instruction Fuzzy Hash: 7A225531A1DA4A4FE349EB28A4825B1B7E0FF45350F1446BAD44AC71D7EF3AE8438785
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Control-flow Graph

                                       control_flow_graph (basic-block edge listing for the function at 7ff848f129a1 omitted; blocks were marked Executed / Not Executed in the rendered graph)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: HAH
                                      • API String ID: 0-1579723087
                                      • Opcode ID: 3648465cdc0b8106bfb25a10f5c045533ff2207c46de458ee950cfb38eacb638
                                      • Instruction ID: 245076edad1947726860000ee9b29c6c7cabd5df01ed94a3113653ea86c11541
                                      • Opcode Fuzzy Hash: 3648465cdc0b8106bfb25a10f5c045533ff2207c46de458ee950cfb38eacb638
                                      • Instruction Fuzzy Hash: BB42BE30A1CA164FE769FB6880516B9B3E1EF89390F14457DD48EC76D6DF28AC82C748
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: fish
                                      • API String ID: 0-1064584243
                                      • Opcode ID: ffeb31363651c7097cd34c3f9cd338d1ce877566378ae836dbcdfe1df4860e42
                                      • Instruction ID: c970ea4809aebd84e534a05027ada9f418a34146a1d60bd0f65e8d921c1729d1
                                      • Opcode Fuzzy Hash: ffeb31363651c7097cd34c3f9cd338d1ce877566378ae836dbcdfe1df4860e42
                                      • Instruction Fuzzy Hash: C5D13531A1DA4A0FE75CBB38A8655B977E1EF96350F04417ED48BC32D3DE29A8428385
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2191470419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff849000000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 49c72a6885577fef051b1a63a7d857ebc91beb2314d077605c5e99124d69fa3b
                                      • Instruction ID: 5edfa25e8a5a8ed8eff71d641598b583e7fe509e923cdb0f54307e0170f2d85e
                                      • Opcode Fuzzy Hash: 49c72a6885577fef051b1a63a7d857ebc91beb2314d077605c5e99124d69fa3b
                                      • Instruction Fuzzy Hash: 19721A3180DAC54FEBA6EF28A8555B47FE1FF56344F1901FEC089CB093E929A84AC751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a7c1f2695898131763e467521747b0193021194d1eabbe3b2cd2b3e1d471387
                                      • Instruction ID: ff136655992f4a3688956e4ee9152f995c800c098730fa06ad1f990db3812882
                                      • Opcode Fuzzy Hash: 2a7c1f2695898131763e467521747b0193021194d1eabbe3b2cd2b3e1d471387
                                      • Instruction Fuzzy Hash: DB420130A1CA464FE749BF2894416B9B3E2FFA5390F50017DD48E835C7EF29AC428789
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: $
                                      • API String ID: 1029625771-3993045852
                                      • Opcode ID: bd26c14fadc0d3bcadde598dc1dd9f800c1907958f8dda60706ef6b048cdfdf6
                                      • Instruction ID: 4e267d20ae5c01462a44f95b8843920d35a2f0c157502be351f6fba5d72f2aa6
                                      • Opcode Fuzzy Hash: bd26c14fadc0d3bcadde598dc1dd9f800c1907958f8dda60706ef6b048cdfdf6
                                      • Instruction Fuzzy Hash: 0381C030908A8D8FEB98EF28D8457B977E1FF59350F10417EE80DC7292DB79A8458B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph (rendered as an image with executed blocks highlighted; the node/edge source is not reproduced here): function entered at 7ff84900026b, basic blocks spanning 7ff849000234-7ff849000cfe in the 7ff849000000 region. No call instructions and no Win32 API calls appear in any block.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2191470419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff849000000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: A
                                      • API String ID: 0-3554254475
                                      • Opcode ID: de2951a86cd5119b3b61ef7b694165c861bed143d3ed78dbe95d46c76b00b94f
                                      • Instruction ID: bce6642eaba55ba3426fb7950b07fa1f035db3ff50adcaff512021fd30e950c8
                                      • Opcode Fuzzy Hash: de2951a86cd5119b3b61ef7b694165c861bed143d3ed78dbe95d46c76b00b94f
                                      • Instruction Fuzzy Hash: 5762187180DAC58FEB66EF2898556A47BF0FF56344F1805FEC08DCB193EA25A846C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph (rendered as an image with executed blocks highlighted; the node/edge source is not reproduced here): function entered at 7ff848f202b4, basic blocks spanning 7ff848f202b4-7ff848f203af. The block 7ff848f202c6-7ff848f2037f calls VirtualProtect.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: b13f80fb5648b94c3e0e75b63e8a307e7b3356436f176163f75bb9c161564256
                                      • Instruction ID: 66ea67c8889b97f864107592a4ebc22ce1f1bc441758f908a85bf4dae9cf5a9d
                                      • Opcode Fuzzy Hash: b13f80fb5648b94c3e0e75b63e8a307e7b3356436f176163f75bb9c161564256
                                      • Instruction Fuzzy Hash: A4312B3190CA4C8FDB08EB9898466F9BBE1FB55321F04426FD049C3192CF75A856C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph (rendered as an image with executed blocks highlighted; the node/edge source is not reproduced here): function entered at 7ff848f108bd, basic blocks spanning 7ff848f108bd-7ff848f10970. The entry block 7ff848f108bd-7ff848f1094c calls FreeConsole.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID: ConsoleFree
                                      • String ID:
                                      • API String ID: 771614528-0
                                      • Opcode ID: 538808f788d5b7a36918575bafb37c0e77c04f1c7ba99df8aaf4af20cc3f2655
                                      • Instruction ID: 4be8e02a68d9df4839f9000c2d308ddd33f6b2d86f16d48fcbecf7680a72a3f8
                                      • Opcode Fuzzy Hash: 538808f788d5b7a36918575bafb37c0e77c04f1c7ba99df8aaf4af20cc3f2655
                                      • Instruction Fuzzy Hash: BA21927190CB4C8FDB69EB58D849AE9BBF0EB55310F00416FD08AC3652DB656845CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2191470419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff849000000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 32b0950c861a13308c81a0a95238ba879bed0bbfb799debda2366d6a4494abce
                                      • Instruction ID: 1f99e2dd650ea4eaedbc0fb1d6e428ddae60ea9a4a30ee56dc2c2e364758afe6
                                      • Opcode Fuzzy Hash: 32b0950c861a13308c81a0a95238ba879bed0bbfb799debda2366d6a4494abce
                                      • Instruction Fuzzy Hash: 9E41E73180CAC98FDFA6EF24E8958B47BE1FF65344B1901EAD049CB592EE25E845C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2191470419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff849000000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 27143ef1844b1311c1672b5bd54d02121049e9b21702436597990735304f1a6b
                                      • Instruction ID: f5e10ccde78f58e0b9f7a5019f4121cb11b28f3a47cf3dfbaac75d3bb94a95d4
                                      • Opcode Fuzzy Hash: 27143ef1844b1311c1672b5bd54d02121049e9b21702436597990735304f1a6b
                                      • Instruction Fuzzy Hash: 7EE09A35A046298EDF65DB48EC41FD9B7B1EB94350F0041E6D54DE7251CB306A85CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "1
                                      • API String ID: 0-1761163573
                                      • Opcode ID: a8263741188293e3f759bafa46384435d815a604a4eec7bb5adef3bc085c4552
                                      • Instruction ID: ea507d2f63f0257a3ad26c190caa1c365348783e870894aa3248e598a9f1f852
                                      • Opcode Fuzzy Hash: a8263741188293e3f759bafa46384435d815a604a4eec7bb5adef3bc085c4552
                                      • Instruction Fuzzy Hash: 7D51D92BB19532D5D6107A7EB4451DA7724EFC13BAB09067BC288CE4439A1D78CA87F8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3f91d8d0ae9c06d27008973ae9ed58d700db688f4f4d35ef7a550bcbc3b28343
                                      • Instruction ID: 1172b0c69c97a83cd0add18c05980b210c138f8c9874900b8153a42c58c78744
                                      • Opcode Fuzzy Hash: 3f91d8d0ae9c06d27008973ae9ed58d700db688f4f4d35ef7a550bcbc3b28343
                                      • Instruction Fuzzy Hash: 83221430A1DA864FE759BB2884511B4B7F0FF42354F6446BEC08AC75D7DB28BC528785
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2190489713.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff848f10000_New DHL Shipment Document Arrival Notice.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7a282bff4db58ad418445ed2fd8e7b9ac166e8c6dd267aab9db1ec80d183a5cd
                                      • Instruction ID: 546d0b29940a3635022de0ad9d3c6d6e45b59473c011d61caa3d19b81f643eaa
                                      • Opcode Fuzzy Hash: 7a282bff4db58ad418445ed2fd8e7b9ac166e8c6dd267aab9db1ec80d183a5cd
                                      • Instruction Fuzzy Hash: 3602F030A0CA898FE759EBA88495672B7E2EF99350F1404B9C04AC76D3DF39BC46C744
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:11.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:112
                                      Total number of Limit Nodes:8
                                      Execution graph (rendered as an image in the report; the node/edge source is not reproduced here). Three entry nodes: 1380848, 6a76620 and 6a7eed8. From 1380848, the path 138084e -> 138137f -> 1381380 -> 1387c95 / 1387d30 / 1387d90 / 1387ea8 reaches the GlobalMemoryStatusEx wrapper at 138f3ff, which goes through 138f40a and 6a9fa18 / 6a9fa28 to the GlobalMemoryStatusEx call at 6a9fc69. A second path from 138084e, 6a752c2 / 6a752d0 -> 6a74b0c -> 6a7626c -> 6a79040 / 6a78faf -> 6a791f0 / 6a791df -> 6a77178 -> 6a77cf0 -> 6a77d00 -> 6a7a718 -> 6a79317 -> 6a7e7a0 / 6a7e7b8 -> 6a7ea21 / 6a7ea30 -> 6a7ea70 / 6a7ea80, reaches GetModuleHandleW at 6a7de30, 6a7ecb8 and 6a7ed08. The entry at 6a76620 calls DuplicateHandle; the entry at 6a7eed8 calls LoadLibraryExW at 6a7ef20.
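The control-flow and execution graphs in this report are rendered as images; what survives text extraction is the graph source, a single line of `<id> <start>[-<end>] [label]` node declarations and `<src>-><dst>` edges, where the label carries a Win32 API name, an intra-module `call <addr>` target, or a rolled-up `N API calls` summary. The following Python is an added example, not part of the Joe Sandbox report or its tooling; it parses that text form and pulls out what an analyst wants from it: nodes labelled with API calls, intra-module call targets, the graph's entry nodes, and a function's address span. The sample inputs are non-contiguous excerpts copied from this report's own graph text (the VirtualProtect function and the execution graph); the `parse_graph`, `api_call_sites`, `root_nodes` and `function_span` names are the example's own.

```python
"""Parse the text form of Joe Sandbox control_flow_graph / execution_graph blobs.

Nodes: "<id> <start>[-<end>] [label ...]"; edges: "<src>-><dst>". Ids are decimal,
addresses lowercase hex. The label holds the useful data: a Win32 API name
("VirtualProtect"), a target ("call 7ff848f10f88") or a summary ("3 API calls").
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NODE_RE = re.compile(r"(?<!\S)(\d+)\s+([0-9a-f]+)(?:-([0-9a-f]+))?(?!\S)")
EDGE_RE = re.compile(r"(?<!\S)(\d+)->(\d+)(?!\S)")
CALL_RE = re.compile(r"\bcall\s+([0-9a-f]+)\b")
COUNT_RE = re.compile(r"\b(\d+)\s+API\s+calls?\b")
API_RE = re.compile(r"\b([A-Z][A-Za-z0-9]+)\b")   # CamelCase Win32 export names


@dataclass
class Node:
    nid: int
    start: str
    end: Optional[str]
    apis: List[str] = field(default_factory=list)
    calls: List[str] = field(default_factory=list)
    api_call_count: int = 0


@dataclass
class Graph:
    nodes: Dict[int, Node]
    edges: List[Tuple[int, int]]


def parse_graph(text: str) -> Graph:
    """Split one graph blob into labelled nodes and edges.

    All-digit addresses (e.g. 1380848) look like node ids; scanning left to right
    and always pairing an id with the token after it resolves that the same way
    the report lays the graph out.
    """
    hits = sorted(
        [("node", m) for m in NODE_RE.finditer(text)]
        + [("edge", m) for m in EDGE_RE.finditer(text)],
        key=lambda h: h[1].start(),
    )
    nodes: Dict[int, Node] = {}
    edges: List[Tuple[int, int]] = []
    for i, (kind, m) in enumerate(hits):
        if kind == "edge":
            edges.append((int(m.group(1)), int(m.group(2))))
            continue
        node = Node(int(m.group(1)), m.group(2), m.group(3))
        # Everything up to the next node or edge token is this node's label.
        stop = hits[i + 1][1].start() if i + 1 < len(hits) else len(text)
        label = text[m.end():stop]
        node.calls = CALL_RE.findall(label)
        count = COUNT_RE.search(label)
        node.api_call_count = int(count.group(1)) if count else 0
        node.apis = [w for w in API_RE.findall(label) if w != "API"]
        nodes[node.nid] = node
    return Graph(nodes, edges)


def api_call_sites(graph: Graph) -> List[Tuple[str, str]]:
    """(start address, API name) for every node labelled with a Win32 API."""
    sites = [(n.start, api) for n in graph.nodes.values() for api in n.apis]
    return sorted(sites, key=lambda s: (int(s[0], 16), s[1]))


def root_nodes(graph: Graph) -> List[str]:
    """Start addresses of declared nodes with no incoming edge: the entry points."""
    targets = {dst for _, dst in graph.edges}
    roots = [n.start for nid, n in graph.nodes.items() if nid not in targets]
    return sorted(roots, key=lambda a: int(a, 16))


def function_span(graph: Graph) -> Tuple[str, str]:
    """Lowest block start and highest block end: the function's address range."""
    starts = sorted(graph.nodes.values(), key=lambda n: int(n.start, 16))
    ends = sorted(graph.nodes.values(), key=lambda n: int(n.end or n.start, 16))
    return starts[0].start, ends[-1].end or ends[-1].start


# Constructed inputs: non-contiguous excerpts copied from this report's graph text.
CFG_EXCERPT = (
    "control_flow_graph 1037 7ff848f202b4-7ff848f202bb 1038 7ff848f202bd-7ff848f202c5 "
    "1037->1038 1039 7ff848f202c6-7ff848f2037f VirtualProtect 1037->1039 1038->1039 "
    "1043 7ff848f20381 1039->1043 1044 7ff848f20387-7ff848f203af 1039->1044 1043->1044"
)
EXEC_GRAPH_EXCERPT = (
    "execution_graph 39849 1380848 39851 138084e 39849->39851 39850 138091b 39851->39850 "
    "39976 138f3ff 39977 138f40a 39976->39977 39979 6a9fa28 GlobalMemoryStatusEx 39977->39979 "
    "39978 138f411 39979->39978 39847 6a76620 DuplicateHandle 39848 6a766b6 39847->39848 "
    "39981 6a7eed8 39982 6a7ef20 LoadLibraryExW 39981->39982 39983 6a7ef1a 39981->39983 "
    "39984 6a7ef51 39982->39984 39983->39982 39931 6a7ea80 39932 6a7ea91 39931->39932 "
    "39933 6a7de30 GetModuleHandleW 39932->39933 39934 6a7ea9c 39933->39934 "
    "39939 6a7ed08 GetModuleHandleW 39934->39939 39860 6a752df 39861 6a74b0c 3 API calls "
    "39860->39861 39862 6a75300 39861->39862"
)

if __name__ == "__main__":
    for name, blob in (("CFG", CFG_EXCERPT), ("execution graph", EXEC_GRAPH_EXCERPT)):
        g = parse_graph(blob)
        print(f"{name}: {len(g.nodes)} nodes, {len(g.edges)} edges, span {function_span(g)}")
        print("  entry nodes:", root_nodes(g))
        for addr, api in api_call_sites(g):
            print(f"  {addr}: {api}")
```

Run against a whole report, the API-call-site list is the quickest way to see which of the dumped code regions actually touch the Win32 API (here VirtualProtect, FreeConsole, GetModuleHandleW, GlobalMemoryStatusEx, DuplicateHandle, LoadLibraryExW) and from which addresses, without reading the edge lists. Entry-node detection is only meaningful for graphs that declare all their nodes; an excerpt that references an undeclared node will show extra roots.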

                                      Control-flow Graph

                                      Control-flow graph (rendered as an image with executed blocks highlighted; the node/edge source is not reproduced here): function in the RegAsm process (region 6a90000) entered at 6a93050, basic blocks spanning 6a93050-6a9385b. The only call site, at 6a930fe, targets either 6a93868 or 6a93870; no Win32 API is called directly.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq$$cq$$cq
                                      • API String ID: 0-2877684506
                                      • Opcode ID: 2fe37c11d181af6d9e29aa96c6589d9369c21dd3996698ecd996ee174d61c263
                                      • Instruction ID: 9a160151076603eefd7fd8e0c4046fa9d6ec614738046af84d3ef51214423897
                                      • Opcode Fuzzy Hash: 2fe37c11d181af6d9e29aa96c6589d9369c21dd3996698ecd996ee174d61c263
                                      • Instruction Fuzzy Hash: DD321131E1061ACBCF15EFA5C99459DB7B2FFC9300F60C699D419AB264EB30AD85CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph (rendered as an image with executed blocks highlighted; the node/edge source is not reproduced here): function in the RegAsm process (region 6a90000) entered at 6a9b620, basic blocks spanning 6a9b620-6a9bcb8. The blocks 6a9b88d-6a9b8ea and 6a9ba9c-6a9bb08 each call 6a96578; no Win32 API is called directly.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq$$cq$$cq
                                      • API String ID: 0-2877684506
                                      • Opcode ID: dc825fd20aa0349402476723193ab3022013062b9af04521b21ef6b8505dd79c
                                      • Instruction ID: dbe6cc02f589f4cfc90faf7b2e4e870d78d3c4b9edb01c10844834bd1dbef3e7
                                      • Opcode Fuzzy Hash: dc825fd20aa0349402476723193ab3022013062b9af04521b21ef6b8505dd79c
                                      • Instruction Fuzzy Hash: 32023C30E1010A8FDF64EB68E5946AEB7F2EF45310F24856AE415DF291DB34EC85CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1326 6a97d60-6a97d7e 1327 6a97d80-6a97d83 1326->1327 1328 6a97d85-6a97d9f 1327->1328 1329 6a97da4-6a97da7 1327->1329 1328->1329 1330 6a97da9-6a97dc5 1329->1330 1331 6a97dca-6a97dcd 1329->1331 1330->1331 1332 6a97dda-6a97ddd 1331->1332 1333 6a97dcf-6a97dd9 1331->1333 1335 6a97ddf-6a97ded 1332->1335 1336 6a97df4-6a97df6 1332->1336 1343 6a97e06-6a97e1c 1335->1343 1344 6a97def 1335->1344 1338 6a97df8 1336->1338 1339 6a97dfd-6a97e00 1336->1339 1338->1339 1339->1327 1339->1343 1346 6a97e22-6a97e2b 1343->1346 1347 6a98037-6a98041 1343->1347 1344->1336 1348 6a97e31-6a97e4e 1346->1348 1349 6a98042-6a98077 1346->1349 1356 6a98024-6a98031 1348->1356 1357 6a97e54-6a97e7c 1348->1357 1352 6a98079-6a9807c 1349->1352 1354 6a982a8-6a982ab 1352->1354 1355 6a98082-6a98091 1352->1355 1358 6a982b1-6a982bd 1354->1358 1359 6a98362-6a98365 1354->1359 1366 6a980b0-6a980eb 1355->1366 1367 6a98093-6a980ae 1355->1367 1356->1346 1356->1347 1357->1356 1384 6a97e82-6a97e8b 1357->1384 1368 6a982c8-6a982ca 1358->1368 1361 6a98388-6a9838a 1359->1361 1362 6a98367-6a98383 1359->1362 1363 6a9838c 1361->1363 1364 6a98391-6a98394 1361->1364 1362->1361 1363->1364 1364->1352 1370 6a9839a-6a983a3 1364->1370 1382 6a9827c-6a98292 1366->1382 1383 6a980f1-6a98102 1366->1383 1367->1366 1371 6a982cc-6a982d2 1368->1371 1372 6a982e2-6a982e9 1368->1372 1378 6a982d4 1371->1378 1379 6a982d6-6a982d8 1371->1379 1373 6a982eb-6a982f8 1372->1373 1374 6a982fa 1372->1374 1380 6a982ff-6a98301 1373->1380 1374->1380 1378->1372 1379->1372 1385 6a98318-6a98351 1380->1385 1386 6a98303-6a98306 1380->1386 1382->1354 1392 6a98108-6a98125 1383->1392 1393 6a98267-6a98276 1383->1393 1384->1349 1388 6a97e91-6a97ead 1384->1388 1385->1355 1408 6a98357-6a98361 1385->1408 1386->1370 1396 6a97eb3-6a97edd 1388->1396 1397 6a98012-6a9801e 1388->1397 1392->1393 1405 6a9812b-6a98221 call 6a96578 1392->1405 1393->1382 1393->1383 1410 6a98008-6a9800d 1396->1410 1411 6a97ee3-6a97f0b 1396->1411 
1397->1356 1397->1384 1459 6a9822f 1405->1459 1460 6a98223-6a9822d 1405->1460 1410->1397 1411->1410 1418 6a97f11-6a97f3f 1411->1418 1418->1410 1423 6a97f45-6a97f4e 1418->1423 1423->1410 1424 6a97f54-6a97f86 1423->1424 1432 6a97f88-6a97f8c 1424->1432 1433 6a97f91-6a97fad 1424->1433 1432->1410 1435 6a97f8e 1432->1435 1433->1397 1436 6a97faf-6a98006 call 6a96578 1433->1436 1435->1433 1436->1397 1461 6a98234-6a98236 1459->1461 1460->1461 1461->1393 1462 6a98238-6a9823d 1461->1462 1463 6a9824b 1462->1463 1464 6a9823f-6a98249 1462->1464 1465 6a98250-6a98252 1463->1465 1464->1465 1465->1393 1466 6a98254-6a98260 1465->1466 1466->1393
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq
                                      • API String ID: 0-2695052418
                                      • Opcode ID: 94d6a699126a568d3167406d022ad6e251473c19e46b90e9f596e3237bdee67f
                                      • Instruction ID: e65872d8bbd7ae6f3f3d41fe97f816550919e75df58161200dde9a6c24f93d17
                                      • Opcode Fuzzy Hash: 94d6a699126a568d3167406d022ad6e251473c19e46b90e9f596e3237bdee67f
                                      • Instruction Fuzzy Hash: 1002D130B102068FDF55EB69D5506AEB7F2FF85304F248969D8169B394DB39EC82CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2771 6a95590-6a955ad 2772 6a955af-6a955b2 2771->2772 2773 6a955c8-6a955cb 2772->2773 2774 6a955b4-6a955bd 2772->2774 2777 6a955cd-6a955d2 2773->2777 2778 6a955d5-6a955d8 2773->2778 2775 6a956f9-6a95702 2774->2775 2776 6a955c3 2774->2776 2779 6a95761-6a9578b 2775->2779 2780 6a95704-6a9570c 2775->2780 2776->2773 2777->2778 2781 6a955da-6a955e7 2778->2781 2782 6a955ec-6a955ef 2778->2782 2795 6a95795-6a95798 2779->2795 2780->2779 2783 6a9570e-6a9571e 2780->2783 2781->2782 2784 6a955f1-6a95600 2782->2784 2785 6a95605-6a95608 2782->2785 2783->2779 2788 6a95720-6a95724 2783->2788 2784->2785 2786 6a9560a-6a95620 2785->2786 2787 6a95625-6a95628 2785->2787 2786->2787 2791 6a9562a-6a9562d 2787->2791 2792 6a9567f-6a95682 2787->2792 2793 6a95729-6a9572c 2788->2793 2797 6a9562f-6a95639 2791->2797 2799 6a95647-6a9564a 2791->2799 2792->2797 2798 6a95684 2792->2798 2793->2774 2800 6a95732-6a95735 2793->2800 2801 6a957ba-6a957bd 2795->2801 2802 6a9579a-6a9579e 2795->2802 2814 6a95640-6a95642 2797->2814 2803 6a95689-6a9568c 2798->2803 2804 6a9565b-6a9565e 2799->2804 2805 6a9564c-6a95650 2799->2805 2806 6a95741-6a95743 2800->2806 2807 6a95737-6a95740 2800->2807 2812 6a957bf-6a957c6 2801->2812 2813 6a957c7-6a957ca 2801->2813 2808 6a95882-6a958bc 2802->2808 2809 6a957a4-6a957ac 2802->2809 2810 6a956a8-6a956ab 2803->2810 2811 6a9568e-6a956a3 2803->2811 2819 6a95668-6a9566b 2804->2819 2820 6a95660-6a95663 2804->2820 2815 6a95753-6a95760 2805->2815 2816 6a95656 2805->2816 2817 6a9574a-6a9574d 2806->2817 2818 6a95745 2806->2818 2842 6a958be-6a958c1 2808->2842 2809->2808 2823 6a957b2-6a957b5 2809->2823 2821 6a956ad-6a956ca 2810->2821 2822 6a956cf-6a956d2 2810->2822 2811->2810 2824 6a957cc-6a957dd 2813->2824 2825 6a957e2-6a957e5 2813->2825 2814->2799 2816->2804 2817->2772 2817->2815 2818->2817 2826 6a9567a-6a9567d 2819->2826 2827 6a9566d-6a95673 2819->2827 2820->2819 2821->2822 2832 6a956dc-6a956df 2822->2832 2833 6a956d4-6a956d9 
2822->2833 2823->2801 2824->2825 2830 6a95807-6a9580a 2825->2830 2831 6a957e7-6a957eb 2825->2831 2826->2792 2826->2803 2834 6a956ee-6a956ef 2827->2834 2835 6a95675 2827->2835 2836 6a9581a-6a9581d 2830->2836 2837 6a9580c-6a95813 2830->2837 2831->2808 2844 6a957f1-6a957f9 2831->2844 2839 6a956e9-6a956ec 2832->2839 2840 6a956e1-6a956e4 2832->2840 2833->2832 2841 6a956f4-6a956f7 2834->2841 2835->2826 2847 6a9581f-6a95823 2836->2847 2848 6a95837-6a9583a 2836->2848 2845 6a9587a-6a95881 2837->2845 2846 6a95815 2837->2846 2839->2834 2839->2841 2840->2839 2841->2775 2841->2793 2849 6a958db-6a958de 2842->2849 2850 6a958c3-6a958d4 2842->2850 2844->2808 2851 6a957ff-6a95802 2844->2851 2846->2836 2847->2808 2852 6a95825-6a9582d 2847->2852 2853 6a9583c-6a95840 2848->2853 2854 6a95854-6a95857 2848->2854 2856 6a958f8-6a958fb 2849->2856 2857 6a958e0-6a958f1 2849->2857 2870 6a95917-6a9591e 2850->2870 2871 6a958d6 2850->2871 2851->2830 2852->2808 2860 6a9582f-6a95832 2852->2860 2853->2808 2861 6a95842-6a9584a 2853->2861 2863 6a95859-6a95863 2854->2863 2864 6a95868-6a9586a 2854->2864 2858 6a95909-6a9590c 2856->2858 2859 6a958fd-6a95904 2856->2859 2857->2870 2875 6a958f3 2857->2875 2865 6a95912-6a95915 2858->2865 2866 6a95994-6a95b28 2858->2866 2859->2858 2860->2848 2861->2808 2867 6a9584c-6a9584f 2861->2867 2863->2864 2868 6a9586c 2864->2868 2869 6a95871-6a95874 2864->2869 2865->2870 2873 6a95923-6a95926 2865->2873 2920 6a95c5e-6a95c71 2866->2920 2921 6a95b2e-6a95b35 2866->2921 2867->2854 2868->2869 2869->2795 2869->2845 2870->2873 2871->2849 2876 6a95928-6a95939 2873->2876 2877 6a95940-6a95943 2873->2877 2875->2856 2876->2857 2887 6a9593b 2876->2887 2879 6a9594d-6a95950 2877->2879 2880 6a95945-6a9594a 2877->2880 2882 6a9596e-6a95971 2879->2882 2883 6a95952-6a95963 2879->2883 2880->2879 2885 6a9598b-6a9598e 2882->2885 2886 6a95973-6a95984 2882->2886 2892 6a95c79-6a95c8c 2883->2892 2894 6a95969 2883->2894 2885->2866 2889 6a95c74-6a95c77 2885->2889 2886->2870 2895 6a95986 2886->2895 
2887->2877 2889->2892 2893 6a95c8f-6a95c92 2889->2893 2893->2866 2896 6a95c98-6a95c9a 2893->2896 2894->2882 2895->2885 2899 6a95c9c 2896->2899 2900 6a95ca1-6a95ca4 2896->2900 2899->2900 2900->2842 2902 6a95caa-6a95cb3 2900->2902 2922 6a95be9-6a95bf0 2921->2922 2923 6a95b3b-6a95b6e 2921->2923 2922->2920 2925 6a95bf2-6a95c25 2922->2925 2934 6a95b70 2923->2934 2935 6a95b73-6a95bb4 2923->2935 2936 6a95c2a-6a95c57 2925->2936 2937 6a95c27 2925->2937 2934->2935 2945 6a95bcc-6a95bd3 2935->2945 2946 6a95bb6-6a95bc7 2935->2946 2936->2902 2937->2936 2948 6a95bdb-6a95bdd 2945->2948 2946->2902 2948->2902
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-3993045852
                                      • Opcode ID: 84fe20e8d7744b26dac94fc0c6c39735efca8c5c44936258e9856fe5e5276b38
                                      • Instruction ID: 0c15717f42695954f87dd120e96a83558fc17cce75eb5532750a6cfae52c4fc7
                                      • Opcode Fuzzy Hash: 84fe20e8d7744b26dac94fc0c6c39735efca8c5c44936258e9856fe5e5276b38
                                      • Instruction Fuzzy Hash: 4322C275E002158FDF65EBA8C9816AEB7F2FF85320F248469D515AF394DA31DC41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a34a8b87082ab67bb64f7aa5ec2f0df828056dacbc0212c44586cfe10cd18552
                                      • Instruction ID: e0d7c1012ccfd337602b8f8534e624784a2973a15e3ffb7beebba28dce6c46c7
                                      • Opcode Fuzzy Hash: a34a8b87082ab67bb64f7aa5ec2f0df828056dacbc0212c44586cfe10cd18552
                                      • Instruction Fuzzy Hash: 60628F34A002059FEF55EB68D594BADB7F2EF88314F248469E406DB390DB35ED46CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08a21f0af28121de0c7d23fb2e691146e39fccdee7c4bc70a6df14022f56d600
                                      • Instruction ID: a0d55a2d865248ca519ba916a00910fa03b8e580e079e2013e7c44a2b9248df1
                                      • Opcode Fuzzy Hash: 08a21f0af28121de0c7d23fb2e691146e39fccdee7c4bc70a6df14022f56d600
                                      • Instruction Fuzzy Hash: A6327334B105059FDF55EB68D990AADB7F2FB88320F208525E516DB391DB34EC82CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 451f2cfd70ed474d423a08452bb9055ce717ccb182099a7a0a10ee27d390121b
                                      • Instruction ID: 3ad7846b057ec40212fbd1c88e8f1943f7b9a26636c03f20b9950862a98dde18
                                      • Opcode Fuzzy Hash: 451f2cfd70ed474d423a08452bb9055ce717ccb182099a7a0a10ee27d390121b
                                      • Instruction Fuzzy Hash: 9B222B74E101098FEF64EB98E5947AEB7F2EB89310F248565E419DB391CA34DC81CB71
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 526 6a9acb0-6a9acce 527 6a9acd0-6a9acd3 526->527 528 6a9aced-6a9acf0 527->528 529 6a9acd5-6a9acde 527->529 532 6a9ad00-6a9ad03 528->532 533 6a9acf2-6a9acfb 528->533 530 6a9ace4-6a9ace8 529->530 531 6a9aee7-6a9aef1 529->531 530->528 539 6a9aef3-6a9aef5 531->539 540 6a9ae94-6a9aea6 531->540 534 6a9ad05-6a9ad12 532->534 535 6a9ad17-6a9ad1a 532->535 533->532 534->535 537 6a9ad1c-6a9ad21 535->537 538 6a9ad24-6a9ad27 535->538 537->538 542 6a9ad29-6a9ad3c 538->542 543 6a9ad41-6a9ad44 538->543 544 6a9ae98-6a9ae9f 539->544 545 6a9aef7-6a9af1e 539->545 569 6a9aeaf-6a9aec3 540->569 542->543 546 6a9ad55-6a9ad58 543->546 547 6a9ad46-6a9ad4a 543->547 544->539 565 6a9aea1-6a9aea6 544->565 551 6a9af20-6a9af23 545->551 549 6a9aecd-6a9aed6 546->549 550 6a9ad5e-6a9ad61 546->550 553 6a9aedc-6a9aee6 547->553 554 6a9ad50 547->554 549->529 549->553 555 6a9ad63-6a9ad7f 550->555 556 6a9ad84-6a9ad86 550->556 558 6a9af25-6a9af41 551->558 559 6a9af46-6a9af49 551->559 554->546 555->556 563 6a9ad88 556->563 564 6a9ad8d-6a9ad90 556->564 558->559 561 6a9af58-6a9af5b 559->561 562 6a9af4b call 6a9b208 559->562 567 6a9af68-6a9af6b 561->567 568 6a9af5d-6a9af67 561->568 572 6a9af51-6a9af53 562->572 563->564 564->527 570 6a9ad96-6a9adba 564->570 565->569 573 6a9af71-6a9afac 567->573 574 6a9b1d4-6a9b1d7 567->574 591 6a9aeca 569->591 570->591 592 6a9adc0-6a9adcf 570->592 572->561 585 6a9b19f-6a9b1b2 573->585 586 6a9afb2-6a9afbe 573->586 578 6a9b1d9-6a9b1dd 574->578 579 6a9b1e8-6a9b1ea 574->579 578->573 582 6a9b1e3 578->582 583 6a9b1ec 579->583 584 6a9b1f1-6a9b1f4 579->584 582->579 583->584 584->551 588 6a9b1fa-6a9b204 584->588 590 6a9b1b4 585->590 595 6a9afde-6a9b022 586->595 596 6a9afc0-6a9afd9 586->596 590->574 591->549 597 6a9add1-6a9add7 592->597 598 6a9ade7-6a9ae22 call 6a96578 592->598 611 6a9b03e-6a9b07d 595->611 612 6a9b024-6a9b036 595->612 596->590 599 6a9add9 597->599 600 6a9addb-6a9addd 597->600 614 6a9ae3a-6a9ae51 598->614 615 
6a9ae24-6a9ae2a 598->615 599->598 600->598 621 6a9b083-6a9b15e call 6a96578 611->621 622 6a9b164-6a9b179 611->622 612->611 627 6a9ae69-6a9ae7a 614->627 628 6a9ae53-6a9ae59 614->628 616 6a9ae2c 615->616 617 6a9ae2e-6a9ae30 615->617 616->614 617->614 621->622 622->585 634 6a9ae7c-6a9ae82 627->634 635 6a9ae92 627->635 630 6a9ae5b 628->630 631 6a9ae5d-6a9ae5f 628->631 630->627 631->627 637 6a9ae84 634->637 638 6a9ae86-6a9ae88 634->638 635->540 637->635 638->635
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                      • API String ID: 0-3377385791
                                      • Opcode ID: 2f7ed34ed436d4740247d7acdaaad0c304441e736ce19a3172d35764d17cf2b4
                                      • Instruction ID: 3ca21554026d9453d86b08f37b984a3534d3903397d7f8b0ea3f69b0b15e4c4b
                                      • Opcode Fuzzy Hash: 2f7ed34ed436d4740247d7acdaaad0c304441e736ce19a3172d35764d17cf2b4
                                      • Instruction Fuzzy Hash: EDE19130E1021A8FDF55EB69D5506AEB7F2FF89304F30852AE905AB354DB359C46CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 952 6a99130-6a99155 953 6a99157-6a9915a 952->953 954 6a9915c-6a9917b 953->954 955 6a99180-6a99183 953->955 954->955 956 6a99189-6a9919e 955->956 957 6a99a43-6a99a45 955->957 964 6a991a0-6a991a6 956->964 965 6a991b6-6a991cc 956->965 959 6a99a4c-6a99a4f 957->959 960 6a99a47 957->960 959->953 962 6a99a55-6a99a5f 959->962 960->959 966 6a991a8 964->966 967 6a991aa-6a991ac 964->967 969 6a991d7-6a991d9 965->969 966->965 967->965 970 6a991db-6a991e1 969->970 971 6a991f1-6a99262 969->971 972 6a991e3 970->972 973 6a991e5-6a991e7 970->973 982 6a9928e-6a992aa 971->982 983 6a99264-6a99287 971->983 972->971 973->971 988 6a992ac-6a992cf 982->988 989 6a992d6-6a992f1 982->989 983->982 988->989 994 6a9931c-6a99337 989->994 995 6a992f3-6a99315 989->995 1000 6a99339-6a9935b 994->1000 1001 6a99362-6a9936c 994->1001 995->994 1000->1001 1002 6a9937c-6a993f6 1001->1002 1003 6a9936e-6a99377 1001->1003 1009 6a993f8-6a99416 1002->1009 1010 6a99443-6a99458 1002->1010 1003->962 1014 6a99418-6a99427 1009->1014 1015 6a99432-6a99441 1009->1015 1010->957 1014->1015 1015->1009 1015->1010
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq
                                      • API String ID: 0-2876200767
                                      • Opcode ID: fdc9947ea85baf277af01a11872859eda8715bd90a4cce52ed21d50b3f9ba761
                                      • Instruction ID: e2295fa452e63430e5e61806c1732eb5c4123fb6c458f901b8d6595a5599abdf
                                      • Opcode Fuzzy Hash: fdc9947ea85baf277af01a11872859eda8715bd90a4cce52ed21d50b3f9ba761
                                      • Instruction Fuzzy Hash: 6D915030B1020A9FDF55DB69D9507AFB3F6FBC4240F248469D819DB384EB349C868BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1018 6a9cf30-6a9cf4b 1019 6a9cf4d-6a9cf50 1018->1019 1020 6a9cf99-6a9cf9c 1019->1020 1021 6a9cf52-6a9cf94 1019->1021 1022 6a9cf9e-6a9cfe0 1020->1022 1023 6a9cfe5-6a9cfe8 1020->1023 1021->1020 1022->1023 1024 6a9cfea-6a9d02c 1023->1024 1025 6a9d031-6a9d034 1023->1025 1024->1025 1027 6a9d07d-6a9d080 1025->1027 1028 6a9d036-6a9d078 1025->1028 1032 6a9d08f-6a9d092 1027->1032 1033 6a9d082-6a9d084 1027->1033 1028->1027 1038 6a9d098-6a9d09b 1032->1038 1039 6a9d41c-6a9d428 1032->1039 1036 6a9d419 1033->1036 1037 6a9d08a 1033->1037 1036->1039 1037->1032 1040 6a9d09d-6a9d0df 1038->1040 1041 6a9d0e4-6a9d0e7 1038->1041 1044 6a9d42e-6a9d71b 1039->1044 1045 6a9d1c0-6a9d1cf 1039->1045 1040->1041 1047 6a9d0e9-6a9d0ff 1041->1047 1048 6a9d104-6a9d107 1041->1048 1231 6a9d721-6a9d727 1044->1231 1232 6a9d942-6a9d94c 1044->1232 1049 6a9d1de-6a9d1ea 1045->1049 1050 6a9d1d1-6a9d1d6 1045->1050 1047->1048 1054 6a9d109-6a9d10e 1048->1054 1055 6a9d111-6a9d114 1048->1055 1058 6a9d94d-6a9d986 1049->1058 1059 6a9d1f0-6a9d202 1049->1059 1050->1049 1054->1055 1061 6a9d15d-6a9d160 1055->1061 1062 6a9d116-6a9d158 1055->1062 1082 6a9d988-6a9d98b 1058->1082 1076 6a9d207-6a9d20a 1059->1076 1065 6a9d16f-6a9d172 1061->1065 1066 6a9d162-6a9d164 1061->1066 1062->1061 1078 6a9d1bb-6a9d1be 1065->1078 1079 6a9d174-6a9d183 1065->1079 1074 6a9d16a 1066->1074 1075 6a9d2d7-6a9d2e0 1066->1075 1074->1065 1092 6a9d2ef-6a9d2fb 1075->1092 1093 6a9d2e2-6a9d2e7 1075->1093 1090 6a9d20c-6a9d24e 1076->1090 1091 6a9d253-6a9d256 1076->1091 1078->1045 1078->1076 1083 6a9d192-6a9d19e 1079->1083 1084 6a9d185-6a9d18a 1079->1084 1087 6a9d99a-6a9d99d 1082->1087 1088 6a9d98d call 6a9daa5 1082->1088 1083->1058 1094 6a9d1a4-6a9d1b6 1083->1094 1084->1083 1095 6a9d99f-6a9d9cb 1087->1095 1096 6a9d9d0-6a9d9d3 1087->1096 1107 6a9d993-6a9d995 1088->1107 1090->1091 1101 6a9d279-6a9d27c 1091->1101 1102 6a9d258-6a9d274 1091->1102 1097 6a9d40c-6a9d411 1092->1097 1098 6a9d301-6a9d315 
1092->1098 1093->1092 1094->1078 1095->1096 1108 6a9d9d5-6a9d9f1 1096->1108 1109 6a9d9f6-6a9d9f8 1096->1109 1097->1036 1098->1036 1125 6a9d31b-6a9d32d 1098->1125 1103 6a9d27e-6a9d2c0 1101->1103 1104 6a9d2c5-6a9d2c7 1101->1104 1102->1101 1103->1104 1114 6a9d2c9 1104->1114 1115 6a9d2ce-6a9d2d1 1104->1115 1107->1087 1108->1109 1116 6a9d9fa 1109->1116 1117 6a9d9ff-6a9da02 1109->1117 1114->1115 1115->1019 1115->1075 1116->1117 1117->1082 1126 6a9da04-6a9da13 1117->1126 1135 6a9d32f-6a9d335 1125->1135 1136 6a9d351-6a9d353 1125->1136 1137 6a9da7a-6a9da8f 1126->1137 1138 6a9da15-6a9da78 call 6a96578 1126->1138 1145 6a9d339-6a9d345 1135->1145 1146 6a9d337 1135->1146 1142 6a9d35d-6a9d369 1136->1142 1154 6a9da90 1137->1154 1138->1137 1158 6a9d36b-6a9d375 1142->1158 1159 6a9d377 1142->1159 1148 6a9d347-6a9d34f 1145->1148 1146->1148 1148->1142 1154->1154 1160 6a9d37c-6a9d37e 1158->1160 1159->1160 1160->1036 1164 6a9d384-6a9d3a0 call 6a96578 1160->1164 1172 6a9d3af-6a9d3bb 1164->1172 1173 6a9d3a2-6a9d3a7 1164->1173 1172->1097 1176 6a9d3bd-6a9d40a 1172->1176 1173->1172 1176->1036 1233 6a9d729-6a9d72e 1231->1233 1234 6a9d736-6a9d73f 1231->1234 1233->1234 1234->1058 1235 6a9d745-6a9d758 1234->1235 1237 6a9d75e-6a9d764 1235->1237 1238 6a9d932-6a9d93c 1235->1238 1239 6a9d773-6a9d77c 1237->1239 1240 6a9d766-6a9d76b 1237->1240 1238->1231 1238->1232 1239->1058 1241 6a9d782-6a9d7a3 1239->1241 1240->1239 1244 6a9d7b2-6a9d7bb 1241->1244 1245 6a9d7a5-6a9d7aa 1241->1245 1244->1058 1246 6a9d7c1-6a9d7de 1244->1246 1245->1244 1246->1238 1249 6a9d7e4-6a9d7ea 1246->1249 1249->1058 1250 6a9d7f0-6a9d809 1249->1250 1252 6a9d80f-6a9d836 1250->1252 1253 6a9d925-6a9d92c 1250->1253 1252->1058 1256 6a9d83c-6a9d846 1252->1256 1253->1238 1253->1249 1256->1058 1257 6a9d84c-6a9d863 1256->1257 1259 6a9d872-6a9d88d 1257->1259 1260 6a9d865-6a9d870 1257->1260 1259->1253 1265 6a9d893-6a9d8ac call 6a96578 1259->1265 1260->1259 1269 6a9d8bb-6a9d8c4 1265->1269 1270 6a9d8ae-6a9d8b3 1265->1270 1269->1058 1271 
6a9d8ca-6a9d91e 1269->1271 1270->1269 1271->1253
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq
                                      • API String ID: 0-2085107096
                                      • Opcode ID: 1119986c01580518bfe3ca21d4076b434883b354c943bd8f214cf0fcb72e4425
                                      • Instruction ID: 185672b25b52dc3d0cc7a3c81d79a5d3276a74b85d7b1c5ec2da0fa1982c9baf
                                      • Opcode Fuzzy Hash: 1119986c01580518bfe3ca21d4076b434883b354c943bd8f214cf0fcb72e4425
                                      • Instruction Fuzzy Hash: 10628170A106068FCB55EB68D690A5EB7F3FF84304B308969E4169F365DB35EC86CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1279 6a94b58-6a94b7c 1280 6a94b7e-6a94b81 1279->1280 1281 6a94b83-6a94b9d 1280->1281 1282 6a94ba2-6a94ba5 1280->1282 1281->1282 1283 6a94bab-6a94ca3 1282->1283 1284 6a95284-6a95286 1282->1284 1302 6a94ca9-6a94cf6 call 6a95401 1283->1302 1303 6a94d26-6a94d2d 1283->1303 1285 6a95288 1284->1285 1286 6a9528d-6a95290 1284->1286 1285->1286 1286->1280 1289 6a95296-6a952a3 1286->1289 1316 6a94cfc-6a94d18 1302->1316 1304 6a94db1-6a94dba 1303->1304 1305 6a94d33-6a94da3 1303->1305 1304->1289 1322 6a94dae 1305->1322 1323 6a94da5 1305->1323 1320 6a94d1a 1316->1320 1321 6a94d23-6a94d24 1316->1321 1320->1321 1321->1303 1322->1304 1323->1322
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: fhq$XPhq$\Ohq
                                      • API String ID: 0-1165799323
                                      • Opcode ID: de8d3f8a300a1477d3ae98a33f3f43d7191f05ce3330d28d6f748750a2812466
                                      • Instruction ID: bfa49e47f3eb348aa70a21ec6466caf086ea874f6fa50d40a93628b515dc6430
                                      • Opcode Fuzzy Hash: de8d3f8a300a1477d3ae98a33f3f43d7191f05ce3330d28d6f748750a2812466
                                      • Instruction Fuzzy Hash: AB615E70F002199FEF55AFA9C8147AEBAF6FF88310F208429E106EB3D5DA754C458B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2216 6a99125-6a99155 2217 6a99157-6a9915a 2216->2217 2218 6a9915c-6a9917b 2217->2218 2219 6a99180-6a99183 2217->2219 2218->2219 2220 6a99189-6a9919e 2219->2220 2221 6a99a43-6a99a45 2219->2221 2228 6a991a0-6a991a6 2220->2228 2229 6a991b6-6a991cc 2220->2229 2223 6a99a4c-6a99a4f 2221->2223 2224 6a99a47 2221->2224 2223->2217 2226 6a99a55-6a99a5f 2223->2226 2224->2223 2230 6a991a8 2228->2230 2231 6a991aa-6a991ac 2228->2231 2233 6a991d7-6a991d9 2229->2233 2230->2229 2231->2229 2234 6a991db-6a991e1 2233->2234 2235 6a991f1-6a99262 2233->2235 2236 6a991e3 2234->2236 2237 6a991e5-6a991e7 2234->2237 2246 6a9928e-6a992aa 2235->2246 2247 6a99264-6a99287 2235->2247 2236->2235 2237->2235 2252 6a992ac-6a992cf 2246->2252 2253 6a992d6-6a992f1 2246->2253 2247->2246 2252->2253 2258 6a9931c-6a99337 2253->2258 2259 6a992f3-6a99315 2253->2259 2264 6a99339-6a9935b 2258->2264 2265 6a99362-6a9936c 2258->2265 2259->2258 2264->2265 2266 6a9937c-6a993f6 2265->2266 2267 6a9936e-6a99377 2265->2267 2273 6a993f8-6a99416 2266->2273 2274 6a99443-6a99458 2266->2274 2267->2226 2278 6a99418-6a99427 2273->2278 2279 6a99432-6a99441 2273->2279 2274->2221 2278->2279 2279->2273 2279->2274
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq
                                      • API String ID: 0-2695052418
                                      • Opcode ID: fe67eb8c3cfb7c62ca8458aad8d28631a207da1caa8a8cae64685d4d078331b2
                                      • Instruction ID: 1fd0163ec62783c5a877e7a5b028eb6f591799833d3b4f3c5e49ad879e7120b7
                                      • Opcode Fuzzy Hash: fe67eb8c3cfb7c62ca8458aad8d28631a207da1caa8a8cae64685d4d078331b2
                                      • Instruction Fuzzy Hash: 72514030B001069FDF55EB79D95076FB3F6EBC8244F248469D80ADB394EB35AC428BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: fhq$XPhq
                                      • API String ID: 0-3594109931
                                      • Opcode ID: 31264b5809d3a3c94d3e1d99b628f49dab5964d6846b930596154f0ac4e078ff
                                      • Instruction ID: 0d331f867e3023b6ee274b56bede4d2b87c770e3fbcea5c5bff22d356beb6678
                                      • Opcode Fuzzy Hash: 31264b5809d3a3c94d3e1d99b628f49dab5964d6846b930596154f0ac4e078ff
                                      • Instruction Fuzzy Hash: 3B515F74F102099FEB55EFA9C8147AEBBF6FF88300F208529D105AB3D5DA758C068B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3261983612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a70000_RegAsm.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 869d2651e51af8cf37d1226a454235fef3d27c450c09d788238c4e0bed8cc551
                                      • Instruction ID: ab997642ccb5f2be752e812ab53cf5f4143d842c43acbe6c2a46c3ad368acfd7
                                      • Opcode Fuzzy Hash: 869d2651e51af8cf37d1226a454235fef3d27c450c09d788238c4e0bed8cc551
                                      • Instruction Fuzzy Hash: B2714570A00B098FD7A4EF2AD95075ABBF1FF88204F108969D45ADBA40D774F849CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3253739944.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_1380000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 883dcb779621c98c9cb2fb5a53091a94a0e8cca1bef59621966bd4a2795eac1b
                                      • Instruction ID: a19ea314e20fb1e7e927919a7e23ee33626880ac1a39c1a0d01e7c37fa24730a
                                      • Opcode Fuzzy Hash: 883dcb779621c98c9cb2fb5a53091a94a0e8cca1bef59621966bd4a2795eac1b
                                      • Instruction Fuzzy Hash: E9413672D0438A8FDB01EFB9D8102EEBFF1AF99310F15856AD554A7381D7349845CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A766A7
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3261983612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a70000_RegAsm.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 3c3a6e77749847e00ed445e71738dbffbb09af5558b935ddb3a2aacd0febd938
                                      • Instruction ID: 7834166b0b5d2c4e64e34559c12a00f2fd49b29a35ac03b6b505b29c1e7e8ce3
                                      • Opcode Fuzzy Hash: 3c3a6e77749847e00ed445e71738dbffbb09af5558b935ddb3a2aacd0febd938
                                      • Instruction Fuzzy Hash: 46214BB5D00249DFCB10CF9AE984ADEBBF4EB48311F14842AE915E7350C3349A54CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A766A7
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3261983612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a70000_RegAsm.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 1a495bca2d65b275029614b767f5af74df52128020536b3045068c1475760af0
                                      • Instruction ID: ef41100c386121191106b0f38f35c868974d4cf0d5858c3d872fb5ffcc5948d7
                                      • Opcode Fuzzy Hash: 1a495bca2d65b275029614b767f5af74df52128020536b3045068c1475760af0
                                      • Instruction Fuzzy Hash: E521C4B5D102499FDB10CFAAD984ADEBBF4EB48310F14841AE918A7350D374A954CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 06A7EF42
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3261983612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a70000_RegAsm.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: b987bcf3ca534cf3879ff52d09748a2c2523209ff76a665f77e16c7b9942ac0d
                                      • Instruction ID: 91a1226104996219520b37e5e7db1abbf04e40d488902dbe19bfc2b84eaa73fa
                                      • Opcode Fuzzy Hash: b987bcf3ca534cf3879ff52d09748a2c2523209ff76a665f77e16c7b9942ac0d
                                      • Instruction Fuzzy Hash: 941144B6C002499FDB10CF9AD844ADEFBF8EB49324F14842AE419A7600C374A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 06A7EF42
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3261983612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a70000_RegAsm.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 245e6126728de25baf12d0eae4cdaddf0991fcdc352fd9c54bb412eca363d013
                                      • Instruction ID: 1a78145671b4fc23449b433f1d4ca299424d4034da545a0983450009977bdc28
                                      • Opcode Fuzzy Hash: 245e6126728de25baf12d0eae4cdaddf0991fcdc352fd9c54bb412eca363d013
                                      • Instruction Fuzzy Hash: B311F3B6C003498FDB10DF9AD844ADEFBF4EF88314F14846AE519A7600C375A549CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32 ref: 0138EC97
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3253739944.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_1380000_RegAsm.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: c2ccb0637d194c598f98d7f738c764d96eaae3343e1dc539cdfbe4c7e6e925a6
                                      • Instruction ID: 76350dd66d5688943a9eb67caebf71cee1431dedc2622d481a29115c497cef2c
                                      • Opcode Fuzzy Hash: c2ccb0637d194c598f98d7f738c764d96eaae3343e1dc539cdfbe4c7e6e925a6
                                      • Instruction Fuzzy Hash: 6F1123B1C0065A9FCB10DF9AC544BDEFBF4AF48324F15852AD818B7240D378A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,06A7EA9C), ref: 06A7ECD6
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3261983612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a70000_RegAsm.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 7795897586cefab5a938ce76b30da37b6a4f11e17f53375239b2a10d8f774112
                                      • Instruction ID: 4dc311eac03fff82368362f48736361ea889b99a1e68c767c29d3cbf6a77d00d
                                      • Opcode Fuzzy Hash: 7795897586cefab5a938ce76b30da37b6a4f11e17f53375239b2a10d8f774112
                                      • Instruction Fuzzy Hash: 5F1102B6C006498FDB10DF9AC944A9EFBF4EB88315F10846AD519BB200C375A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PHcq
                                      • API String ID: 0-4245845256
                                      • Opcode ID: 02a614bf43caecbbdfdd6477dc4c9f9fcf2d75ef2e4c8fbcfcfc5ee6679e6255
                                      • Instruction ID: 829b3579b884546be2c859a13a9bdca4835458303b71ff6022660dd7d706ed5d
                                      • Opcode Fuzzy Hash: 02a614bf43caecbbdfdd6477dc4c9f9fcf2d75ef2e4c8fbcfcfc5ee6679e6255
                                      • Instruction Fuzzy Hash: EB419470E0060A9FDF65FF65C45469EBBF2FF85300F208529E406EB241DB74A886CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PHcq
                                      • API String ID: 0-4245845256
                                      • Opcode ID: 402c2fecd02853d0335b7c0a8e086cbb247bca964c376f3bf06b15195399a908
                                      • Instruction ID: 5a7a35bf8261be11e095e50dd63f5c78264122fef24162d71e45b6cd168cd15e
                                      • Opcode Fuzzy Hash: 402c2fecd02853d0335b7c0a8e086cbb247bca964c376f3bf06b15195399a908
                                      • Instruction Fuzzy Hash: F831C030B202019FDF5AAB74C56476E7BF3EB89200F248568D406DB385DE39DD4ACBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PHcq
                                      • API String ID: 0-4245845256
                                      • Opcode ID: 87bc9ab318a571c82c2a2e443effe3ecae3e0355934db0b7ee1a3563bf5824c1
                                      • Instruction ID: 47cedeb5bf5d31f8f8bcdd247dec667c1bd82deff2bea5d210433a6299ab9834
                                      • Opcode Fuzzy Hash: 87bc9ab318a571c82c2a2e443effe3ecae3e0355934db0b7ee1a3563bf5824c1
                                      • Instruction Fuzzy Hash: 3231AF30B202069FDF59AB74C55476F7AE7AF89200F248468D406DB385DE39DE45CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq
                                      • API String ID: 0-2110363268
                                      • Opcode ID: b5efc56ea88e6985e5f772c78de374fbe74e812ebdb31ba202be835b36282da5
                                      • Instruction ID: 14b35ef86eaade96e368f48e05234f86758e03b728c85d8efc100334d26a7aa2
                                      • Opcode Fuzzy Hash: b5efc56ea88e6985e5f772c78de374fbe74e812ebdb31ba202be835b36282da5
                                      • Instruction Fuzzy Hash: 0AF08235E00114CFDF64AF55E6446ADB7F4FB46250F3848A2D812AB191C33D9986CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86fb68b7a4145befe1e529093980b4bc66bb728c3e37f06d77012853410bacc5
                                      • Instruction ID: 11fae1bbec2e46bdb585aa4aeb7cdaf8b37216c6ce62f63245e99d86e251e5e8
                                      • Opcode Fuzzy Hash: 86fb68b7a4145befe1e529093980b4bc66bb728c3e37f06d77012853410bacc5
                                      • Instruction Fuzzy Hash: 7C61A271F100124FDF55AB6EC84466FAAE7AFC4220B254479E80EDB364DE7ADD0287E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0d5b0bfc7e3cc145b02aaad475598dbe2d86dea66f758daf84902733700f4178
                                      • Instruction ID: b1f8b3e84023f744ff7da9fc7890b8378040d9170898bb8e4db6a95f9315b53c
                                      • Opcode Fuzzy Hash: 0d5b0bfc7e3cc145b02aaad475598dbe2d86dea66f758daf84902733700f4178
                                      • Instruction Fuzzy Hash: F1813934B0020A8BDF54EFB9D55466EB7F2EB89304F208429D41AEB394EA35DC468B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d50ae62307ead70dfa7f918f8df4761b9264f7c3ed85ed5f9ed935c68c37bf25
                                      • Instruction ID: e70528c7e3ac92298f5090b66d4b6ade1de39e76146276bb76cb5717743fc85b
                                      • Opcode Fuzzy Hash: d50ae62307ead70dfa7f918f8df4761b9264f7c3ed85ed5f9ed935c68c37bf25
                                      • Instruction Fuzzy Hash: 8D914E74E0061A8BDF60DF68C850B9DB7B1FF89310F208595D549AB295DB70AA86CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9474e6676eb7885d77fdf31021f9464d5fe95e6ae5d32a20baf696547d6cee22
                                      • Instruction ID: d496531fcdf4a4e2c963803e2341827e14608058074484192b4fe602067392c5
                                      • Opcode Fuzzy Hash: 9474e6676eb7885d77fdf31021f9464d5fe95e6ae5d32a20baf696547d6cee22
                                      • Instruction Fuzzy Hash: 9C914F74E0061A8BDF60DF68C850B9DB7B1FF89310F208599D549BB395DB70AA86CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a165c15b00070568edcb3dd52c0376019372f691b5b9ad47c64267747ced95d3
                                      • Instruction ID: d27f0f3d581fa39d5c76f9a150fca776ba496ca73585905cebb72cf7705c4d4a
                                      • Opcode Fuzzy Hash: a165c15b00070568edcb3dd52c0376019372f691b5b9ad47c64267747ced95d3
                                      • Instruction Fuzzy Hash: 07712934B0020A8BDF54EFB9D55476EB7F2EF89304F248429D40ADB295EA34DC868B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 247b7d937931f928df0f95824cef107a09f2c77b5034b933f1b7fc62e7dce6fd
                                      • Instruction ID: 49b87139d58dfbe6bce6dc9cd15189853f74923bcffc6e3818a085c04a97067a
                                      • Opcode Fuzzy Hash: 247b7d937931f928df0f95824cef107a09f2c77b5034b933f1b7fc62e7dce6fd
                                      • Instruction Fuzzy Hash: BD713970E002099FDF55EBA9D990A9EBBF6FF88304F248429E415AB355DB34EC46CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 475574f4be43384cb210bfb84166de6a8003d8ad0cf45cda6ea454fd4bd3a83a
                                      • Instruction ID: 48086bfe7069bde4ed57e68ece51d8d67abd9c2f2cd8089bf37faa5e64ebf1d9
                                      • Opcode Fuzzy Hash: 475574f4be43384cb210bfb84166de6a8003d8ad0cf45cda6ea454fd4bd3a83a
                                      • Instruction Fuzzy Hash: EE711A70E002099FDF54EBA9D990A9EBBF6FF88304F248429E415AB355DA34EC46CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f252ab43abb3de5e0888205982846fa7f7aeee9ea598193658b1fa9b106bdb3
                                      • Instruction ID: 49f8958fbaa2b8c6daa2976a16dcf33bbc1a9f3735aef9291cb46e3416fad7af
                                      • Opcode Fuzzy Hash: 0f252ab43abb3de5e0888205982846fa7f7aeee9ea598193658b1fa9b106bdb3
                                      • Instruction Fuzzy Hash: AF51F031E00109DFDF64BBB8E5546ADBBF2FB89315F208869E106DB251DB359C46CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1c76cad60e237a6a9c00d58f1a6e9d71c106a7ec48864cf0e0db298672fdca2
                                      • Instruction ID: 957dd6bd2f026deca5a2601b9181435dceb9a8923377f314ec756f5e94fa5c09
                                      • Opcode Fuzzy Hash: c1c76cad60e237a6a9c00d58f1a6e9d71c106a7ec48864cf0e0db298672fdca2
                                      • Instruction Fuzzy Hash: 9751F5B4B201058FEF64676CD96476F26EAD78D310F30442AD50ACB7E5CA68CC91C7B2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5eb4a4b257dc337883e5adaa389238816aa3cf3d827b7ee7f7500ad20cf1ee18
                                      • Instruction ID: 3b215cb05308570ef40235c38f3e70aa01c8ddb7aae5a045a31f1d131f0f10ee
                                      • Opcode Fuzzy Hash: 5eb4a4b257dc337883e5adaa389238816aa3cf3d827b7ee7f7500ad20cf1ee18
                                      • Instruction Fuzzy Hash: 7951D7B4B201059FEF64676DD96472F26EAD78D310F30442AD50ACB7D5CA68CC91C7B2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 17f829963f88450f735a77325a8fee59e44d72f8094da2fe6852ce3be7a09546
                                      • Instruction ID: 4a70fc9bcac2d87897fd396f54519f843ac1701a140f24482190a5050803f70b
                                      • Opcode Fuzzy Hash: 17f829963f88450f735a77325a8fee59e44d72f8094da2fe6852ce3be7a09546
                                      • Instruction Fuzzy Hash: 31516F74E002058FDF62AB69C481A7EF7F2EB45310F388926D656DB291C634D981CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d375d8875748d9c31c0e1444eebc67a912fa8229fae41400865d654154f7890
                                      • Instruction ID: 236b0ce77f3a2ec15a8414d243ce65af602dcf245e84355c9e444f792bf08cf5
                                      • Opcode Fuzzy Hash: 4d375d8875748d9c31c0e1444eebc67a912fa8229fae41400865d654154f7890
                                      • Instruction Fuzzy Hash: 2C415F71E006099FDF71DFA9D881AAFF7F2EB84310F20492AD116DB641D731E8558BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8bb69d6910a5fd21e6357ed12c058a9c25150dd86e077d326aaccdbaba840684
                                      • Instruction ID: 3a452a8945b94edaf8307cc1ae4cf75820f4ceec1658d144ab458bba63838b1d
                                      • Opcode Fuzzy Hash: 8bb69d6910a5fd21e6357ed12c058a9c25150dd86e077d326aaccdbaba840684
                                      • Instruction Fuzzy Hash: 1C31C870E107069FDF15EF69D95069EBBF2FF85304F208929E805AB640DB70A986C760
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ec3ad1a9a2cd1408a443103ff7244f01c995c038f7e4d200bab398dc9b0a771
                                      • Instruction ID: 210c5bc67a65cfc72f0423f9d1cb79f2fd8ad0e6052fc132676155726fd012ec
                                      • Opcode Fuzzy Hash: 0ec3ad1a9a2cd1408a443103ff7244f01c995c038f7e4d200bab398dc9b0a771
                                      • Instruction Fuzzy Hash: 6A316130E102099BDB49DFA4D95479EB7F2FF8A300F208529E906EB754DB719D46CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 797e595205473b53e915746bfff1d0f8b919b6cf0dbb57061fd17b5992ce9315
                                      • Instruction ID: a084784e95b564b3077646d758d9af68eb883a1e32ccb761b46dc93065b59853
                                      • Opcode Fuzzy Hash: 797e595205473b53e915746bfff1d0f8b919b6cf0dbb57061fd17b5992ce9315
                                      • Instruction Fuzzy Hash: A6318030E10209ABDB49DF64D95479EB7F6FF89300F208529E906EB354DB71AD46CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f8722e49b8aa9ef2399670a606ded5871e9e1f3a831fd0ed509aab5f8837995
                                      • Instruction ID: d5a43619f12ab3aec022e647dd92b25704d9086c74981358153f0ab54d6cfe4b
                                      • Opcode Fuzzy Hash: 5f8722e49b8aa9ef2399670a606ded5871e9e1f3a831fd0ed509aab5f8837995
                                      • Instruction Fuzzy Hash: CC217A75E012059FDF50DFB9D980AEEBBF1EB48310F208025E915EB390E635D8418BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 09287119ea1fc18ddbe3d5962c2a49c0a7f0cd6420d0846f5021b1743181cc71
                                      • Instruction ID: 58ebcd0c10cd2c533de52fe063616a73987d0dcee2a93cba6cd777e983230e4f
                                      • Opcode Fuzzy Hash: 09287119ea1fc18ddbe3d5962c2a49c0a7f0cd6420d0846f5021b1743181cc71
                                      • Instruction Fuzzy Hash: 43213B75E016159FDF50DFAAD980AAEB7F5EB48310F208025E915E7395E735EC408BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3253461772.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_131d000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8d8487a1326bcfe61c6b7b685a2fc21737dc714d7b934ee4ae63feff2822d495
                                      • Instruction ID: bff9ed9878b6675482034e73d908174e95f8bbfc6373a733af8c86bbeb6fe782
                                      • Opcode Fuzzy Hash: 8d8487a1326bcfe61c6b7b685a2fc21737dc714d7b934ee4ae63feff2822d495
                                      • Instruction Fuzzy Hash: 6D2134B1504244DFDB19DF98D9C8B26BBA5EB85318F24C66DD8094B24AC33AD847CA62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c0e27941fb85419b2507b3a4d632f65d72852d44d39cc0bc8aabe345ff0d8dd8
                                      • Instruction ID: 077abc142ce817db0f4b75c886c8f76ac9f4ecfb4b65274daed1a23b52632c35
                                      • Opcode Fuzzy Hash: c0e27941fb85419b2507b3a4d632f65d72852d44d39cc0bc8aabe345ff0d8dd8
                                      • Instruction Fuzzy Hash: CE119371E002199FCF68EB78D9815DEF7F2EF89310F208569E006EB244DA318D41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 22bb5d819f10254841e797987cece389a671ffd005edd2c46fa71f97d37deda8
                                      • Instruction ID: db8887f04fdb14be21a3c5c97216451da7a6009dfef9ef4dbdc8c6e99dea654d
                                      • Opcode Fuzzy Hash: 22bb5d819f10254841e797987cece389a671ffd005edd2c46fa71f97d37deda8
                                      • Instruction Fuzzy Hash: D611A536B005294BDF549A69C9146AE73FAEBC8710F104536D406EB384DE64DC0687A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9682f8e467a3baeb908a1c85e5b35c635e492a4443ea0fa72772d08fc82afc3a
                                      • Instruction ID: 3a041fed634cdd69e6f51585279ffa289514bba1278f782ffffeb821655eaf86
                                      • Opcode Fuzzy Hash: 9682f8e467a3baeb908a1c85e5b35c635e492a4443ea0fa72772d08fc82afc3a
                                      • Instruction Fuzzy Hash: FE019E31B000115BEB65E6BD9554B1BBBDBEBC9620F248479E50ECB354ED25DC4343A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec2dd81213af7ccea97aa2882a36fd06a7d50eb28de8db5e2eeb02592db79c3b
                                      • Instruction ID: 6fd9167eb1ae16318dbf25da3158df8a333affb2a3513719bfbc065dee86d22c
                                      • Opcode Fuzzy Hash: ec2dd81213af7ccea97aa2882a36fd06a7d50eb28de8db5e2eeb02592db79c3b
                                      • Instruction Fuzzy Hash: 2E21F2B5C01259AFCB10DF9AD884ACEFFB4FB49310F10812AE918A7200C774A954CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b1190d60fdf5053957ebbcfc3d050623a04fad07c2b5f4fc43c7ebd256d4d21
                                      • Instruction ID: 38cf07ddd1cc2e4594d52878e0070506e07844b585b3cc3fb7ef9ac78bb19542
                                      • Opcode Fuzzy Hash: 1b1190d60fdf5053957ebbcfc3d050623a04fad07c2b5f4fc43c7ebd256d4d21
                                      • Instruction Fuzzy Hash: AC017C31B000125BDF65E77C9560B6EA7E7EBC9620F30893AE40ACB346EA65DC534791
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3253461772.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_131d000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e64fc474496645f77accdbd1a3ad286c5c0c617209a35917f0f7eb2d8cd15d48
                                      • Instruction ID: cfa51f6464091a8c426eb68faf1bf1864569c1b4a438825516192264cb276326
                                      • Opcode Fuzzy Hash: e64fc474496645f77accdbd1a3ad286c5c0c617209a35917f0f7eb2d8cd15d48
                                      • Instruction Fuzzy Hash: 8D110D75504280CFCB16CF58D9C8B15FFA1FB84318F28C6AAD8494B65AC33AD44ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b36051fc6ef1530118a8ad4a0e0f42d82d25c624a808cbaadbfbd364fcb2cd0e
                                      • Instruction ID: 5aea9cb202a579f5c95939e45af765f8a8e168ecb286c8a653135072a4ef9af5
                                      • Opcode Fuzzy Hash: b36051fc6ef1530118a8ad4a0e0f42d82d25c624a808cbaadbfbd364fcb2cd0e
                                      • Instruction Fuzzy Hash: 6201D476B000295BDF54DABDD9206EF77FADBC9310F24413AE40ADB380EE649C0687A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5076a05bb22ba831c53688fac2e4bd7a18132329e3da0e6e56be5ba09ce9c5b5
                                      • Instruction ID: 4af65fb53517f9a78f983dbc5b2c6d99649e19937b54e87610bf3c357e82d8fc
                                      • Opcode Fuzzy Hash: 5076a05bb22ba831c53688fac2e4bd7a18132329e3da0e6e56be5ba09ce9c5b5
                                      • Instruction Fuzzy Hash: FC11D0B5D01259AFCB00DF9AD884ACEFFB4FB49310F10812AE918B7200C374A954CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e42a19d37bdfe542e1e294e8d679032e772e1464b40697eac064e74abc325da1
                                      • Instruction ID: 7624e893211f0cfb16f6f763b1525eb8a24ddd7574c79f359e6cc7b5b66f9181
                                      • Opcode Fuzzy Hash: e42a19d37bdfe542e1e294e8d679032e772e1464b40697eac064e74abc325da1
                                      • Instruction Fuzzy Hash: D6014631B100114BEBA4A6BD955472BB7DBEBC9720F308839E50ECB394ED65DC4343A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a4188610beb2e857f94863e88171cc47eabeeea7c2befa7f37155c97da35087
                                      • Instruction ID: 55cb99433eb969210b4c61567a732082f3b1a561e75e36cbb24dbbf72800a12c
                                      • Opcode Fuzzy Hash: 2a4188610beb2e857f94863e88171cc47eabeeea7c2befa7f37155c97da35087
                                      • Instruction Fuzzy Hash: E4017135B001115FDB60EB3CE59076FB3E2EB85714F30892AE50ACB395DA25ED528790
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 467f06f9640d7d2745fbb5c31e3519a2a585b1be6072879c5f6d2f2a8877436c
                                      • Instruction ID: 4cf5eef05872df87d3c9d63aa8d5372bf81743c896589f812e0b99fae11372bc
                                      • Opcode Fuzzy Hash: 467f06f9640d7d2745fbb5c31e3519a2a585b1be6072879c5f6d2f2a8877436c
                                      • Instruction Fuzzy Hash: 26018C31B100161BDF65E76C9560B2EA3DBEBC9620F30883AE50ACB381EE25DC4243A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f2e60f92012c0832a74477df4439aae4a9cf1e8db313862064564c3e9983f4bf
                                      • Instruction ID: f0a905157cf40fc0ba1acdee2baf7ecec518bbd3e3ca4c6e80d893d81565264e
                                      • Opcode Fuzzy Hash: f2e60f92012c0832a74477df4439aae4a9cf1e8db313862064564c3e9983f4bf
                                      • Instruction Fuzzy Hash: 79018139B101154BDB60EB7DE55071FF3E6E789720F30882AE60ACB390DE25EC424390
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f75210e93a5c57527946da80a843a159fe3bc12f6d6e2ba353f7abdf38d8c39b
                                      • Instruction ID: 2e38745222e26844fefa5cbe4caeb5018ced35f48b69e599a13dc8f2e68400f9
                                      • Opcode Fuzzy Hash: f75210e93a5c57527946da80a843a159fe3bc12f6d6e2ba353f7abdf38d8c39b
                                      • Instruction Fuzzy Hash: 46F0F671E002195BDF64A76CD54069EBBE6EB85324F20443EE50DEB340D6219C0583D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7cf2e5298770e77ddbe40627d215d6e27de419191c0efe73ae92e105ba7c5d29
                                      • Instruction ID: a56f699f844cc775a1ced5d30643e5c3188323decfc985db46e64bab442032bc
                                      • Opcode Fuzzy Hash: 7cf2e5298770e77ddbe40627d215d6e27de419191c0efe73ae92e105ba7c5d29
                                      • Instruction Fuzzy Hash: E8F0A732E202289BDF546765D81099AB7B9E784664F104439ED01A7244D6356C04C7D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 27d735475ffcebc815aad594c024afeee4e62fa9f7805218ef60768f6154fe47
                                      • Instruction ID: 0e81002b197612d7af28aedef234eb9a37b130da0587b331f523e2f24f4079bf
                                      • Opcode Fuzzy Hash: 27d735475ffcebc815aad594c024afeee4e62fa9f7805218ef60768f6154fe47
                                      • Instruction Fuzzy Hash: 79E0D871E281445BEF50EFB08B1475A7BF6DB82244F3188A6C444CF101E175CE018BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                      • API String ID: 0-539408830
                                      • Opcode ID: fcf17c354d2f0cf0599da24b72e5eec6fa356f20bb25e923a60655573c1eb610
                                      • Instruction ID: a5921dc75674e634d88554b53bcfd2f39e6569c904acd83212f46e324c299bc4
                                      • Opcode Fuzzy Hash: fcf17c354d2f0cf0599da24b72e5eec6fa356f20bb25e923a60655573c1eb610
                                      • Instruction Fuzzy Hash: 8C121C30A1021ACFDF64EF69C954A9EB7F2BF89304F208569D406AB355DB34DD85CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                      • API String ID: 0-3377385791
                                      • Opcode ID: ccd39213ac6ed598c6bfbaece18d6a217c179efc93268a910603b2e1ee784753
                                      • Instruction ID: 028cf6b37e108c5b64dfd07c02eac62719ce75b8d8a224a7c36cd2153c6c2f03
                                      • Opcode Fuzzy Hash: ccd39213ac6ed598c6bfbaece18d6a217c179efc93268a910603b2e1ee784753
                                      • Instruction Fuzzy Hash: 01914E30A1020ADFDF64EB65DA5476EB7F2FF84304F30852AE511AB291DB749D85CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .5{q$$cq$$cq$$cq$$cq$$cq$$cq
                                      • API String ID: 0-986819311
                                      • Opcode ID: 63c7536fbc9dfb1f5012c2c66ed6ca8bf5612dbfcc0cb1bb8778076d6ec58c10
                                      • Instruction ID: 04379b24db2cf713611ca74d52066d86cb7023c7a0422babc8bf9d5fe64bc827
                                      • Opcode Fuzzy Hash: 63c7536fbc9dfb1f5012c2c66ed6ca8bf5612dbfcc0cb1bb8778076d6ec58c10
                                      • Instruction Fuzzy Hash: 9EF14A34B10209CFDB59EBA9D554A6EB7F2FF88304F208569D4159B394DB35EC82CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq
                                      • API String ID: 0-2876200767
                                      • Opcode ID: 04581fb9183ec9dac0fd65e329304e500db681d4620692ee719b590c4d99c4ad
                                      • Instruction ID: aa24f6cfe7867ff2f6af2760964e5d9a2a4c28bc2083e38b2be55560d7c8b07a
                                      • Opcode Fuzzy Hash: 04581fb9183ec9dac0fd65e329304e500db681d4620692ee719b590c4d99c4ad
                                      • Instruction Fuzzy Hash: 80B12930A102098FDF64EF69D5906AEB7F2FF85304F248929D4059B395DB79DC86CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRcq$LRcq$$cq$$cq
                                      • API String ID: 0-2876661331
                                      • Opcode ID: a481b91544134fb8bc1fa7b738d1d05d6c47578cce62ab1cd12375e2a39a238f
                                      • Instruction ID: 4ebda5fb96d7d6d4daa39ba53792e668d904353943b6cdfd9117ea611f917b45
                                      • Opcode Fuzzy Hash: a481b91544134fb8bc1fa7b738d1d05d6c47578cce62ab1cd12375e2a39a238f
                                      • Instruction Fuzzy Hash: A651A630B102019FDF58EB29D950A6AB7F2FF89354F208969E4159F3A5DB34EC40CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $cq$$cq$$cq$$cq
                                      • API String ID: 0-2876200767
                                      • Opcode ID: 59294a5915033ce2001eb50ca69a5adf1b3f14f0c4f797cac7e20c66e9a6f2f2
                                      • Instruction ID: 50a025c71cfd19606ef8c344bf2b41a30632fd31eb50d712243446828c3fed63
                                      • Opcode Fuzzy Hash: 59294a5915033ce2001eb50ca69a5adf1b3f14f0c4f797cac7e20c66e9a6f2f2
                                      • Instruction Fuzzy Hash: 8B518234E102159FDF65EB68D5806AEB3F2EB85314F34852AE916DB350DB35EC41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%
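Added example, not part of the Joe Sandbox report: a small Python triage helper that parses the per-function "Memory Dump Source" records above into structured fields and flags dumps whose region looks like injected code rather than a loaded module. The process index, series and base address are read from the `.sdmp` name and cross-checked against the Snapshot File name (`hcaresult_5_2_6a90000_...`) and the `Offset` field, both of which the report itself shows for these entries. Treating the fifth dotted field of the dump name as the page protection and the seventh as the region type (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE) is an assumption about Joe Sandbox's dump-naming scheme, not something the page states; the first sample record is copied from the report above, the second is constructed to show a PE-backed image region that the check rejects.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows memory constants (documented values from <winnt.h>).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                          PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Sample input. Record 1 is copied from the report above; record 2 is
# constructed (a fictitious PE-backed image region) to show a non-match.
SAMPLE = """\
Memory Dump Source
• Source File: 00000005.00000002.3262083715.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a90000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $cq$$cq$$cq$$cq
• API String ID: 0-2876200767
Memory Dump Source
• Source File: 00000005.00000002.3262083715.0000000000400000.00000002.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
"""

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*(?P<snap>\S+)")
STRING_RE = re.compile(r"String ID:\s*(?P<s>.*)")
HCA_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_")


@dataclass
class DumpRecord:
    process_index: int
    series: int
    base: int
    protect: int       # assumed: MEMORY_BASIC_INFORMATION.Protect
    region_type: int   # assumed: MEMORY_BASIC_INFORMATION.Type
    based_on_pe: bool
    snapshot: Optional[str]
    string_id: str


def parse_dump_name(name: str) -> dict:
    """Split an 8-field Joe Sandbox .sdmp name into integers (hex fields).
    Field meaning for index 4 (protection) and 6 (region type) is assumed."""
    fields = name.split(".")
    if len(fields) != 9 or fields[-1] != "sdmp":
        raise ValueError(f"unexpected dump name layout: {name}")
    return {"process_index": int(fields[0], 16), "series": int(fields[1], 16),
            "base": int(fields[3], 16), "protect": int(fields[4], 16),
            "region_type": int(fields[6], 16)}


def parse_records(text: str) -> List[DumpRecord]:
    """Turn each 'Memory Dump Source' block into a DumpRecord, verifying that
    the Offset field agrees with the base address encoded in the file name."""
    records = []
    for block in text.split("Memory Dump Source")[1:]:
        m = SOURCE_RE.search(block)
        if not m:
            continue
        f = parse_dump_name(m["name"])
        if int(m["offset"], 16) != f["base"]:
            raise ValueError("Offset does not match base encoded in dump name")
        snap = SNAPSHOT_RE.search(block)
        sid = STRING_RE.search(block)
        records.append(DumpRecord(
            process_index=f["process_index"], series=f["series"], base=f["base"],
            protect=f["protect"], region_type=f["region_type"],
            based_on_pe=(m["pe"].lower() == "true"),
            snapshot=snap["snap"] if snap else None,
            string_id=sid["s"].strip() if sid else ""))
    return records


def snapshot_matches(rec: DumpRecord) -> bool:
    """Cross-check: hcaresult_<process>_<series>_<base>_ must agree with the dump name."""
    m = HCA_RE.match(rec.snapshot or "")
    return bool(m) and (int(m[1]), int(m[2]), int(m[3], 16)) == (
        rec.process_index, rec.series, rec.base)


def is_injected_code_candidate(rec: DumpRecord) -> bool:
    """Executable, privately allocated and not backed by a PE image: the region
    shape left behind when code is written into a host process such as RegAsm."""
    return (rec.protect in EXECUTABLE_PROTECTIONS
            and rec.region_type == MEM_PRIVATE
            and not rec.based_on_pe)


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(f"proc={r.process_index} base=0x{r.base:X} protect=0x{r.protect:X} "
              f"type=0x{r.region_type:X} pe={r.based_on_pe} "
              f"injected_candidate={is_injected_code_candidate(r)}")
```

Run over a whole report, the candidate filter reduces hundreds of per-function entries to the handful of dump regions worth pulling into a disassembler first; the snapshot cross-check catches records whose fields were mangled by copy-and-paste before they reach a case file.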