Edit tour

Windows Analysis Report
Dhl Express Shipping Docs .pdf.exe

Overview

General Information

Sample name:	Dhl Express Shipping Docs .pdf.exe
Analysis ID:	1430785
MD5:	e7d52516ca8bcf4e8bcaf71a36a88300
SHA1:	d5a7eaad95ab6d4e492b128db0cf550c34170c90
SHA256:	8df5ecbc8ea978c98c9c3a0918fe9ee233f169ee9e3d38855b7da8fc96aad8dc
Tags:	DHLexeFormbook
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Dhl Express Shipping Docs .pdf.exe (PID: 7060 cmdline: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe" MD5: E7D52516CA8BCF4E8BCAF71A36A88300)

powershell.exe (PID: 6980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7504 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7300 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

emaGqYHYeYNHas.exe (PID: 7404 cmdline: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe MD5: E7D52516CA8BCF4E8BCAF71A36A88300)

schtasks.exe (PID: 7672 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "director@koddy.co.in", "Password": "u(!IUDW7"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.1431070123.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2609746295.0000000002932000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2609746295.000000000290E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7308	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: emaGqYHYeYNHas.exe PID: 7404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7740	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7740	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32313:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32385:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3240f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3250b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3257d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32613:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32313:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32385:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3240f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3250b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3257d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32613:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34113:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34185:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3420f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3430b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3437d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34413:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34113:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f533:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34185:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5a5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3420f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f62f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f6c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3430b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f72b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3437d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f79d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34413:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f833:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f8c3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34113:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f733:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaab53:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34185:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f7a5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaabc5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3420f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f82f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaac4f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f8c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaace1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3430b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f92b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaad4b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3437d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f99d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaadbd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34413:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fa33:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaae53:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", CommandLine: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", CommandLine|base64offset|contains: kz, Image: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, NewProcessName: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, OriginalFileName: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ProcessId: 7060, ProcessName: Dhl Express Shipping Docs .pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ParentImage: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, ParentProcessId: 7060, ParentProcessName: Dhl Express Shipping Docs .pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ProcessId: 6980, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe, ParentImage: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe, ParentProcessId: 7404, ParentProcessName: emaGqYHYeYNHas.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp", ProcessId: 7672, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7308, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ParentImage: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, ParentProcessId: 7060, ParentProcessName: Dhl Express Shipping Docs .pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp", ProcessId: 6296, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ParentImage: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, ParentProcessId: 7060, ParentProcessName: Dhl Express Shipping Docs .pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ProcessId: 6980, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe", ParentImage: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe, ParentProcessId: 7060, ParentProcessName: Dhl Express Shipping Docs .pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp", ProcessId: 6296, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Dhl Express Shipping Docs .pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe

Avira: detection malicious, Label: HEUR/AGEN.1309858

Found malware configuration

Source: 11.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "director@koddy.co.in", "Password": "u(!IUDW7"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Virustotal: Detection: 40%			Perma Link

Multi AV Scanner detection for submitted file

Source: Dhl Express Shipping Docs .pdf.exe	Virustotal: Detection: 40%			Perma Link
Source: Dhl Express Shipping Docs .pdf.exe	ReversingLabs: Detection: 36%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Dhl Express Shipping Docs .pdf.exe

Joe Sandbox ML: detected

Source: Dhl Express Shipping Docs .pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Dhl Express Shipping Docs .pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 4x nop then jmp 07A3208Ah		0_2_07A321AC
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 4x nop then jmp 0985163Ah		12_2_0985175C

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 208.91.199.223:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1426674890.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1404824641.0000000003381000.00000004.00000800.00020000.00000000.sdmp, Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1404824641.0000000003612000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, emaGqYHYeYNHas.exe, 0000000C.00000002.1446811774.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, emaGqYHYeYNHas.exe, 0000000C.00000002.1446811774.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.000000000290E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: Dhl Express Shipping Docs .pdf.exe, Book.cs

Large array initialization: : array initializer size 554226

.NET source code contains very large strings

Source: Dhl Express Shipping Docs .pdf.exe, Form1.cs

Long String: Length: 129808

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Dhl Express Shipping Docs .pdf.exe

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_0326DFCC	0_2_0326DFCC
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078BD4D8	0_2_078BD4D8
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078BE2C0	0_2_078BE2C0
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078B5011	0_2_078B5011
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078B3028	0_2_078B3028
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078B3038	0_2_078B3038
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078BBE30	0_2_078BBE30
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078BDDB0	0_2_078BDDB0
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078BB9F8	0_2_078BB9F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0111A8C8	11_2_0111A8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0111EB60	11_2_0111EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01114AC0	11_2_01114AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0111AD20	11_2_0111AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01113EA8	11_2_01113EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_011141F0	11_2_011141F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E65F8	11_2_063E65F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063EB230	11_2_063EB230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E2360	11_2_063E2360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E51B0	11_2_063E51B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063EC1A8	11_2_063EC1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E7D80	11_2_063E7D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E76A0	11_2_063E76A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063EE3C0	11_2_063EE3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E0040	11_2_063E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E58F0	11_2_063E58F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063E0006	11_2_063E0006
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_02B4DFCC	12_2_02B4DFCC
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_05261184	12_2_05261184
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_05260006	12_2_05260006
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_05260040	12_2_05260040
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_05261FF1	12_2_05261FF1
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973B9F8	12_2_0973B9F8
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_09730BA0	12_2_09730BA0
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_09730B9B	12_2_09730B9B
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973DDB0	12_2_0973DDB0
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973DD9F	12_2_0973DD9F
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973BE30	12_2_0973BE30
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_09733038	12_2_09733038
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_09733028	12_2_09733028
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973E2C0	12_2_0973E2C0
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973E2B9	12_2_0973E2B9
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973D4D8	12_2_0973D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_02714AC0	18_2_02714AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0271EB60	18_2_0271EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0271A8C8	18_2_0271A8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_02713EA8	18_2_02713EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0271AD20	18_2_0271AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_027141F0	18_2_027141F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061DAB74	18_2_061DAB74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061DC2F8	18_2_061DC2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061DA854	18_2_061DA854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061DDEB0	18_2_061DDEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F65F8	18_2_061F65F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061FB230	18_2_061FB230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F2360	18_2_061F2360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F51B0	18_2_061F51B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061FC1A8	18_2_061FC1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F7D80	18_2_061F7D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F76A0	18_2_061F76A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061FE3C0	18_2_061FE3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F0040	18_2_061F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F58F0	18_2_061F58F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061F0006	18_2_061F0006

Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1413117517.000000000A690000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1404824641.0000000003381000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename181c5655-392f-449d-a50a-3258bb70d9df.exe4 vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411646480.0000000007F37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerS, vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000000.1363495573.0000000001034000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameObtP.exeF vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1410498182.0000000005E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1403732762.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1405794257.000000000502B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename181c5655-392f-449d-a50a-3258bb70d9df.exe4 vs Dhl Express Shipping Docs .pdf.exe
Source: Dhl Express Shipping Docs .pdf.exe	Binary or memory string: OriginalFilenameObtP.exeF vs Dhl Express Shipping Docs .pdf.exe

Source: Dhl Express Shipping Docs .pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Dhl Express Shipping Docs .pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: emaGqYHYeYNHas.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, gFZLHtVi1cnGoMlI5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, gFZLHtVi1cnGoMlI5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, L91crkTO3pohiQSalL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, L91crkTO3pohiQSalL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, L91crkTO3pohiQSalL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, L91crkTO3pohiQSalL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, L91crkTO3pohiQSalL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, L91crkTO3pohiQSalL.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/15@2/2

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

File created: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Mutant created: \Sessions\1\BaseNamedObjects\IYXdPnPRUIEDkqCRQgkG

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB967.tmp

Jump to behavior

Source: Dhl Express Shipping Docs .pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Dhl Express Shipping Docs .pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Dhl Express Shipping Docs .pdf.exe	Virustotal: Detection: 40%
Source: Dhl Express Shipping Docs .pdf.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

File read: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Dhl Express Shipping Docs .pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Dhl Express Shipping Docs .pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Dhl Express Shipping Docs .pdf.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, L91crkTO3pohiQSalL.cs	.Net Code: TxoauTJ0xogNZ27m00j System.Reflection.Assembly.Load(byte[])
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, L91crkTO3pohiQSalL.cs	.Net Code: TxoauTJ0xogNZ27m00j System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_078B479E pushfd ; iretd	0_2_078B479F
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Code function: 0_2_07A34F75 push FFFFFF8Bh; iretd	0_2_07A34F77
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0973479E pushfd ; iretd	12_2_0973479F
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Code function: 12_2_0985451D push FFFFFF8Bh; iretd	12_2_0985451F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_061D53E0 push es; ret	18_2_061D53F0

Source: Dhl Express Shipping Docs .pdf.exe	Static PE information: section name: .text entropy: 7.109679695826465
Source: emaGqYHYeYNHas.exe.0.dr	Static PE information: section name: .text entropy: 7.109679695826465

Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, SpLaMOR3l4FeepxgUP.cs	High entropy of concatenated method names: 'bEiUP2Axeo', 'sWJUo96Cul', 'SbBU2wGLnV', 'Px7Ui3ZV2c', 'dOrUeO8gD5', 'PwyUOGS75B', 'M5EUJv22Pn', 'MbVUyJ6tRH', 'SltUdIy4RL', 'uwBUlLqMJr'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, VkmGye69RAYTxLxc2O.cs	High entropy of concatenated method names: 'teFsdx1EM4', 'FnMsgUIqNJ', 'b2MsXCXEi0', 'zPws9Vfhkv', 'FJ6siwg2iG', 'Pi8sA9krXQ', 'TTQseaUY7j', 'M2AsO3mcbb', 'VPIsIUMuio', 'WcfsJDRLpT'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, MGZb7lH7pkEf94MkqI.cs	High entropy of concatenated method names: 'UCvk5dtpdw', 'SbLkEiPnVb', 'ToString', 'A0gkty6ieJ', 'yq7k71aFRC', 'sGhkr6Pblx', 'DtokwPBKF9', 'SaKkuhvBN4', 'RGskZ7XN9q', 'FdVkVSo6CS'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, L91crkTO3pohiQSalL.cs	High entropy of concatenated method names: 'snQRK16LYq', 'BIvRt3cUxP', 'zNZR7J5wIJ', 'x8eRrpk8bd', 'YrhRwnACcK', 'EWfRuaUndK', 'FxARZOYJ4s', 'u7VRVcaisG', 'yhwRMgTqmS', 'bA7R5OaMHZ'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, kpYgb9D6Ff7fSuWovH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QkpmqQGXs9', 'YIvmxnoxVc', 'va5mzCCXtv', 'UaCR6B3BKe', 'ie0Raim06b', 'dIXRmquicH', 'i6aRR9fsOj', 'GKsEYAJ8UU7tT3LIDoN'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, aPihqT8BP7X01FASs8.cs	High entropy of concatenated method names: 'rG5ZfjVhIb', 'H8ZZBOto4S', 'uTmZFIhp5W', 'Xy2ZGebsLc', 'x6aZ309bjZ', 'evIZhV1PsZ', 'cr9ZCf1n6V', 'isxZPykJqG', 'tIGZopRDJh', 'PqwZN4Umkh'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, j1wTVNcYjWdZ0KBQ7U.cs	High entropy of concatenated method names: 'BCru1IpkjF', 'w5nuflNGDg', 'RW0uF5sKK6', 'zy8uG8vvAk', 'QrJuhhwdKU', 'dobuCxq21v', 'mBvuoj5LQi', 'Xj0uNdd2m0', 'VKZuy32CLqVGjDW0qKY', 'MaieSU2tbAUYMMiTSE0'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, wTgVfNuCI3uwOPGUST.cs	High entropy of concatenated method names: 'pnXWaSe4Iu', 'ObPWR1UYrd', 'OXSWYmLNdI', 'KkEWtdm9V8', 'JRJW7nQHA1', 'L8VWweWP0d', 'BiVWuCWTeu', 'mPqTpq40mF', 'mtBT0r0mYB', 'M6HTqVNwse'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, gkISpNzrNpOGGickBX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nq2WULKJ4h', 'Sv4WsE9DVF', 'IG4WSXCYnU', 'nmYWkB9BeQ', 'V79WTStt9p', 'haTWWsdHtM', 'qsyWb5ruRL'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, w9mrUcoAIVkS8af7j1.cs	High entropy of concatenated method names: 'Dispose', 'ENnaqkRbsA', 'RsAmiFjqEu', 'jkDDDOJkvs', 'mxNaxGrqIk', 'RcHazgInEB', 'ProcessDialogKey', 'w76m60bhta', 'utSmaeO7St', 'qBGmm6xyAV'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, PatEWljIDc1m3P6XAa.cs	High entropy of concatenated method names: 'zb7k0vfSLY', 'NKlkxa2oNP', 'PKrT6h7CEu', 'K5VTaG6V7d', 'WZPklgqAUd', 'mBJkgje4kV', 'avLk4LwFJh', 'spkkXQ368n', 'RYxk9GyAEa', 'dg0kLZg63v'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, AvAgEHF7qrr70lpNOx.cs	High entropy of concatenated method names: 'NfGZtfoxRI', 'aZfZrKEaBJ', 'LA6ZuLutY5', 'pLSuxAe9CT', 'msduztIaEY', 'YmgZ6q1gB5', 'o3VZaZRgO1', 'p5pZm8DQun', 'eu2ZR1urOy', 'Nw4ZY26nBU'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, UajKYRILGVIbZJEpcb.cs	High entropy of concatenated method names: 'g5huKPCs5P', 'PIlu7dB7Dt', 'qjNuwb4O5u', 't6UuZAGnt8', 'H7ZuVNSfHC', 'Rp2wjace4a', 'GxTw8KxBte', 'pbdwpf0Gnm', 'Cksw0AKUF6', 'MjmwqcsE70'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, JfvSQw9dPmHZN4rpEr.cs	High entropy of concatenated method names: 'r9oFhXbn8', 'zVOGfZXDe', 'CuihkQN59', 'MZwCEWLLO', 'CFcobm0ix', 'oeYNvi18q', 'FEAWw1B04kjIymRxfk', 'atCqBinlfA46epT0uX', 'wCGTMrlkf', 'Jq3b4gWgp'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, q7S4syNbpmpA69hF6g.cs	High entropy of concatenated method names: 'ToString', 'N2FSlwRNH3', 'SuDSi2gGuB', 'WwASAEZ5f7', 'GlESekt0fZ', 'uc1SOQla3Y', 'wQMSIh9ged', 'oQTSJiQnLy', 'xdvSymR0ap', 'asyScdWgYW'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, f14LtGhlsArLGlCSZq.cs	High entropy of concatenated method names: 'CxPTt5IRhw', 'b6RT7kLaA5', 'obiTrAqCK5', 'C6pTwbhmZ2', 'G3STuIUSe4', 'DvPTZFD5Hv', 'cBLTVegGhB', 'fZyTMX1rdd', 'NsUT5XgPGx', 'nAGTES9vfV'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, QQ0ZQOfY6Ee2hmJYbs.cs	High entropy of concatenated method names: 'Ay0rG0j2Fs', 'bb0rhifsPc', 'SFkrPwLYa2', 'ocGrokRjvs', 'd5GrsC6JLK', 'N8VrSFvxym', 'GjArk3d0po', 'OXFrTANyDC', 'jv5rWaIR4q', 'OffrbUo70B'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, RE2ydl5EZwof1RDpK8.cs	High entropy of concatenated method names: 'N8RaZjYw6k', 'weUaVNdqa4', 'MJTa5C7JrG', 'WqWaEEUvs1', 'DQJasgOfbA', 'lbiaSjBmT9', 'MQaSfMrUtkilH5eHHr', 'bxUCUcH4KRXHo7uXtx', 'KFKaa4Mpn3', 'AigaR8f4gh'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, uRCQhtlE1kRh0amnF1N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'q7FbXqlJKy', 'fnQb9cRgwY', 'WpQbLxngjv', 'uWObQZ1gnE', 'dFPbjMXEZm', 'KoFb8GZKtU', 'SPCbp38BM1'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, di82O4q6Uj53JxhWtk.cs	High entropy of concatenated method names: 'KOFjm62Rp3A6IaNaCZT', 'YNbXO52s25pHU1XVr6D', 'tCduTCLqZB', 'HEGuWnTt0x', 'uRFubUtihX', 'kmkSpm2V8K7Z0j4w9Pm', 'iDeFI02hgUA9DVGRfCv'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, bG8EMWkQddhC83cZ0X.cs	High entropy of concatenated method names: 'PILw3wkl6t', 'f4hwCfVkP3', 'TttrATBG7L', 'TaTrelgQQQ', 'JkbrOrKGAZ', 't3DrIXXRGD', 'ES7rJvWhhO', 'WRQryWsV9j', 'jFvrcZogjT', 'dpFrdT2HNv'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, UZvCihlpSA4KvawtT1t.cs	High entropy of concatenated method names: 'yMgWfVXKQc', 'JwdWBBCgVd', 'BvVWF3ckb1', 'AmwWGrZQJh', 'yAYW38VBJi', 'Q55WhJTFQF', 'iY9WC3ocIW', 'b4WWPoDA7M', 'afhWoqTPZi', 'eQvWNrEFmy'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, gFZLHtVi1cnGoMlI5C.cs	High entropy of concatenated method names: 'V8u7XW40nb', 'HVd797NJDB', 't5A7Ll6Cm5', 'HkE7Q5iG08', 'cr57jGg8XH', 'C7t78gTwTf', 'NTG7pPZnJV', 'ERT7000qO2', 'aFL7qSo6rv', 'nSR7x5y77m'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.a690000.12.raw.unpack, EdBOgyLQlxy8sD4Z9O.cs	High entropy of concatenated method names: 'wd4T2ilEop', 'pPdTiPCtyh', 'kk3TAntnOn', 'GWPTeSoKNp', 'VmSTXxn4ST', 'HEpTOh3W5Y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, SpLaMOR3l4FeepxgUP.cs	High entropy of concatenated method names: 'bEiUP2Axeo', 'sWJUo96Cul', 'SbBU2wGLnV', 'Px7Ui3ZV2c', 'dOrUeO8gD5', 'PwyUOGS75B', 'M5EUJv22Pn', 'MbVUyJ6tRH', 'SltUdIy4RL', 'uwBUlLqMJr'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, VkmGye69RAYTxLxc2O.cs	High entropy of concatenated method names: 'teFsdx1EM4', 'FnMsgUIqNJ', 'b2MsXCXEi0', 'zPws9Vfhkv', 'FJ6siwg2iG', 'Pi8sA9krXQ', 'TTQseaUY7j', 'M2AsO3mcbb', 'VPIsIUMuio', 'WcfsJDRLpT'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, MGZb7lH7pkEf94MkqI.cs	High entropy of concatenated method names: 'UCvk5dtpdw', 'SbLkEiPnVb', 'ToString', 'A0gkty6ieJ', 'yq7k71aFRC', 'sGhkr6Pblx', 'DtokwPBKF9', 'SaKkuhvBN4', 'RGskZ7XN9q', 'FdVkVSo6CS'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, L91crkTO3pohiQSalL.cs	High entropy of concatenated method names: 'snQRK16LYq', 'BIvRt3cUxP', 'zNZR7J5wIJ', 'x8eRrpk8bd', 'YrhRwnACcK', 'EWfRuaUndK', 'FxARZOYJ4s', 'u7VRVcaisG', 'yhwRMgTqmS', 'bA7R5OaMHZ'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, kpYgb9D6Ff7fSuWovH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QkpmqQGXs9', 'YIvmxnoxVc', 'va5mzCCXtv', 'UaCR6B3BKe', 'ie0Raim06b', 'dIXRmquicH', 'i6aRR9fsOj', 'GKsEYAJ8UU7tT3LIDoN'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, aPihqT8BP7X01FASs8.cs	High entropy of concatenated method names: 'rG5ZfjVhIb', 'H8ZZBOto4S', 'uTmZFIhp5W', 'Xy2ZGebsLc', 'x6aZ309bjZ', 'evIZhV1PsZ', 'cr9ZCf1n6V', 'isxZPykJqG', 'tIGZopRDJh', 'PqwZN4Umkh'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, j1wTVNcYjWdZ0KBQ7U.cs	High entropy of concatenated method names: 'BCru1IpkjF', 'w5nuflNGDg', 'RW0uF5sKK6', 'zy8uG8vvAk', 'QrJuhhwdKU', 'dobuCxq21v', 'mBvuoj5LQi', 'Xj0uNdd2m0', 'VKZuy32CLqVGjDW0qKY', 'MaieSU2tbAUYMMiTSE0'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, wTgVfNuCI3uwOPGUST.cs	High entropy of concatenated method names: 'pnXWaSe4Iu', 'ObPWR1UYrd', 'OXSWYmLNdI', 'KkEWtdm9V8', 'JRJW7nQHA1', 'L8VWweWP0d', 'BiVWuCWTeu', 'mPqTpq40mF', 'mtBT0r0mYB', 'M6HTqVNwse'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, gkISpNzrNpOGGickBX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nq2WULKJ4h', 'Sv4WsE9DVF', 'IG4WSXCYnU', 'nmYWkB9BeQ', 'V79WTStt9p', 'haTWWsdHtM', 'qsyWb5ruRL'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, w9mrUcoAIVkS8af7j1.cs	High entropy of concatenated method names: 'Dispose', 'ENnaqkRbsA', 'RsAmiFjqEu', 'jkDDDOJkvs', 'mxNaxGrqIk', 'RcHazgInEB', 'ProcessDialogKey', 'w76m60bhta', 'utSmaeO7St', 'qBGmm6xyAV'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, PatEWljIDc1m3P6XAa.cs	High entropy of concatenated method names: 'zb7k0vfSLY', 'NKlkxa2oNP', 'PKrT6h7CEu', 'K5VTaG6V7d', 'WZPklgqAUd', 'mBJkgje4kV', 'avLk4LwFJh', 'spkkXQ368n', 'RYxk9GyAEa', 'dg0kLZg63v'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, AvAgEHF7qrr70lpNOx.cs	High entropy of concatenated method names: 'NfGZtfoxRI', 'aZfZrKEaBJ', 'LA6ZuLutY5', 'pLSuxAe9CT', 'msduztIaEY', 'YmgZ6q1gB5', 'o3VZaZRgO1', 'p5pZm8DQun', 'eu2ZR1urOy', 'Nw4ZY26nBU'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, UajKYRILGVIbZJEpcb.cs	High entropy of concatenated method names: 'g5huKPCs5P', 'PIlu7dB7Dt', 'qjNuwb4O5u', 't6UuZAGnt8', 'H7ZuVNSfHC', 'Rp2wjace4a', 'GxTw8KxBte', 'pbdwpf0Gnm', 'Cksw0AKUF6', 'MjmwqcsE70'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, JfvSQw9dPmHZN4rpEr.cs	High entropy of concatenated method names: 'r9oFhXbn8', 'zVOGfZXDe', 'CuihkQN59', 'MZwCEWLLO', 'CFcobm0ix', 'oeYNvi18q', 'FEAWw1B04kjIymRxfk', 'atCqBinlfA46epT0uX', 'wCGTMrlkf', 'Jq3b4gWgp'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, q7S4syNbpmpA69hF6g.cs	High entropy of concatenated method names: 'ToString', 'N2FSlwRNH3', 'SuDSi2gGuB', 'WwASAEZ5f7', 'GlESekt0fZ', 'uc1SOQla3Y', 'wQMSIh9ged', 'oQTSJiQnLy', 'xdvSymR0ap', 'asyScdWgYW'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, f14LtGhlsArLGlCSZq.cs	High entropy of concatenated method names: 'CxPTt5IRhw', 'b6RT7kLaA5', 'obiTrAqCK5', 'C6pTwbhmZ2', 'G3STuIUSe4', 'DvPTZFD5Hv', 'cBLTVegGhB', 'fZyTMX1rdd', 'NsUT5XgPGx', 'nAGTES9vfV'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, QQ0ZQOfY6Ee2hmJYbs.cs	High entropy of concatenated method names: 'Ay0rG0j2Fs', 'bb0rhifsPc', 'SFkrPwLYa2', 'ocGrokRjvs', 'd5GrsC6JLK', 'N8VrSFvxym', 'GjArk3d0po', 'OXFrTANyDC', 'jv5rWaIR4q', 'OffrbUo70B'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, RE2ydl5EZwof1RDpK8.cs	High entropy of concatenated method names: 'N8RaZjYw6k', 'weUaVNdqa4', 'MJTa5C7JrG', 'WqWaEEUvs1', 'DQJasgOfbA', 'lbiaSjBmT9', 'MQaSfMrUtkilH5eHHr', 'bxUCUcH4KRXHo7uXtx', 'KFKaa4Mpn3', 'AigaR8f4gh'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, uRCQhtlE1kRh0amnF1N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'q7FbXqlJKy', 'fnQb9cRgwY', 'WpQbLxngjv', 'uWObQZ1gnE', 'dFPbjMXEZm', 'KoFb8GZKtU', 'SPCbp38BM1'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, di82O4q6Uj53JxhWtk.cs	High entropy of concatenated method names: 'KOFjm62Rp3A6IaNaCZT', 'YNbXO52s25pHU1XVr6D', 'tCduTCLqZB', 'HEGuWnTt0x', 'uRFubUtihX', 'kmkSpm2V8K7Z0j4w9Pm', 'iDeFI02hgUA9DVGRfCv'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, bG8EMWkQddhC83cZ0X.cs	High entropy of concatenated method names: 'PILw3wkl6t', 'f4hwCfVkP3', 'TttrATBG7L', 'TaTrelgQQQ', 'JkbrOrKGAZ', 't3DrIXXRGD', 'ES7rJvWhhO', 'WRQryWsV9j', 'jFvrcZogjT', 'dpFrdT2HNv'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, UZvCihlpSA4KvawtT1t.cs	High entropy of concatenated method names: 'yMgWfVXKQc', 'JwdWBBCgVd', 'BvVWF3ckb1', 'AmwWGrZQJh', 'yAYW38VBJi', 'Q55WhJTFQF', 'iY9WC3ocIW', 'b4WWPoDA7M', 'afhWoqTPZi', 'eQvWNrEFmy'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, gFZLHtVi1cnGoMlI5C.cs	High entropy of concatenated method names: 'V8u7XW40nb', 'HVd797NJDB', 't5A7Ll6Cm5', 'HkE7Q5iG08', 'cr57jGg8XH', 'C7t78gTwTf', 'NTG7pPZnJV', 'ERT7000qO2', 'aFL7qSo6rv', 'nSR7x5y77m'
Source: 0.2.Dhl Express Shipping Docs .pdf.exe.52bc318.3.raw.unpack, EdBOgyLQlxy8sD4Z9O.cs	High entropy of concatenated method names: 'wd4T2ilEop', 'pPdTiPCtyh', 'kk3TAntnOn', 'GWPTeSoKNp', 'VmSTXxn4ST', 'HEpTOh3W5Y', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

File created: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Dhl Express Shipping Docs .pdf.exe

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: emaGqYHYeYNHas.exe PID: 7404, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: 8120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: 76F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: 9120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: A120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: A710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: B710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: C710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 7420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 7170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 8420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 9420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: AB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: BB80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4417	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1820	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4604

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe TID: 2888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99060	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: RegSvcs.exe, 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: emaGqYHYeYNHas.exe, 0000000C.00000002.1445320898.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\h
Source: RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_011170B0 CheckRemoteDebuggerPresent,

11_2_011170B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe"
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9CA008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6CA008	Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Queries volume information: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Queries volume information: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1431070123.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.0000000002932000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.89d9478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dhl Express Shipping Docs .pdf.exe.899de58.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1431070123.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.0000000002932000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dhl Express Shipping Docs .pdf.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	13 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 Scheduled Task/Job	12 Software Packing	Security Account Manager	621 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Dhl Express Shipping Docs .pdf.exe	41%	Virustotal		Browse
Dhl Express Shipping Docs .pdf.exe	37%	ReversingLabs	Win32.Trojan.Generic
Dhl Express Shipping Docs .pdf.exe	100%	Avira	HEUR/AGEN.1309858
Dhl Express Shipping Docs .pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	100%	Avira	HEUR/AGEN.1309858
C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	37%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe	41%	Virustotal		Browse

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0A	RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1436074423.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.0000000002916000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2616814978.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.000000000290E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1404824641.0000000003381000.00000004.00000800.00020000.00000000.sdmp, Dhl Express Shipping Docs .pdf.exe, 00000000.00000002.1404824641.0000000003612000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, emaGqYHYeYNHas.exe, 0000000C.00000002.1446811774.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, emaGqYHYeYNHas.exe, 0000000C.00000002.1446811774.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	RegSvcs.exe, 0000000B.00000002.1431070123.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2609746295.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
208.91.199.223	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430785
Start date and time:	2024-04-24 07:15:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Dhl Express Shipping Docs .pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 173 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:15:50	API Interceptor	1x Sleep call for process: Dhl Express Shipping Docs .pdf.exe modified
07:15:52	Task Scheduler	Run new task: emaGqYHYeYNHas path: C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe
07:15:52	API Interceptor	30x Sleep call for process: powershell.exe modified
07:15:54	API Interceptor	43x Sleep call for process: RegSvcs.exe modified
07:15:55	API Interceptor	1x Sleep call for process: emaGqYHYeYNHas.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	r)_78768.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting
	X1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
208.91.199.223	PR2403016.scr.exe	Get hash	malicious	AgentTesla	Browse
	HDPESDR11OD5606METERS.exe	Get hash	malicious	AgentTesla	Browse
	HDPESDR1145-6METERS.exe	Get hash	malicious	AgentTesla	Browse
	TT copy of the first payment.exe	Get hash	malicious	AgentTesla	Browse
	rTDN001-180424_PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	1iO53raUh69l6nV.exe	Get hash	malicious	AgentTesla	Browse
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	PR2403016.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	OKJ2402PRT000025.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	HDPESDR11OD5606METERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	HDPESDR1145-6METERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	TT copy of the first payment.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	rTDN001-180424_PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	1iO53raUh69l6nV.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.91.198.143
ip-api.com	r)_78768.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	r)_78768.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
PUBLIC-DOMAIN-REGISTRYUS	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	PR2403016.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	OKJ2402PRT000025.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PO82100088.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	72625413524.vbs	Get hash	malicious	XWorm	Browse	116.206.104.215
	HDPESDR11OD5606METERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.MSIL.Kryptik.AGUH.tr.13955.20631.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214

Process:	C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emaGqYHYeYNHas.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fnrznbs.oej.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqje4zow.aau.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cssatfbo.obw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dn3rgoyt.hbf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5zksprv.qqh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iynhucx1.oni.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kaffcvxv.x3r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uixhcj4c.avk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB967.tmp

Download File

Process:	C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.11953542517831
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNti3xvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTev
MD5:	DCC0D3FCE34B147234429ED2E62FFFB4
SHA1:	7F6E5F43A1410593760E77DDF48B95AC67D279CA
SHA-256:	25E002735C1B8831532B4C5858083503B92E5A4EC69435F7D8BC6F4007ACBE8A
SHA-512:	370A56DC7D0D64F63700B55F25722AA16C578768FC42C1A71541006E755B28D35EC06EDC9A5D667F2E00DEC2905FD0E5B01D3419A2FFC9A5B499BB83E39FCE72
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpCA21.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.11953542517831
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNti3xvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTev
MD5:	DCC0D3FCE34B147234429ED2E62FFFB4
SHA1:	7F6E5F43A1410593760E77DDF48B95AC67D279CA
SHA-256:	25E002735C1B8831532B4C5858083503B92E5A4EC69435F7D8BC6F4007ACBE8A
SHA-512:	370A56DC7D0D64F63700B55F25722AA16C578768FC42C1A71541006E755B28D35EC06EDC9A5D667F2E00DEC2905FD0E5B01D3419A2FFC9A5B499BB83E39FCE72
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe

Download File

Process:	C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	855552
Entropy (8bit):	7.102961572511479
Encrypted:	false
SSDEEP:	12288:+iEx72xrdlMXGnWnpLCzRdoJ6K5/w6ovt51qZ0o1LFMdDP+FIk7N:sSrdrWn4z26UNol510LFMdDP8Ik
MD5:	E7D52516CA8BCF4E8BCAF71A36A88300
SHA1:	D5A7EAAD95AB6D4E492B128DB0CF550C34170C90
SHA-256:	8DF5ECBC8EA978C98C9C3A0918FE9EE233F169EE9E3D38855B7DA8FC96AAD8DC
SHA-512:	0DC86396301012E035ED03086436411B5ABDBE7C2DC84B03D5385739250BF1EFA1BC6FAB96471EB277B62D7A3B1EA663565809493A26750951C6316B131C0751
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37% Antivirus: Virustotal, Detection: 41%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y(f............................."... ........@.. ....................................@..................................!..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................."......H...........(,......D....................................................0..A....... .........%.....(......... N........%....(.....+...(.........&...B...}......}.......".(........6(.........&...0..........r...p ...... .t.....(....t......0..........~......~+.....+V..E....&.......................^...........w.......=...u.......F...%............&...+....>T..... ..... ....Y..+. @... )...(+.....t......u.... .... ....(...+.u.... .... ....(...+,.....8D.....+..*...S .5...(B..

C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.102961572511479
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Dhl Express Shipping Docs .pdf.exe
File size:	855'552 bytes
MD5:	e7d52516ca8bcf4e8bcaf71a36a88300
SHA1:	d5a7eaad95ab6d4e492b128db0cf550c34170c90
SHA256:	8df5ecbc8ea978c98c9c3a0918fe9ee233f169ee9e3d38855b7da8fc96aad8dc
SHA512:	0dc86396301012e035ed03086436411b5abdbe7c2dc84b03d5385739250bf1efa1bc6fab96471eb277b62d7a3b1ea663565809493a26750951c6316b131c0751
SSDEEP:	12288:+iEx72xrdlMXGnWnpLCzRdoJ6K5/w6ovt51qZ0o1LFMdDP+FIk7N:sSrdrWn4z26UNol510LFMdDP8Ik
TLSH:	8105B03D1CBE22BB81B8C2A9CFD58827F540E46B7111AD7594D747A56346E8B38C323E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y(f............................."... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4d222e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x662859D1 [Wed Apr 24 01:01:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd21d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd0234	0xd0400	6dbb807a9179c49d9586debfe1ec569a	False	0.7582052352190877	data	7.109679695826465	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd4000	0x600	0x600	03125000af64011bb248673c1dff61cc	False	0.421875	data	4.101906794046182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd6000	0xc	0x200	c529ae714c8744762b626ee9ed1a3e6b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd4090	0x334	data			0.42073170731707316
RT_MANIFEST	0xd43d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:15:54.009422064 CEST	49708	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:54.169136047 CEST	80	49708	208.95.112.1	192.168.2.8
Apr 24, 2024 07:15:54.169290066 CEST	49708	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:54.170142889 CEST	49708	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:54.330070972 CEST	80	49708	208.95.112.1	192.168.2.8
Apr 24, 2024 07:15:54.376646042 CEST	49708	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:55.510374069 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:55.691765070 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:55.691885948 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:56.281218052 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.283309937 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:56.464409113 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.464538097 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.465101004 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:56.646502972 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.653686047 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:56.835109949 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.835139990 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.835151911 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.835181952 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:56.835206985 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:56.835242033 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:57.016264915 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:57.056394100 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:57.238287926 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:57.350255013 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:57.532001019 CEST	587	49709	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:57.736254930 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:57.937726021 CEST	49712	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:58.097378969 CEST	80	49712	208.95.112.1	192.168.2.8
Apr 24, 2024 07:15:58.097505093 CEST	49712	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:58.098483086 CEST	49712	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:58.258677006 CEST	80	49712	208.95.112.1	192.168.2.8
Apr 24, 2024 07:15:58.327974081 CEST	49712	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:58.635691881 CEST	49709	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:58.636164904 CEST	49708	80	192.168.2.8	208.95.112.1
Apr 24, 2024 07:15:59.016530037 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:59.197962999 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.198040962 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:59.384898901 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.385119915 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:59.566483974 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.566503048 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.566713095 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:59.748529911 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.752310991 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:59.934272051 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.934309006 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.934324026 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.934339046 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:15:59.934381008 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:15:59.934432983 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:00.116247892 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:00.117798090 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:00.300029039 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:00.314012051 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:00.495778084 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:00.496829033 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:00.680989027 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:00.681346893 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:00.869206905 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:00.869585991 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.053373098 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:01.054095030 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.258399963 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:01.258599043 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.441355944 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:01.441941977 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.442035913 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.442059040 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.442078114 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:01.623611927 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:01.623667002 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:01.756494045 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:16:01.798496962 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:16:42.806747913 CEST	80	49712	208.95.112.1	192.168.2.8
Apr 24, 2024 07:17:39.033879042 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:17:39.217370987 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:17:39.218302011 CEST	587	49713	208.91.199.223	192.168.2.8
Apr 24, 2024 07:17:39.218379021 CEST	49713	587	192.168.2.8	208.91.199.223
Apr 24, 2024 07:17:39.222618103 CEST	49713	587	192.168.2.8	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:15:53.827146053 CEST	51868	53	192.168.2.8	1.1.1.1
Apr 24, 2024 07:15:53.981570959 CEST	53	51868	1.1.1.1	192.168.2.8
Apr 24, 2024 07:15:55.351315022 CEST	55587	53	192.168.2.8	1.1.1.1
Apr 24, 2024 07:15:55.509624004 CEST	53	55587	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 07:15:53.827146053 CEST	192.168.2.8	1.1.1.1	0x46d5	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:15:55.351315022 CEST	192.168.2.8	1.1.1.1	0xbc45	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:15:53.981570959 CEST	1.1.1.1	192.168.2.8	0x46d5	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:15:55.509624004 CEST	1.1.1.1	192.168.2.8	0xbc45	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:15:55.509624004 CEST	1.1.1.1	192.168.2.8	0xbc45	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:15:55.509624004 CEST	1.1.1.1	192.168.2.8	0xbc45	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:15:55.509624004 CEST	1.1.1.1	192.168.2.8	0xbc45	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	208.95.112.1	80	7308	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 07:15:54.170142889 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 24, 2024 07:15:54.330070972 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 05:15:53 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	208.95.112.1	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 07:15:58.098483086 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 24, 2024 07:15:58.258677006 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 05:15:57 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 56 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 07:15:56.281218052 CEST	587	49709	208.91.199.223	192.168.2.8	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 24, 2024 07:15:56.283309937 CEST	49709	587	192.168.2.8	208.91.199.223	EHLO 124406
Apr 24, 2024 07:15:56.464538097 CEST	587	49709	208.91.199.223	192.168.2.8	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 24, 2024 07:15:56.465101004 CEST	49709	587	192.168.2.8	208.91.199.223	STARTTLS
Apr 24, 2024 07:15:56.646502972 CEST	587	49709	208.91.199.223	192.168.2.8	220 2.0.0 Ready to start TLS
Apr 24, 2024 07:15:59.384898901 CEST	587	49713	208.91.199.223	192.168.2.8	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 24, 2024 07:15:59.385119915 CEST	49713	587	192.168.2.8	208.91.199.223	EHLO 124406
Apr 24, 2024 07:15:59.566503048 CEST	587	49713	208.91.199.223	192.168.2.8	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 24, 2024 07:15:59.566713095 CEST	49713	587	192.168.2.8	208.91.199.223	STARTTLS
Apr 24, 2024 07:15:59.748529911 CEST	587	49713	208.91.199.223	192.168.2.8	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	07:15:50
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"
Imagebase:	0xf60000
File size:	855'552 bytes
MD5 hash:	E7D52516CA8BCF4E8BCAF71A36A88300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1411956229.0000000008921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:15:51
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Dhl Express Shipping Docs .pdf.exe"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:15:51
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:15:51
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:15:51
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:15:51
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpB967.tmp"
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:15:51
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:15:52
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x2e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:15:52
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x260000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:15:52
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x7c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1431070123.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1431070123.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1425518560.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:15:52
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\emaGqYHYeYNHas.exe
Imagebase:	0x8f0000
File size:	855'552 bytes
MD5 hash:	E7D52516CA8BCF4E8BCAF71A36A88300
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs Detection: 41%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:15:54
Start date:	24/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	07:15:56
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\user\AppData\Local\Temp\tmpCA21.tmp"
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:15:56
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:15:56
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x420000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:15:56
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x2a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:15:56
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x5d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2609746295.0000000002932000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2609746295.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2609746295.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	143
Total number of Limit Nodes:	11

Executed Functions

Function 07A321AC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411530623.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a30000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94d0a36bb9f8f56ff226239a5185b898eb5d62026ef40d5120794b1c7a8de8f
Instruction ID: c872a6f2463f3a144b9d2e05dc54d61ccf60b313178c7dc536a46e6f5f2b5296
Opcode Fuzzy Hash: a94d0a36bb9f8f56ff226239a5185b898eb5d62026ef40d5120794b1c7a8de8f
Instruction Fuzzy Hash: 34D06CB4868309CBC714DF69D844ABABBB8BB0B304F112096E42AF7251DA309884CE05

Uniqueness

Uniqueness Score: -1.00%

Function 078BEA40 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 078BEC76

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 075de39e27140edf4b2afa361c55c5fdc783ca81311d5732dc2bb80d4a7311af
Instruction ID: d5da881e105663468da36e15a2b407a3b2312a72a53a77ec48c3a26e3082cc1b
Opcode Fuzzy Hash: 075de39e27140edf4b2afa361c55c5fdc783ca81311d5732dc2bb80d4a7311af
Instruction Fuzzy Hash: 3E9139B1D0021ADFEB24CF68C8457EEBBB2BF44310F1485A9D849E7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0326B1D0 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0326B426

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c87f0054278cab6c934a5e251920aab5c038a6882afb161d7b94f7402acc39a7
Instruction ID: bbfb7a8dfd1c28653d0662545a2de8e0a4dc045becd8baadc0b541031255b71c
Opcode Fuzzy Hash: c87f0054278cab6c934a5e251920aab5c038a6882afb161d7b94f7402acc39a7
Instruction Fuzzy Hash: 0E7157B0A10B058FDB24DF6AD15075ABBF5FF88200F148A2DD49ADBA50DB74E885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0326450C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03265F11

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 79038d76d3b28178ae319e0d5c1790cba470605d0a72afb8895bdd2230ff52d2
Instruction ID: f1cfc2d30a9fc42b8a2b899ee40f55e8dbe44e96d751e66a3f91b233c1ab6a24
Opcode Fuzzy Hash: 79038d76d3b28178ae319e0d5c1790cba470605d0a72afb8895bdd2230ff52d2
Instruction Fuzzy Hash: 8C41CFB0C1071DCBDB24CFA9C844B9EBBF5BF49304F24846AD808AB251DBB56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03265E55 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03265F11

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fef395f92d91c505c547af224a06d625ab964f366f3dff2eb40bd791e9d4f908
Instruction ID: a957c04857b75b32cddc5313cdb35e8ee59f6ac646db7fe2a6b039cc2b869088
Opcode Fuzzy Hash: fef395f92d91c505c547af224a06d625ab964f366f3dff2eb40bd791e9d4f908
Instruction Fuzzy Hash: 7641CDB0C10719CFDB24CFA9C84479EBBB5BF4A304F24856AD408AB291DBB56986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 078BE7B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 078BE848

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d7f7bd0ed109e4751e7524fe38aa0fa79ef8e4d4bdca1a6f9015c2d32e6a7d96
Instruction ID: 98afa99e1c71d53bc5a59e44bb715a1851df290f83554355272592b16caec011
Opcode Fuzzy Hash: d7f7bd0ed109e4751e7524fe38aa0fa79ef8e4d4bdca1a6f9015c2d32e6a7d96
Instruction Fuzzy Hash: B92127B19003499FDB10CFAAC881BDEBBF5FF48310F14842AE918A7340D7799945DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0326D238 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0326D66E,?,?,?,?,?), ref: 0326D72F

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1a52e53b867a9152736d7f09f82c03fe3d330936686256f5a6f161b650f17cf
Instruction ID: d89b64ad2183e1e654e39ce94a74a8f3800d385f5120c9723ae507858555b6cd
Opcode Fuzzy Hash: e1a52e53b867a9152736d7f09f82c03fe3d330936686256f5a6f161b650f17cf
Instruction Fuzzy Hash: 8221E5B590024C9FDB11CFAAD884AEEFBF4EF48310F14841AE914A3350D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0326D6A1 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0326D66E,?,?,?,?,?), ref: 0326D72F

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 70e7eb9d706d98dc41c964c6bbe4bd2c8809d13484b524b9a606726dde24c351
Instruction ID: c1bda796950917ff7ff96e991ab24bbd83dd6469de4222ea637175948656ab61
Opcode Fuzzy Hash: 70e7eb9d706d98dc41c964c6bbe4bd2c8809d13484b524b9a606726dde24c351
Instruction Fuzzy Hash: ED21B3B5D00249AFDB11CFAAD884ADEFBF8EB48310F14841AE914A3350D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 078BE1E8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078BE266

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7023fc99ecf844e049638f43af7f3ca982931835f30b0eeb0d4c2a7b08bf2dad
Instruction ID: aa1878d0ab0be9a0120446b75ad2f42457c3333edf811db263bd210f6d59483a
Opcode Fuzzy Hash: 7023fc99ecf844e049638f43af7f3ca982931835f30b0eeb0d4c2a7b08bf2dad
Instruction Fuzzy Hash: B42115B1D003098FDB14DFAAC8857EEBBF4AF48214F14842AE519A7340CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 078BE8A8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 078BE928

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fb83172bfea0f4b9e149c0698a4681927778029b744c27f2e0067aa013ae2089
Instruction ID: 031247b307beffcb30186dbe545e054f9cb4ada4dbaf5822fe45aca666a4b6af
Opcode Fuzzy Hash: fb83172bfea0f4b9e149c0698a4681927778029b744c27f2e0067aa013ae2089
Instruction Fuzzy Hash: 7F2139B19003499FDB10CFAAC880BEEFBF5FF48310F14842AE518A7250C7799905DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0326AEE8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0326B4A1,00000800,00000000,00000000), ref: 0326B6B2

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3e90a63ae7ce60c32aa3acbe0e6a12206e835a9ad8f063b0ab97a2ae8290059b
Instruction ID: 20e88d0ce123f045c397ab8b60089ce66b753972afc98538d1cf69c70e68ba5d
Opcode Fuzzy Hash: 3e90a63ae7ce60c32aa3acbe0e6a12206e835a9ad8f063b0ab97a2ae8290059b
Instruction Fuzzy Hash: FF1126B69003498FDB14CFAAC444BDEFBF4EF48710F14842AE919A7250C3B5A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0326B641 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0326B4A1,00000800,00000000,00000000), ref: 0326B6B2

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 273a5fc44e3998f8de3aa73f6bc045f92208a7a51e731612a1090dff98f49880
Instruction ID: 123931ccfeb4e7685f15d08894b2c501d6f3a8007fb287f039426c4859411bc0
Opcode Fuzzy Hash: 273a5fc44e3998f8de3aa73f6bc045f92208a7a51e731612a1090dff98f49880
Instruction Fuzzy Hash: 241144B29002098FDB10CFAAC844BDEFBF4AF58310F14841AD418A7210C374A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078BE6F8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 078BE766

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c23804168a29e70fe26466c8428e1a851230876d1bfcf041d2d7d98d1009290d
Instruction ID: 486772c9e72c4a3d90a2960822384f786c0bb5e1369040e2eed8ea2865ee4dd0
Opcode Fuzzy Hash: c23804168a29e70fe26466c8428e1a851230876d1bfcf041d2d7d98d1009290d
Instruction Fuzzy Hash: 3A1126729003499FDB20DFAAC844BDFBFF5AF48310F14881AE519A7250C779A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078BDD00 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 078BDD62

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4cc4da7320c35f0847c30ae52ee9c1dd7c566196b0e0eef4cf32fceadae32b7e
Instruction ID: b2da1f2ddd161a7f1cbd3633ed198ba34f36e1ab6d7d3bcf549c0de1b10a8037
Opcode Fuzzy Hash: 4cc4da7320c35f0847c30ae52ee9c1dd7c566196b0e0eef4cf32fceadae32b7e
Instruction Fuzzy Hash: 0E113AB19003498FDB24DFAAC8457EFFBF4AF88714F14881AD519A7240C779A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0326B3C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0326B426

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 87d95b779b8c3424bfbd51a086374147f3585b4a78f0e30c98dfc13f9d2cf172
Instruction ID: d9cdc0fbc9987d122adc623aa9f68fcfd86f036c90e43ce3f6eb9db0f44a99c5
Opcode Fuzzy Hash: 87d95b779b8c3424bfbd51a086374147f3585b4a78f0e30c98dfc13f9d2cf172
Instruction Fuzzy Hash: 6C11E0B5D007498FDB14CF9AD844BDEFBF4AF88314F14841AD829A7650C379A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A330B9 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A3311D

Memory Dump Source

Source File: 00000000.00000002.1411530623.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a30000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8ae849260030ece4258147fe9ad198413df25cdabb2db604ccdd164b7a0a7008
Instruction ID: 1b5ac4e94dc9dca37b8bb05a2760e8984d0c626e1fdd652be792d2c9355af7f4
Opcode Fuzzy Hash: 8ae849260030ece4258147fe9ad198413df25cdabb2db604ccdd164b7a0a7008
Instruction Fuzzy Hash: 1D1122B5800349DFDB10DF9AD885BDEFBF8EB48320F10880AE518A7600D375A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A330C0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A3311D

Memory Dump Source

Source File: 00000000.00000002.1411530623.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a30000_Dhl Express Shipping Docs .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a9fbccdaf8c046b83aa58ca858953a20e5f617b745c41eb4b47bf59a5d295bd3
Instruction ID: e6b131ef9cf69c3c132f59ad9e6268c70fd66bb0ef4468bd3c60bbce4a234b1f
Opcode Fuzzy Hash: a9fbccdaf8c046b83aa58ca858953a20e5f617b745c41eb4b47bf59a5d295bd3
Instruction Fuzzy Hash: 2C1115B58003499FDB10CF9AC885BDEFFF8EB48320F14841AE518A3240C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0192D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404200925.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de06a983e0aec32e8b2a3d3a296faa5b0ce2daf7a7787e1513d7a7764c66f2f
Instruction ID: 57359793b9844e1e84d2c73aec4d68a5b55c38ca8a534a0e16db1681c60498ff
Opcode Fuzzy Hash: 4de06a983e0aec32e8b2a3d3a296faa5b0ce2daf7a7787e1513d7a7764c66f2f
Instruction Fuzzy Hash: 9F2100B2504240EFEB05DF94D9C0F26BFE5FB88718F20C569E8090B25EC376D456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0193D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404277187.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_193d000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0896ee6414cba41c23bdfe8330abc02fd9f8ce118ceda710fefcf772a1d4817c
Instruction ID: 2b14cd66e19bf50c7584efe9d3639503795dc7e02ec715c06b181856f2959f9d
Opcode Fuzzy Hash: 0896ee6414cba41c23bdfe8330abc02fd9f8ce118ceda710fefcf772a1d4817c
Instruction Fuzzy Hash: 4F2100B1604200EFDB15DFA4D8D0B26FBE5FBC4A14F60C969E84E0B242C336D447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0193D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404277187.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_193d000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97f382a064407578f82dc66f45eed424f38b44ea9c41e5cb8a461add090be03
Instruction ID: 1682512cc794c6c242bf83fb7d7130afb52c190fd5d9f938687ce325817d8c75
Opcode Fuzzy Hash: f97f382a064407578f82dc66f45eed424f38b44ea9c41e5cb8a461add090be03
Instruction Fuzzy Hash: 1E2183755093808FC703CF64D594715BFB1EB46214F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0192D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404200925.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: d90169cea4b29a6b7a97b35be07acfdf74650b7e6f8bfec06a2a70a3e6a5fbd8
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 9611D376504280CFDB16CF54D5C4B16BFB1FB84318F24C6A9D8494B65BC336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 078B5011 Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

[V~*, xrefs: 078B518C
T+-q, xrefs: 078B535A
]\`, xrefs: 078B52A2

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 1cae56b74e575d75424f7e168f07a77567ffe78094a51eb4fa0667f9a45bbb89
Instruction ID: b1cbc033e2bfd06305ccb368af94e298e6995505bed3d5590dd1c8e068102154
Opcode Fuzzy Hash: 1cae56b74e575d75424f7e168f07a77567ffe78094a51eb4fa0667f9a45bbb89
Instruction Fuzzy Hash: EAB1F7B4E15219DBCB04CFAAD9809DEFBB2BF9A300F14D52AD415EB358D330A9068F54

Uniqueness

Uniqueness Score: -1.00%

Function 078BD4D8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

T=}, xrefs: 078BD533

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID: T=}
API String ID: 0-79086117
Opcode ID: de5c55312b72d1dc5e12f97ba87cf72303a9b72ae50bd6cd0fd2aa4f22983ad9
Instruction ID: 7a0c7f3f8be1c03b42614d4c9af1aca3ad6ebcde96525b2303802d281deb4639
Opcode Fuzzy Hash: de5c55312b72d1dc5e12f97ba87cf72303a9b72ae50bd6cd0fd2aa4f22983ad9
Instruction Fuzzy Hash: 97E10AB4E002199FDB14DFA9C580AAEFBB2FF89305F248169D418AB355D730AD41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078BE2C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a58d4526a9d33ecb6c881455c064cce252a71f54d1ef73c9596e657ff835497
Instruction ID: 379821668c7f516dcb8bfe8edbddd15f06cf43d9c8947d9a207d47bceec295e2
Opcode Fuzzy Hash: 1a58d4526a9d33ecb6c881455c064cce252a71f54d1ef73c9596e657ff835497
Instruction Fuzzy Hash: 66E1F7B4E102198FDB24DFA9C580AAEFBB2FF89305F2481A9D414AB355D730AD41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 078BBE30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f03717dec4e0abbbc6864b243df8bd5aab6c7fc43f79eeb7e68f9123f5ff1f7
Instruction ID: 0e833c0fe4b4e83d8db49f0577fea4cebd802ba603eec8079584af02633f74e6
Opcode Fuzzy Hash: 5f03717dec4e0abbbc6864b243df8bd5aab6c7fc43f79eeb7e68f9123f5ff1f7
Instruction Fuzzy Hash: 72E108B4E102198FDB24DFA9C580AAEFBB2FF89305F2481A9D414AB355D730AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 078BDDB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83ffc19b460fefd138703140dfaa30e8d1fb9b928f5bfb9ad428317edd34e6f
Instruction ID: 7bc3cadbcaa37440baa4e636aac8fcb19a3cec2931728a5df5a1a3854eb45037
Opcode Fuzzy Hash: f83ffc19b460fefd138703140dfaa30e8d1fb9b928f5bfb9ad428317edd34e6f
Instruction Fuzzy Hash: 7CE109B4E102198FDB24DFA9C580AAEFBB2FF89305F2481A9D414AB355D731AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 078BB9F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c72209bb050562f02d40e45f33d413d48571c4c8adbdbf985c289b210471d30
Instruction ID: c27209b6b2bff1c2b453f4314e10d292a26ccd8d6c1ebb44c1ea1fa06a180277
Opcode Fuzzy Hash: 9c72209bb050562f02d40e45f33d413d48571c4c8adbdbf985c289b210471d30
Instruction Fuzzy Hash: FAE1F9B4E102198FDB24DFA9C580AAEFBB2FF89305F248169D414AB355D734AD41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078B3028 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac4748d54ce7acaeda7c6dce4e933f300d144cee9fb9bfc0853aee252729c3a
Instruction ID: 4c9decc66d6dc81ca065748430513036da2905f3e1180b03973367c33697bb97
Opcode Fuzzy Hash: 3ac4748d54ce7acaeda7c6dce4e933f300d144cee9fb9bfc0853aee252729c3a
Instruction Fuzzy Hash: C1D1063182075A8ACB11EBB4D9906A9F7B1FFD9300F11DB9AD44A37250EF746AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 078B3038 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410937262.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78b0000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3774937292c2ae3de53cebdb34441ffc33eec902cd0966741ace30ae750d967
Instruction ID: d36b523d3d96e44e18bf6084dddcdd1c6661186d206115735b4cce45addaeabc
Opcode Fuzzy Hash: b3774937292c2ae3de53cebdb34441ffc33eec902cd0966741ace30ae750d967
Instruction Fuzzy Hash: 46D1E63182075A8ACB11EBB4D9906A9F7B1FFD9300F10DB9AD54A37250EF746AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0326DFCC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404687861.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3260000_Dhl Express Shipping Docs .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c0bb129065b839994c9125a37beef4e4779d3cb074ce83b48baddc9c1d3a68
Instruction ID: ccd3da1e035615dda233beb9d5fc40693d862983b9f126c06d33d105d111d3bd
Opcode Fuzzy Hash: d8c0bb129065b839994c9125a37beef4e4779d3cb074ce83b48baddc9c1d3a68
Instruction Fuzzy Hash: B1A18C36A20706DFCF05DFB4D98059EBBB2FF84300B15416AE805AB261DB71E996CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 7308, Parent PID: 7060COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.5%
Total number of Nodes:	24
Total number of Limit Nodes:	4

Executed Functions

Function 063E51B0 Relevance: 1.8, Strings: 1, Instructions: 589
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 063E553C

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c600ab3abc3be60b81d8ac6b383f272d63cb6c9a35b67c68e69342b5bbc140f4
Instruction ID: a1122493bcda2579161ebf1259b5ef0fd4601f260a1d0ee635a3c5dfeac78377
Opcode Fuzzy Hash: c600ab3abc3be60b81d8ac6b383f272d63cb6c9a35b67c68e69342b5bbc140f4
Instruction Fuzzy Hash: 59229031F002258FDF64DBA4C5806AEB7B2FB85324F24856AD415AB394DB76DC46CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 011170B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01117127

Memory Dump Source

Source File: 0000000B.00000002.1430783720.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1110000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 253d0c49f3a3fba57c0e1c3044da46660b3e496c3c64a238bae5662589a285eb
Instruction ID: bf253723db6a60431d3e919e3b27f8f70009879d7bc40ea5af4a47bff3f0eaa8
Opcode Fuzzy Hash: 253d0c49f3a3fba57c0e1c3044da46660b3e496c3c64a238bae5662589a285eb
Instruction Fuzzy Hash: 392139B1801259CFDB14CF9AD884BEEFBF5AF49210F14842AE459A3350D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063E2360 Relevance: 1.5, Instructions: 1492COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39e3b511082044f5d3061f7ea8ef7e101d6d96f19bd754f968e6dac044c7110
Instruction ID: 3b2a5b32e86e867476becaa8455446e420fae20971210dad1dc291f0b463d2da
Opcode Fuzzy Hash: e39e3b511082044f5d3061f7ea8ef7e101d6d96f19bd754f968e6dac044c7110
Instruction Fuzzy Hash: 11D26C30E00219CFDB64DB64C584A9EB7F2FF85314F5485AAD409AB3A1EB35ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063E65F8 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2503dbcc0d956b2ee9eaeadea7908c3f370e7ce2ce69619c7b91ae4e12470ccf
Instruction ID: a7dde9e2a5f6b5d905916beab9ddf333c21d8aedfd3d95d00139a1649eba7291
Opcode Fuzzy Hash: 2503dbcc0d956b2ee9eaeadea7908c3f370e7ce2ce69619c7b91ae4e12470ccf
Instruction Fuzzy Hash: 94628B34A00225DFDF64DB68D985AADB7F2EF85314F148429E406EB391DB35EC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 063EB230 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dbdc7b6fc07bf15608d169821ac638b3124b0164583f2835ae0e17339771f5
Instruction ID: 5fcf3381450c462091d124ac0cf83b61a94a9763deeab89eafb496a5538b4d6f
Opcode Fuzzy Hash: 39dbdc7b6fc07bf15608d169821ac638b3124b0164583f2835ae0e17339771f5
Instruction Fuzzy Hash: 80528E30E102198FEF65DB68DA807ADF7B2EB85710F608526E406EB391DB35DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 063EC1A8 Relevance: .6, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb24cd561552d51ece0609967fec49537f4c96ba252e5ec9068df4099697088
Instruction ID: 38c51f094abf859b28f5d448d29dc6facc0ebef84f66b6d6a4399b72a71d450b
Opcode Fuzzy Hash: adb24cd561552d51ece0609967fec49537f4c96ba252e5ec9068df4099697088
Instruction Fuzzy Hash: 2632AE30B102159FDF64DB68D980BADB7B2FB88314F109525E415EB395DB39EC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 063E7D80 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c2fb0ede29e8b644fc4c3f7e2970c6de32066d211670adce56c2220218eeec
Instruction ID: 61786db58bafd67fc86ede05de4afb825fdd9e432466a4240bc79dd66a2f82e1
Opcode Fuzzy Hash: 40c2fb0ede29e8b644fc4c3f7e2970c6de32066d211670adce56c2220218eeec
Instruction Fuzzy Hash: CB029A30B00225DFDF54EB68D9946AEB7A2BF84314F248529D415EB391DB36EC46CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0111EFF8 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1430783720.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51525864878c820d336ed168e0452137f51be801549ae8d209aa251bd6df3a2
Instruction ID: 44e177123691c384161609f3b41428bec92ab09d570e45726e8a45dce619f21d
Opcode Fuzzy Hash: b51525864878c820d336ed168e0452137f51be801549ae8d209aa251bd6df3a2
Instruction Fuzzy Hash: BC411672D143998FDB14CFA9D8042DEFBF5AF85220F14856BD404A7281D7789889CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 011170AE Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01117127

Memory Dump Source

Source File: 0000000B.00000002.1430783720.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1110000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f7d62462495a5428650b88b7b811674a0eb8ac022b6a609a5f11d15dd179bce9
Instruction ID: 8bd60af54a1eeb94e241b76f90f9614ae01e6af48155d6cf160e8e953adbcf0d
Opcode Fuzzy Hash: f7d62462495a5428650b88b7b811674a0eb8ac022b6a609a5f11d15dd179bce9
Instruction Fuzzy Hash: 922159B1801259CFDB14CFAAD484BEEFBF4EF48210F14842AE459A3350C7789944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0111F0C8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0111F137

Memory Dump Source

Source File: 0000000B.00000002.1430783720.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1110000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 617daf13be24612267751d98d981a0b267291616e772c7b45a1d9c8486db82eb
Instruction ID: 7e65f1851e2217da50f1a475a3571332deec3b2087b2e63fb445ff4357f4dd04
Opcode Fuzzy Hash: 617daf13be24612267751d98d981a0b267291616e772c7b45a1d9c8486db82eb
Instruction Fuzzy Hash: DE1130B2C0025ADBDB14CFAAC5447DEFBF4BF48220F10812AD828B7240D378A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063EFEE3 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|, xrefs: 063EFF50

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 3c6b5bf08537cbc694c56bcef43368a30c4db72c9eed17cc17a276deff97a435
Instruction ID: 0c4c4f7253e36f4fe8e879789dd4477e5d5bf5c147139be6cdee020f7b1ad5b5
Opcode Fuzzy Hash: 3c6b5bf08537cbc694c56bcef43368a30c4db72c9eed17cc17a276deff97a435
Instruction Fuzzy Hash: 1E21C171F142109FDB50DB789804BAD7BF1AF8D610F1144AAE90ADB3A1DB399C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063EFF00 Relevance: 1.3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|, xrefs: 063EFF50

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 7bf536a3c4b0a570f010d9355adc51f801ea3cba226fa429062802e7a15405c7
Instruction ID: 2f9862f386e3af6985ff366c2a845a810c1bb9fefdde782d045fbba728e6a787
Opcode Fuzzy Hash: 7bf536a3c4b0a570f010d9355adc51f801ea3cba226fa429062802e7a15405c7
Instruction Fuzzy Hash: 5F114C70B102259FDB54DB789804B6E77F5AF4C650F104469E50AEB390DB799901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063ECF60 Relevance: .8, Instructions: 804
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd954d62ae39309ef46dfd336e1b08cf21299853362553d7015de4517c74da4b
Instruction ID: f180011ad36631216e76dcecdbf34c6ffe45d87aaf62e5e4b7ce1368248a247a
Opcode Fuzzy Hash: cd954d62ae39309ef46dfd336e1b08cf21299853362553d7015de4517c74da4b
Instruction Fuzzy Hash: 34626A30A0020A9FDF65EB68D990A9DB3F2FF84714F208A28D0099F755DB35ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063EACC8 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3f2386c723d2ef0fa0063eb3607250744fb7196ff82b993798bcc6f009d34a
Instruction ID: 26c2d3c22d2a763a879b6b985db042dcf71113d2117b2fdb213aedfd4114c2cd
Opcode Fuzzy Hash: ef3f2386c723d2ef0fa0063eb3607250744fb7196ff82b993798bcc6f009d34a
Instruction Fuzzy Hash: 56E1AF30F102198FDF59EBA8D9806AEB7F2FFC5614F108529D406AB394DB359C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063EB220 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01dfde49fc9f08e2b0f03f7fa80169e697fc30023799b124fa8afd060837fab
Instruction ID: e36ba28a7e79cd02fbdb146c4c3aead53267688bbbc39aec7fea59fe6750bd1a
Opcode Fuzzy Hash: a01dfde49fc9f08e2b0f03f7fa80169e697fc30023799b124fa8afd060837fab
Instruction Fuzzy Hash: 86A1A530F002198BEF65DB6CDA907AEF6A2EB89710F604425E406EB3D5CA34DC459BF5

Uniqueness

Uniqueness Score: -1.00%

Function 063E9148 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d847dece9beb90e320c4b7de7bb368833e11c8d9fabe260ec0f51ef04ecdacc5
Instruction ID: 7ffd1e6426006cfb71468d3f9029376acd4235a5176a9e58878804bd2bb104a2
Opcode Fuzzy Hash: d847dece9beb90e320c4b7de7bb368833e11c8d9fabe260ec0f51ef04ecdacc5
Instruction Fuzzy Hash: 17917030B0021A9FDF54EB69C9557AE73F6AF84704F108569D80AEB384EF31AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063E5DF0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0256da0f9709bc0caf38ee23305f09ddf9575c013eed4ac4069b879c397f7145
Instruction ID: b1c616964ec638713a7678885c2427a009832003790884f2b023b9e38b0b4caa
Opcode Fuzzy Hash: 0256da0f9709bc0caf38ee23305f09ddf9575c013eed4ac4069b879c397f7145
Instruction Fuzzy Hash: 56610471F005214BDF50AA7EC98469EBAE7EFD4620F154439D80ADB360DE76ED0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 063E3EA8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b06bd4a9755d2f1bafec3d36e0566512ec41d2cf3ed99545f24294d23080e11
Instruction ID: f8db4354f4eca62e8f7c98f33a77980542880bd4d4b114e02352f07b7f377a67
Opcode Fuzzy Hash: 8b06bd4a9755d2f1bafec3d36e0566512ec41d2cf3ed99545f24294d23080e11
Instruction Fuzzy Hash: 94818E30B002199FDF54DBB9C9547AEB7F2AF89304F108529E40ADB395DB39EC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 063E3EB8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff864cf0fc596cfaec036ffd54fb1a8b9dece90e9bc768500fc040c20bf8ea04
Instruction ID: b7fdaac227c6f036468f527f81d0eb47f65424fac26f4d9d5fe63fe219d8ecfb
Opcode Fuzzy Hash: ff864cf0fc596cfaec036ffd54fb1a8b9dece90e9bc768500fc040c20bf8ea04
Instruction Fuzzy Hash: 7E817D30B002199FDF54DBB9C9547AEB7F2AF89304F108529E40AEB395DB35EC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 063E41CC Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d505c2c74e1b655dff9e906f431d98a77cbc9cf9f91c2c9edc123804c003a00
Instruction ID: bde0855f4f673699f8852f01e2e9f6427cef4147530305bd3ae9b94abe0de163
Opcode Fuzzy Hash: 6d505c2c74e1b655dff9e906f431d98a77cbc9cf9f91c2c9edc123804c003a00
Instruction Fuzzy Hash: A5914F30E102198BDF60DF68C890BDDB7B1FF89310F208595D549AB295DB71AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 063E41E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d9d85fe708b1efcc156861452f3afcbbb77e3f89c15e62216555abfa3e610a
Instruction ID: 461db02cc07cd33e3d5c9a4023f2eb704040bc3daa328d2856e2638e2531d717
Opcode Fuzzy Hash: 75d9d85fe708b1efcc156861452f3afcbbb77e3f89c15e62216555abfa3e610a
Instruction Fuzzy Hash: 7E913E30E102198BDF64DF68C890BDDB7B1FF89310F208599D549BB295EB71AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 063EEB20 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e2224e8fff0766422171d0a35f051b9c0cfbe2d1d6e1dc6ce6185d82ba3a4f
Instruction ID: 3b982da1a7071c69bea7578111e63090fdddbdbc007823781a19c8722dd505ca
Opcode Fuzzy Hash: c3e2224e8fff0766422171d0a35f051b9c0cfbe2d1d6e1dc6ce6185d82ba3a4f
Instruction Fuzzy Hash: 51713E34E002199FDB54DBA8D980A9EBBF6FF84314F248529E405EB395DB34ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063EEB30 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c880182ed6a44c636270805dcb1727134673603d52a4b7cbc7d445ce9927d35c
Instruction ID: 783451fe745647498a23d8aeeb194d3a452767b626d31cf66fedc46cc7d7e5a2
Opcode Fuzzy Hash: c880182ed6a44c636270805dcb1727134673603d52a4b7cbc7d445ce9927d35c
Instruction Fuzzy Hash: F0711934E002199FDB54EBA9C980A9EBBF6FF84314F148529E405EB395DB34ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063E4778 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa96400e6bd010976227ba82569e3208d6d6934ec20c3d832f8a3440f53d48ee
Instruction ID: 7e84e40310e5e25ae4d9cb2a677abfbb3b708f962dda5c721f85bced80c01e1b
Opcode Fuzzy Hash: fa96400e6bd010976227ba82569e3208d6d6934ec20c3d832f8a3440f53d48ee
Instruction Fuzzy Hash: 1E616F30F002189FEF54ABA5C9147AEBAF6FFC8710F20842AE505AB395DA758D059B90

Uniqueness

Uniqueness Score: -1.00%

Function 063EF63A Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78fd0e1eee942aa707551df27de122d46782f8d65b55d089fbc17263348eb13
Instruction ID: be5d443109b9318cc6620e773581d43f61a7fd95cee7a91c27a9c79f993f7ade
Opcode Fuzzy Hash: b78fd0e1eee942aa707551df27de122d46782f8d65b55d089fbc17263348eb13
Instruction Fuzzy Hash: CA51E730B102248BFF65566CC9547AF3696D789B40F60452EE00ED77E9CEB9CC1583E2

Uniqueness

Uniqueness Score: -1.00%

Function 063EFCA0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260a437cacaa5334a8872d5dd4aa68efdbf4b6c30289812c075365b6014a7866
Instruction ID: c66578fe78d9fe7cf84491f96175f998fafc590d9965df828b752be30fa1310a
Opcode Fuzzy Hash: 260a437cacaa5334a8872d5dd4aa68efdbf4b6c30289812c075365b6014a7866
Instruction Fuzzy Hash: 7851CF31E00119CFDF64EB78E4446AEBBB2EF84315F20886DE106D7294DB759819CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 063E9138 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6762a2d10c0cfed019bd1567302c7134755dac4ca6abc7213f3cfb86698aad0
Instruction ID: c153c9e202af1cdd0764c6a151fba4e16207bec10a107325b4938a83f3b8288c
Opcode Fuzzy Hash: d6762a2d10c0cfed019bd1567302c7134755dac4ca6abc7213f3cfb86698aad0
Instruction Fuzzy Hash: B2517430B001159FDF54EB78D995BAE73F6EB88704F148469D809DB784EB359D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063EF648 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1032f1a1b9c4a833e961c38aaa6d367f74c007ee7e1558a44ce630edf4715a
Instruction ID: 1ccdc116d6dc06936e4fe9c6fee3738c84f834d6db99755a47dcb6b00ea2c64d
Opcode Fuzzy Hash: ca1032f1a1b9c4a833e961c38aaa6d367f74c007ee7e1558a44ce630edf4715a
Instruction Fuzzy Hash: 4151C430B102248BFF64666CC99476F329AD789B54F60452EE00ED77E8CEB9CC4583E2

Uniqueness

Uniqueness Score: -1.00%

Function 063E51A1 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afecffa8c3d5cbae31ef6ac1c66ad69e4f87119acf91408ee106fa272904b22
Instruction ID: 0b7b95beb0ac980d67cafc72b831c99d28e3368e46800e568ddcec879058bdc4
Opcode Fuzzy Hash: 7afecffa8c3d5cbae31ef6ac1c66ad69e4f87119acf91408ee106fa272904b22
Instruction Fuzzy Hash: EB518F34E102258BDFA1CBA8C88076EF7A1FB45324F648926E019DB6C5C776E845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 063E4768 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b24e046375790211043303354759dc72fd81e0aac57cd2b922caf1c07d55fc
Instruction ID: 817cc9dbf2cdd71d698aedff8db2f9f5a7f6cff3f9766e94381fdfcb842cf04d
Opcode Fuzzy Hash: 20b24e046375790211043303354759dc72fd81e0aac57cd2b922caf1c07d55fc
Instruction Fuzzy Hash: 8D419370B002089FEF44AFA4C954B9EBBF6FF88710F20852AE105AB395DA758C05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 063E5030 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a63af104383d2518ee676baa0410ae9e64f1fabe6877d2e55ccc0193710c539
Instruction ID: dfd4b39c26c691e314da460f12af8e3be41a039d0dab44cd0a11b3d9ad980886
Opcode Fuzzy Hash: 7a63af104383d2518ee676baa0410ae9e64f1fabe6877d2e55ccc0193710c539
Instruction Fuzzy Hash: 3E415171E006199FDF70CED9D880AAFF7B2FB84324F10492AE115D3650D732A9598BE0

Uniqueness

Uniqueness Score: -1.00%

Function 063E4500 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4a3645d47b9a12cc043ea7893133c506fe83e964e27576a8cc04053836c671
Instruction ID: 0ade5beb7f16a86e41e10ab3f479bbcf9e9c637c78f5443e9cd31081ee07c1b5
Opcode Fuzzy Hash: bf4a3645d47b9a12cc043ea7893133c506fe83e964e27576a8cc04053836c671
Instruction Fuzzy Hash: CE416130E10214CFDB54DB68D494B9EBBF1EF89310F258469E40AEB3A2CA35DC45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 063EDAE8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0503b4d5088b6eaf088c786a1276b46b7b6b2bab94834f25dd1ec7ee8c5e7e36
Instruction ID: 821d65e3ca870e92f81b34788c1a2f05296dadd800b8f816f7bb0c2071ed494e
Opcode Fuzzy Hash: 0503b4d5088b6eaf088c786a1276b46b7b6b2bab94834f25dd1ec7ee8c5e7e36
Instruction Fuzzy Hash: D7418F70E1031A9BDB64DF65D85479EBBB6FF85740F208529D402EB280EF71A846CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 063E44F0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906172e4cda9428044d89cbae903df5c1a29fb3a5a1df794fd3e09502e03739f
Instruction ID: a498d11e06c5768cf90675daecf7e726dd710de642e41049010b001cee972044
Opcode Fuzzy Hash: 906172e4cda9428044d89cbae903df5c1a29fb3a5a1df794fd3e09502e03739f
Instruction Fuzzy Hash: D7416D70E10114CFDB54DB68D494B9EBBF2EF88310F258469E40AEB3A2DA75DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 063EDAD5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c9be006330d2bf05cdc2f105147e4ab9ac570dc2eef37afa24fedf1db3e312
Instruction ID: e630cded7cf0e5143aeeeed75c2d6bb4a6fb0ab2eafeeef0755022ad98e16cec
Opcode Fuzzy Hash: 26c9be006330d2bf05cdc2f105147e4ab9ac570dc2eef37afa24fedf1db3e312
Instruction Fuzzy Hash: 3541C170E0035A9FDB15DF74D84469EBBB2FF86300F24852AD402EB280EF709806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063E21C5 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef3ac56ecfd6089a0dc696b57c14ff5e08e71c743992107ed4cc3cbeef3f74e
Instruction ID: 16e4d87d41fb81713d3df9959a4a507a2f5a5b47a80b9e1b961ae9b60860e0d1
Opcode Fuzzy Hash: cef3ac56ecfd6089a0dc696b57c14ff5e08e71c743992107ed4cc3cbeef3f74e
Instruction Fuzzy Hash: 68313570B002168FDB59AB74D9543AF37AAAF89610F148528D402EB791DF39DD0ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 063E21D8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b3ddd441721c72da438a35695d7ea490ef35a601a4f09409cfa5c9a83adb5b
Instruction ID: 8ea827a27b218056f109abc20517feb7787ef1f7d6287d1d7b284153c6b8b349
Opcode Fuzzy Hash: 08b3ddd441721c72da438a35695d7ea490ef35a601a4f09409cfa5c9a83adb5b
Instruction Fuzzy Hash: FE31D430B102198FDB54AB74D91466F77AAAF89614F148528D402DB391DF35DD06C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 063E2088 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877e55c384e84e314d4a797b4ab22afe0929ce78717883976102f392790d6a34
Instruction ID: 08fb8313cc1191112d658065ac1adfe7288793dee41c10f65fb84f4fef3d3458
Opcode Fuzzy Hash: 877e55c384e84e314d4a797b4ab22afe0929ce78717883976102f392790d6a34
Instruction Fuzzy Hash: 6631A230E10215DBCB19CFA4D89569EB7B6BF89300F11C919E806EB790DB75AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063E2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca8b0dbf3314a1c09e863f8d9a79b29bd87a2bb24abfbaef525f5005525e2c1
Instruction ID: ae53987a21cde10fec92fea40743df68685a0dadd779d5b8c75581bc2678d899
Opcode Fuzzy Hash: dca8b0dbf3314a1c09e863f8d9a79b29bd87a2bb24abfbaef525f5005525e2c1
Instruction Fuzzy Hash: 2A315C30E10219DBCB19CFA5D89569EB7B6BF89300F118919E806E7390DB75AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063E5021 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f308fecf87e1003dc689f1d7c4d0e05d1c48361be1b5acd074aad38ed2a67
Instruction ID: 419c1bebab66bd152bcfc7e04691ba7c1e0e1730862074fae7fedaf1b30ad582
Opcode Fuzzy Hash: 5e7f308fecf87e1003dc689f1d7c4d0e05d1c48361be1b5acd074aad38ed2a67
Instruction Fuzzy Hash: 63317F71E007199FDF70CEA9C8817AEF7F2FB84224F14492AE115D3680D775A9498BE0

Uniqueness

Uniqueness Score: -1.00%

Function 063E3AB0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861bbe4d99bf8f28a88d2f8d689dabb3008d06c744ceb6b0a3724a3f3b668b8c
Instruction ID: 21530fce738f2716b75fb366047ed19d6d670b70b29011094681c90972ad38a8
Opcode Fuzzy Hash: 861bbe4d99bf8f28a88d2f8d689dabb3008d06c744ceb6b0a3724a3f3b668b8c
Instruction Fuzzy Hash: 03219D31F002199FEB50DF69E980AAEBBF6FB48710F148425E905E7394EB35D845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 063E3AC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06252f83725580be1634ab6437482052ef9105328882f8759a24b5c2ee8b0535
Instruction ID: 97596e33c0f2ccf2db1e18fa4fdbc850410229e9278d3c692d2e0735abb7f09b
Opcode Fuzzy Hash: 06252f83725580be1634ab6437482052ef9105328882f8759a24b5c2ee8b0535
Instruction Fuzzy Hash: 48219D75F0121A9FEB50DF69E980AAEBBF5FB48710F148125E905E7384E731D840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 063E3BD0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9394000ecb233704c8b228b3d59cdbce1d6665e24c681744809535d64f7214
Instruction ID: 6ed409b2c4a17403cacf2380f567776ef7af805b2e1cfc520618f382b08b5ff3
Opcode Fuzzy Hash: fb9394000ecb233704c8b228b3d59cdbce1d6665e24c681744809535d64f7214
Instruction Fuzzy Hash: C411A135B141299FDF949A78DC146AE73EBEBC8310F018439D506E7384EE25DC068BE0

Uniqueness

Uniqueness Score: -1.00%

Function 063E3E07 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8633b1d3e8260c06782b61b77e901cb1a7ffe57733c0660b16812f51f771c6
Instruction ID: 5b5282a0e0cfeccecd175aa8f656d4518808dd2f64eac7c18978625320491752
Opcode Fuzzy Hash: bf8633b1d3e8260c06782b61b77e901cb1a7ffe57733c0660b16812f51f771c6
Instruction Fuzzy Hash: B201F932B005201FEB21957D985475BB7EADBC5A10F14887BE40AC7381ED29DC0683E1

Uniqueness

Uniqueness Score: -1.00%

Function 063EEDA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aca4845f1a5f1a82001f3e67048a4a0a9405a365d55df3df56b0a2011005df7
Instruction ID: 4e64eb99cab9118ae5a6abad635d913cd24b7e9486906b11a7724c6406f73696
Opcode Fuzzy Hash: 9aca4845f1a5f1a82001f3e67048a4a0a9405a365d55df3df56b0a2011005df7
Instruction Fuzzy Hash: C1012436B105215FCF229A3CD84076E73E6DFC9A10F104826F40AC7380EE29EC0683E1

Uniqueness

Uniqueness Score: -1.00%

Function 063E3888 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82153f4e07b658764118fd269982b1ca70b61d4240bbaceba4e8819e92286dc7
Instruction ID: 36749a97241fe0dbafa1e6ff8fd94b393d117806e6ff3d539f80e434c517d275
Opcode Fuzzy Hash: 82153f4e07b658764118fd269982b1ca70b61d4240bbaceba4e8819e92286dc7
Instruction Fuzzy Hash: B521C0B5D01259ABDB10CF9AD884BDEFBB4FB48210F10812AE918A7240D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063EA301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61915fae5357fc8a8c8f1c7a5d18e85d43767137fe24ee88078c629f4d4fd491
Instruction ID: 1efc0da53c39db3e35b45e923f32cf93eb99173032ad7bd995e135a7ef9959c0
Opcode Fuzzy Hash: 61915fae5357fc8a8c8f1c7a5d18e85d43767137fe24ee88078c629f4d4fd491
Instruction Fuzzy Hash: 2901D635B004205BDF61E67CED9575EB3E6EB89B24F10882AE40AC7781DE29ED0683D4

Uniqueness

Uniqueness Score: -1.00%

Function 063E3890 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c5a934b56c17e5318f9865f7a4ca25bac7dac203f5edc08fc62f598b30c4ae
Instruction ID: d5d15a896b848ab0857c417055906248a735679bc79c436c1a3549cc39db435a
Opcode Fuzzy Hash: e1c5a934b56c17e5318f9865f7a4ca25bac7dac203f5edc08fc62f598b30c4ae
Instruction Fuzzy Hash: 8E11CFB5D01219AFDB10CF9AD884BDEFBB4FB48310F10812AE918A7240C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063E3E18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebd80c748b9a5f81cde2e23e8a7cf9b34f2a2d48b32de883641142d8732da0f
Instruction ID: d1d031e277ea2be0808b1d90508d73a02d8e51234b8aef0c38ecda1263632958
Opcode Fuzzy Hash: eebd80c748b9a5f81cde2e23e8a7cf9b34f2a2d48b32de883641142d8732da0f
Instruction Fuzzy Hash: 8501D132B108215BEB65957ED80576BF3DADBC9B10F10883AE10EC7380ED69DC0643E1

Uniqueness

Uniqueness Score: -1.00%

Function 063E3BC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ac83dda3689c6e8b31daeddc0c18d4edd7243c804e5329687f84b3cdc1e59a
Instruction ID: ce2c56580525397f69d9627d7cbd64bdc8da58eb1f303d7447b12731a46e2c9d
Opcode Fuzzy Hash: 26ac83dda3689c6e8b31daeddc0c18d4edd7243c804e5329687f84b3cdc1e59a
Instruction Fuzzy Hash: 4901A736F140259BEF989568DD553EF33ABDBC8610F144536D50AE7284EE25DC0747E0

Uniqueness

Uniqueness Score: -1.00%

Function 063EEDB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3226d222f41a767c76bebe0736a6f0cfb8c37e0daef78f00c2c2e5573ef2fd19
Instruction ID: 8cde37b92ea74d6f7faa8192b2018519419ab2eb1f256b450558631495e4ca07
Opcode Fuzzy Hash: 3226d222f41a767c76bebe0736a6f0cfb8c37e0daef78f00c2c2e5573ef2fd19
Instruction Fuzzy Hash: 6001A431B109215BDF65AA3DD85576F73DADBC9A10F108839F10AC7380EE19EC0683D1

Uniqueness

Uniqueness Score: -1.00%

Function 063E6438 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c613cd6c67b748f682124251274c62907ea7234708c815044f51083ae9878c20
Instruction ID: a2650a74b6b82633fbfa3da041ef95da10d89103bf74ef0385a899d4982514b7
Opcode Fuzzy Hash: c613cd6c67b748f682124251274c62907ea7234708c815044f51083ae9878c20
Instruction Fuzzy Hash: 5B01842292D3945FEB429E789D623CA3B619F93225F1504E7C444CF283E5288949C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 063EA310 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52ce47f916621fd80670371e1447522a9ee76a641f0faf9011d793bc38704f8
Instruction ID: 498c555be31ac1f5353b5434b43ba4e704284a848b663b79f5eb396fa21e61b3
Opcode Fuzzy Hash: d52ce47f916621fd80670371e1447522a9ee76a641f0faf9011d793bc38704f8
Instruction Fuzzy Hash: 8801AF30B101205BDF61EA7CDC55B2EB3E6EB89B14F10882AE40AC7784DE29EC0687D4

Uniqueness

Uniqueness Score: -1.00%

Function 063EC7F8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d316ca667922da3d61dafa7464d0deace9570a05953245276a6da096b65d57
Instruction ID: cce4b0b632220f423e445833e4a1951328a6729f7cc3df448ae0ea732d546d4c
Opcode Fuzzy Hash: 29d316ca667922da3d61dafa7464d0deace9570a05953245276a6da096b65d57
Instruction Fuzzy Hash: 7E01C832F10234ABCF28AA69ED41A9EB779FB85754F004539E915E7384DB35A805CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 063E4661 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac793f00a224cdf71a9e0c00df6fa115437c53c6743e9732653789e0d034afb0
Instruction ID: 210525233ea81e5c3c7dba43b9da76c010564b359ebcc3913e4d505c63ae1eb8
Opcode Fuzzy Hash: ac793f00a224cdf71a9e0c00df6fa115437c53c6743e9732653789e0d034afb0
Instruction Fuzzy Hash: 53F0FE30A10229DFDB14DF94E859BAEBBB2FF48701F204119E406A7291CBB41C45DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 063E6488 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436868181.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb8930aa85eaf97269b5899c0c8ef78ab01aaaf59dbb156fc85de883b627701
Instruction ID: b0afa36e8be90e6a1b7f2bf2642185b6104ee2c39c1af8a040d7ce6fd7e36aeb
Opcode Fuzzy Hash: 3eb8930aa85eaf97269b5899c0c8ef78ab01aaaf59dbb156fc85de883b627701
Instruction Fuzzy Hash: E1E0C270E2411CABDF50DEB4CE0775E73ADDB53214F2088A6D408C7281F172DA058BE0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: emaGqYHYeYNHas.exePID: 7404, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	317
Total number of Limit Nodes:	21

Executed Functions

Function 0973EA34 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0973EC76

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c3bb86be2f3391e2bd452b484a7f64739834b4d484565b07da1dbed99231ee0
Instruction ID: 551654f773af0e756060b367b1375a3570399feb466f25af1586a3c2ae618faf
Opcode Fuzzy Hash: 1c3bb86be2f3391e2bd452b484a7f64739834b4d484565b07da1dbed99231ee0
Instruction Fuzzy Hash: A8A16D72D00219CFEF21CF68C841BDEBBB2BF44310F5485A9E859A7281DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0973EA40 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0973EC76

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2116d76e3191e5e85a6a6d0356357c424ef9fe8f3e0e719b278552efedd850fe
Instruction ID: 1549ac76ca04a799473830d927e451e5f4d5e30a1650880060832ed0b5516979
Opcode Fuzzy Hash: 2116d76e3191e5e85a6a6d0356357c424ef9fe8f3e0e719b278552efedd850fe
Instruction Fuzzy Hash: 31915C72D00219CFEF21CF68C841BDEBBB2BF48310F5485A9E859A7281DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B4B1D0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B4B426

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ca0698d0b4516315676b44c306803765fc3d78e460778f5a490d6bb5693e8912
Instruction ID: 93ef106a38813db8a44cf023c586443e7080526000cf598656b55f5e426f7742
Opcode Fuzzy Hash: ca0698d0b4516315676b44c306803765fc3d78e460778f5a490d6bb5693e8912
Instruction Fuzzy Hash: 02714670A00B058FEB24DF6AD18175ABBF1FF88308F108A6DD59AD7A50DB74E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052610E8 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05261E02

Memory Dump Source

Source File: 0000000C.00000002.1451616599.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5260000_emaGqYHYeYNHas.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 76d75402a07e4cbb62b406322c6f6765cc3347599ef7399435609646f1d183ad
Instruction ID: f1a2a9114f0533cc8b76bdacef554f4f35981df6ebfd0d8aef910aeaa9261f25
Opcode Fuzzy Hash: 76d75402a07e4cbb62b406322c6f6765cc3347599ef7399435609646f1d183ad
Instruction Fuzzy Hash: 865136B1C143599FEB10CFA9C880ACEBBF1BF88710F24811AE418AB351D774A995CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05261CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05261E02

Memory Dump Source

Source File: 0000000C.00000002.1451616599.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5260000_emaGqYHYeYNHas.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4a004678c08d40e60ac1649a11ad3e3808f43d1d3ddbc4ee6d41b3d374187671
Instruction ID: 53449bfcf4974414cd41f7a1a736d01dab907c67611d836a453276d0ce1e974e
Opcode Fuzzy Hash: 4a004678c08d40e60ac1649a11ad3e3808f43d1d3ddbc4ee6d41b3d374187671
Instruction Fuzzy Hash: 5C51C3B1D10349DFDB14CFA9C884ADEBBB5FF48710F24812AE819AB250D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05261130 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05261E02

Memory Dump Source

Source File: 0000000C.00000002.1451616599.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5260000_emaGqYHYeYNHas.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3e00ec5198f5b1421753252b67126c0d4fb022af409cadc38bd28e3a858d765f
Instruction ID: ca080a935e061a859e43ee2ff214d174ae9e4ba4b63f034bdf8c7af32a37ffdc
Opcode Fuzzy Hash: 3e00ec5198f5b1421753252b67126c0d4fb022af409cadc38bd28e3a858d765f
Instruction Fuzzy Hash: 2251B1B1D10349DFDB14CF99C884ADEBBB6BF48310F64812AE819AB250D775A895CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B45E55 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B45F11

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0a4465ac9585d40dcf10e712fbd23320ef9936264857dd1670d851a3d027a0e4
Instruction ID: ef5862ab2c318aa6e1970f939f72c9cc2422b9a2601e6ce835eb7ee0d428aa8d
Opcode Fuzzy Hash: 0a4465ac9585d40dcf10e712fbd23320ef9936264857dd1670d851a3d027a0e4
Instruction Fuzzy Hash: 7241CFB0C00619CFDB24CFA9C9847DEBBB5FF48304F60856AD408AB251DB756946CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05261284 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05264381

Memory Dump Source

Source File: 0000000C.00000002.1451616599.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5260000_emaGqYHYeYNHas.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 31e4b8dea3a59f5049104566db1156f4c132fc8c4c9868a96c1e2da7069bcbd5
Instruction ID: 83e58379bbd3b6ccbb6ee35c0b5ce59fe4d0053ed5dae6f90ff75479d9ebec21
Opcode Fuzzy Hash: 31e4b8dea3a59f5049104566db1156f4c132fc8c4c9868a96c1e2da7069bcbd5
Instruction Fuzzy Hash: 7D415BB4910305CFDB14DF95C488AAAFBF5FF88314F248449E559AB360D774A881CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B4450C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B45F11

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b72f12dce1aaedff9b135f901d0e7a7a874412876addc8bbdcd343a311cd58eb
Instruction ID: f862588b6626d552387762e6df6957b17ce4e9f4fc135d48cae6f68f2fa7d720
Opcode Fuzzy Hash: b72f12dce1aaedff9b135f901d0e7a7a874412876addc8bbdcd343a311cd58eb
Instruction Fuzzy Hash: 7141B170D00719CBDB24CFAAC884BDEBBB5FF48304F60856AD408AB251DB756945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0973E7B0 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0973E848

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cbabdd68e01257222bd726d80b064c6c9fc9c479d96301116d2ed5a3038a8204
Instruction ID: 5de767e8fe4712a947c6325bb058ebf0c25f57fcfc08e0a6173bac68bcef1097
Opcode Fuzzy Hash: cbabdd68e01257222bd726d80b064c6c9fc9c479d96301116d2ed5a3038a8204
Instruction Fuzzy Hash: F22135729003499FDB10CFAAC881BDEBBF5FF48310F10842AE918A7240D779A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0973E7B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0973E848

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 95c813d41757389250b23d48acbdcca40d53732d78395fe08fcda03fd6e11f80
Instruction ID: 034eacfe85dc9885facadf0c103453e0ad046bd15af213c3349dda7d1ffb1d9a
Opcode Fuzzy Hash: 95c813d41757389250b23d48acbdcca40d53732d78395fe08fcda03fd6e11f80
Instruction Fuzzy Hash: 3D212472D003499FDB10CFAAC881BDEBBF5FF48310F10842AE918A7241D7799944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0973E8A0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0973E928

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 863525aa47617d6a4786c3234e657998f8328043ce7093b04916ce9276aed5e3
Instruction ID: dee52949ab0b6691946b5193e2fd0853b6433f54fcb40aa907b0fe0b0010138f
Opcode Fuzzy Hash: 863525aa47617d6a4786c3234e657998f8328043ce7093b04916ce9276aed5e3
Instruction Fuzzy Hash: B72128728003499FDB10DFAAC881BDEBBF5FF48310F50842AE519A7250D7799545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0973E1E0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0973E266

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 489d0b2932a606eded1e9f2ff320eca933eddd46c09d47a9aa234209b345159c
Instruction ID: 1c13d9eae707bb24a110660603b3278684356abfc64ddf37218f98c588f95686
Opcode Fuzzy Hash: 489d0b2932a606eded1e9f2ff320eca933eddd46c09d47a9aa234209b345159c
Instruction Fuzzy Hash: 26213872D003098FDB14DFAAC8857EEBBF4EF48214F54842AE519A7641CB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B4D238 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B4D66E,?,?,?,?,?), ref: 02B4D72F

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6907a9175dd12aaf138d1c02e94d2fed11887c50c2f3f601136dafa81822a97f
Instruction ID: 326dcc5cfe356d5ed3b3d4ec566b2a63442419ed20b9a3e38ec6e078b5e6f394
Opcode Fuzzy Hash: 6907a9175dd12aaf138d1c02e94d2fed11887c50c2f3f601136dafa81822a97f
Instruction Fuzzy Hash: B221E6B59003499FDB10CFAAD584ADEFBF4EF48310F14805AE918A3350D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B4D6A1 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B4D66E,?,?,?,?,?), ref: 02B4D72F

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f578899cee1ab3eb0350c306b5814c7fc69fe1edbed3c68eae53b9411984d25
Instruction ID: ab276bbe0d2b9499bd0f6a69217ce7fa10aa252e03d935baf8b6443ec3fd7209
Opcode Fuzzy Hash: 9f578899cee1ab3eb0350c306b5814c7fc69fe1edbed3c68eae53b9411984d25
Instruction Fuzzy Hash: BB21E4B5D00249AFDB10CFAAD984ADEBBF8FB48310F14805AE914A3350D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0973E8A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0973E928

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cb7cb3fe23a2c9fded85da4fc0135b99b21e38f664e85231d9cd39e11c9fae3e
Instruction ID: 8bf26e98d685e14569b070636aa073caa0c76f17e8a16acd0904e441d40147dd
Opcode Fuzzy Hash: cb7cb3fe23a2c9fded85da4fc0135b99b21e38f664e85231d9cd39e11c9fae3e
Instruction Fuzzy Hash: BA2128728003499FDB10CFAAC880BDEBBF5FF48310F50842AE518A7240D7799500CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0973E1E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0973E266

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8192be1b5c038c594b461f27f246c970943d88fef77fefb47cb2d5b518b9aef2
Instruction ID: cd37a06848945f9569646f388a4ab885e719e54391a802b91eb3650ba7b810d6
Opcode Fuzzy Hash: 8192be1b5c038c594b461f27f246c970943d88fef77fefb47cb2d5b518b9aef2
Instruction Fuzzy Hash: 87214772D003098FDB10DFAAC4857EEBBF4EF48210F54842AE519A7241CB78A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0973E6F0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0973E766

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a346a86dd56ac9f7c078bb29d2a1b9c3f4221c814ddc9722ebe4733d731aee1e
Instruction ID: b97a1a3728fd95b301919ccb70435ca6bea887924429cf409f452f155850ca3a
Opcode Fuzzy Hash: a346a86dd56ac9f7c078bb29d2a1b9c3f4221c814ddc9722ebe4733d731aee1e
Instruction Fuzzy Hash: 7B1156728003489FDB10DFAAC844BDFBBF5EF88314F10881AE529A7250C776A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B4AEE8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B4B4A1,00000800,00000000,00000000), ref: 02B4B6B2

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a76c9f55aae1c18f44628f25d479dc0a0050c6f127f49b146a067a6365ac8602
Instruction ID: 652da8696d278e1df7b1c6f5c4d099287fb7639b71bc78d1207c7cc364f541c5
Opcode Fuzzy Hash: a76c9f55aae1c18f44628f25d479dc0a0050c6f127f49b146a067a6365ac8602
Instruction Fuzzy Hash: B01103B6D002488FDB20CFAAC484ADEFBF4EB48314F10846AE519A7240C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B4B641 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B4B4A1,00000800,00000000,00000000), ref: 02B4B6B2

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d10dc0d6b88bb6fe750e7f8b9757fdc78e69a58a282b98649ac14013873687c6
Instruction ID: cb333b62e26282481ff6b4b7c50be5e11ba365cf5ffdc0e90e1e9a0f2bdaf8aa
Opcode Fuzzy Hash: d10dc0d6b88bb6fe750e7f8b9757fdc78e69a58a282b98649ac14013873687c6
Instruction Fuzzy Hash: 6F1114B6D002489FDB10CFAAC484ADEFBF4EB58314F14841AD519A7340C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0973E6F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0973E766

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3af99df2d9f89e1c9e7312f93612d1b5f0a03eb7604a5d5489c31aa3d535230b
Instruction ID: b46927500b9cef3e29701d0802ea106fc845a673c1887dee28b6ef1846bfc832
Opcode Fuzzy Hash: 3af99df2d9f89e1c9e7312f93612d1b5f0a03eb7604a5d5489c31aa3d535230b
Instruction Fuzzy Hash: 8F1149729003499FDB10DFAAC844BDFBBF5EF88310F14841AE529A7250C775A540CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0973DCF9 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0973DD62

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d7d0e91ea43d75498390ff40745be87b981e1f35beb73dc27402af730ba15255
Instruction ID: 3669b18074f6e8322f18e73d147edbc266fe1255ced2d24ad0c498fd43f9b438
Opcode Fuzzy Hash: d7d0e91ea43d75498390ff40745be87b981e1f35beb73dc27402af730ba15255
Instruction Fuzzy Hash: CF1128719003488FDB24DFAAC8457DFFBF4AF88214F24841AD519A7650CB79A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0973DD00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0973DD62

Memory Dump Source

Source File: 0000000C.00000002.1453731609.0000000009730000.00000040.00000800.00020000.00000000.sdmp, Offset: 09730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9730000_emaGqYHYeYNHas.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d2781e69bfa0446d2eed829a73afcb59dee98dbdaf0a0fed8571438e56356ee0
Instruction ID: 5d489abf5415ef0afa9809e00edae061dbab92b19ca40ab0875d405b1d8966c7
Opcode Fuzzy Hash: d2781e69bfa0446d2eed829a73afcb59dee98dbdaf0a0fed8571438e56356ee0
Instruction Fuzzy Hash: 8E113A719003488FDB20DFAAC4457DFFBF4AF88214F14841AD519A7640CB79A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B4B3C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B4B426

Memory Dump Source

Source File: 0000000C.00000002.1446614033.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2b40000_emaGqYHYeYNHas.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 624952718ce2202e4281def532f735d481f1e9a600bd087ca739bf904f229610
Instruction ID: b9d1ec840e0040da0a72ab762c1596beebacefd3ecb0beaeaf57076942b63f41
Opcode Fuzzy Hash: 624952718ce2202e4281def532f735d481f1e9a600bd087ca739bf904f229610
Instruction Fuzzy Hash: CD110FB6D002498FCB20CF9AD484ADEFBF4EF88324F14845AD528A7640C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09852668 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 098526CD

Memory Dump Source

Source File: 0000000C.00000002.1454045633.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9850000_emaGqYHYeYNHas.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 584b7f511f08eddea6961f9e1347bdac11552439ec9ab4ac93d37a7975a22c04
Instruction ID: 072dcbf19083f7ad03614e944af486c420b8293aeccc360cfdaed001bcc9df0b
Opcode Fuzzy Hash: 584b7f511f08eddea6961f9e1347bdac11552439ec9ab4ac93d37a7975a22c04
Instruction Fuzzy Hash: FB11D3B58003499FDB10DF9AD885BDEBFF8EB48314F20841AE929A7750C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09852670 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 098526CD

Memory Dump Source

Source File: 0000000C.00000002.1454045633.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9850000_emaGqYHYeYNHas.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a256ccf83d40451dbf4d8d8a7d9c3162ccef1028261d3a3c9b5c5f94351d7017
Instruction ID: 8f87566507ccfec69cbef8ad756a55d94f23f2b115c0973a6f244bc76c32e919
Opcode Fuzzy Hash: a256ccf83d40451dbf4d8d8a7d9c3162ccef1028261d3a3c9b5c5f94351d7017
Instruction Fuzzy Hash: 2211E5B58003499FDB10DF9AD885BDEFBF8EB48310F10841AE929A7750C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1445214990.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f9d000_emaGqYHYeYNHas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e47264c1d37800b4a084f49b3e33f1a98575ddc264559e1c8606142de40587d
Instruction ID: c998fa2fe4d4606a8effa9a2ddf69c0841debc7f4866789fb568d887a3c6079d
Opcode Fuzzy Hash: 0e47264c1d37800b4a084f49b3e33f1a98575ddc264559e1c8606142de40587d
Instruction Fuzzy Hash: 4221D672904244DFEF15DF14D9C0B26BBA5FB84328F34C569E9050B256C336D856DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1445297128.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fad000_emaGqYHYeYNHas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60451dee6d4bdfd1a35b7e3eea82c0b728fa3bc323ed1dcae517095091a634b2
Instruction ID: 4020c25b5cb7b617e538168c73094cb891cd415be8d748378ab65e9be05f1966
Opcode Fuzzy Hash: 60451dee6d4bdfd1a35b7e3eea82c0b728fa3bc323ed1dcae517095091a634b2
Instruction Fuzzy Hash: 2C2107B5504340DFDB14DF20D9C4B16BBA5FB85324F20C56DE84B4B65AC336D847DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1445297128.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_fad000_emaGqYHYeYNHas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a60d1953fc958c83dc4c98f0cd8cea5047e38f9cc4d92a587426c5553833212
Instruction ID: 5dfae165fb9ece7191379e9c952d0f896e6cdcfe2a9f39fe810c858de622cdee
Opcode Fuzzy Hash: 7a60d1953fc958c83dc4c98f0cd8cea5047e38f9cc4d92a587426c5553833212
Instruction Fuzzy Hash: 062162755093C08FCB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A984ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F9D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1445214990.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f9d000_emaGqYHYeYNHas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: c3248f8bac49a0265840af610b604f2fe8c75991771021b16552ac18339977aa
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: FA119D76904280CFDF15CF10D5C4B16BF61FB94328F2886A9D8494B656C336D85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 7740, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	95
Total number of Limit Nodes:	10

Executed Functions

Function 061F51B0 Relevance: 1.8, Strings: 1, Instructions: 589
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 061F553C

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 424839ae65109443f00833ac82a307f8189b7f3d97b94f981e47873bb1f3d5a3
Instruction ID: 0d5042a052575b5dc50661c27d13ff3d28a2e2c6c219c79444b850f991c00452
Opcode Fuzzy Hash: 424839ae65109443f00833ac82a307f8189b7f3d97b94f981e47873bb1f3d5a3
Instruction Fuzzy Hash: CB22BE31E202158FDF64DBA4C4806AEBBB3FF95320F258569D519AB354DB35EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061F2360 Relevance: 1.5, Instructions: 1491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c4a0bdd5dabb2edbeebb7b8d3e1c4a504ffdf82bb6ee776f84c2828562163a
Instruction ID: 2fee2cfd61558212a4e04f4e7bcb469a7cb1e8426dae71070d40926e08d6c8e5
Opcode Fuzzy Hash: f2c4a0bdd5dabb2edbeebb7b8d3e1c4a504ffdf82bb6ee776f84c2828562163a
Instruction Fuzzy Hash: 66D26830E10205CFDB64DBA8C584A9DB7F2FF89310F55C5AAD509AB261EB31ED85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 061F65F8 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0702863b007d90c105c9ea6666daebc0b7d532c1e649f12023bafc6685815e3d
Instruction ID: f33d88459e8d14be259ceff1d25b08df45b9b8afe8fe267d1c0aca2207257288
Opcode Fuzzy Hash: 0702863b007d90c105c9ea6666daebc0b7d532c1e649f12023bafc6685815e3d
Instruction Fuzzy Hash: F462AC30B20205DFDB54DB68D594AADB7F2EF89310F248569E506EB394DB35EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 061FB230 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e3ec51f5ee92f469851d6f46f19fb86a58759c17d199ddf68619b44e7248e5
Instruction ID: ce557112496997511f67326b94b4a6de9871511d848f295031e6779a84794290
Opcode Fuzzy Hash: 24e3ec51f5ee92f469851d6f46f19fb86a58759c17d199ddf68619b44e7248e5
Instruction Fuzzy Hash: ED529230E242098FEF64DB68D4907AEB7B2FB85310F25852AE506EB395DB35DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 061FC1A8 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3309da66ad2fd994c86e5d7556765947abb3729ebf6eee23d02095fa2b5219f
Instruction ID: fd903cec65ba69d4197cc79993c0a6b596f2d42190cb295801c9456884d54d20
Opcode Fuzzy Hash: b3309da66ad2fd994c86e5d7556765947abb3729ebf6eee23d02095fa2b5219f
Instruction Fuzzy Hash: 3B327E34B202099FDF54DB68D890BAEB7B2FB89310F108565E605EB395DB35EC42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 061F7D80 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb3221f2eeedd68b3a58418c6762c13edaec6968ebbc7428a9cd1dbc840b9ba
Instruction ID: 52c9013c320623052a62c70835b3b0f69ee34f8811900c68c9988a89c8582378
Opcode Fuzzy Hash: ffb3221f2eeedd68b3a58418c6762c13edaec6968ebbc7428a9cd1dbc840b9ba
Instruction Fuzzy Hash: C402BC30B20205CFDB98DB68D894AAEB7F2BF84310F558929D515EB394DB71EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061D3482 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061D350E
GetCurrentThread.KERNEL32 ref: 061D354B
GetCurrentProcess.KERNEL32 ref: 061D3588
GetCurrentThreadId.KERNEL32 ref: 061D35E1

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8726bc797bcbecbb70cf2e423b9121357272928be85a4aaf49fe681ad86a57f9
Instruction ID: 0922d0792fe39c3b9e3317ac9d4d561f6be11164ed997e25b66677b0c93c0ebd
Opcode Fuzzy Hash: 8726bc797bcbecbb70cf2e423b9121357272928be85a4aaf49fe681ad86a57f9
Instruction Fuzzy Hash: BE5155B0D007498FDB54CFAADA4879EBBF1AF48314F248459E019A7350D774A984CB66

Uniqueness

Uniqueness Score: -1.00%

Function 061D3490 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061D350E
GetCurrentThread.KERNEL32 ref: 061D354B
GetCurrentProcess.KERNEL32 ref: 061D3588
GetCurrentThreadId.KERNEL32 ref: 061D35E1

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0ee3fc139e5733c0615b52f50789887409ca7c5acb146dffbd8cc3d83f368b9d
Instruction ID: 57668bc235513509f4e5a7f8c7f06efaddaa22ecc1c79c0815f3ed11faeea216
Opcode Fuzzy Hash: 0ee3fc139e5733c0615b52f50789887409ca7c5acb146dffbd8cc3d83f368b9d
Instruction Fuzzy Hash: AA5165B0D007498FDB54CFAADA48B9EBBF1AF48314F248459E019A7350D774A984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 061DB9B8 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 061DBC1E

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6051f5542a235cda8e3b2470eb2f5f94095afaa3f625ec5c3928a7ea74b80b78
Instruction ID: 12f27e0270b4b1eb953728eddb6e85cd6d7837182ae6932014b66393450affde
Opcode Fuzzy Hash: 6051f5542a235cda8e3b2470eb2f5f94095afaa3f625ec5c3928a7ea74b80b78
Instruction Fuzzy Hash: 928157B0A00B059FD764DF2AD44079ABBF1FF88300F048A2DD49ADBA50DB75E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 061DDBA4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061DDCC2

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f88701fe551ac9e324b461f19144c5332f5a7971a2bc099cf3fb78794e26dc8f
Instruction ID: b84e1a384b7d264cf6938dff01cf144630332be759501279b7dbb5d3b82bbe18
Opcode Fuzzy Hash: f88701fe551ac9e324b461f19144c5332f5a7971a2bc099cf3fb78794e26dc8f
Instruction Fuzzy Hash: C251D3B1D0034D9FDF14CFA9D884ADEBBB5BF48310F64852AE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 061DDBB0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061DDCC2

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1a20d3884c1b414dc2947a98f37492f68e15a18abcafdb10de1337b30ab95cb1
Instruction ID: 31c22436ed32e866377d12b39f793dd87323cd54df777e2884dc01ccec133612
Opcode Fuzzy Hash: 1a20d3884c1b414dc2947a98f37492f68e15a18abcafdb10de1337b30ab95cb1
Instruction Fuzzy Hash: 8441B1B1D003499FDF14CFAAD884ADEBBB5BF48310F24852AE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 027170A9 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02717127

Memory Dump Source

Source File: 00000012.00000002.2609346689.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2710000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9fe0681b17cf322ca6b2441281bf191fdb4808c7d780c8e01ed1cc703d91a0b4
Instruction ID: 2019222fdd3441a1b833f78cbe4d02a4c392d4cc583ef722577390a28eebc804
Opcode Fuzzy Hash: 9fe0681b17cf322ca6b2441281bf191fdb4808c7d780c8e01ed1cc703d91a0b4
Instruction Fuzzy Hash: 462148B2901259CFDB14CF9AD884BEEFBF4AF48310F24845AE458A7250C7789944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 027170B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02717127

Memory Dump Source

Source File: 00000012.00000002.2609346689.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2710000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4f052c1a655cd30c925e68c2147695813b3e16585fd491748b6a680909478673
Instruction ID: f60076f6be42ddb0a6702cd9b349cb85d301f0fa1f30f1d613a2d9facb47dbdd
Opcode Fuzzy Hash: 4f052c1a655cd30c925e68c2147695813b3e16585fd491748b6a680909478673
Instruction Fuzzy Hash: 1E2139B2801259CFDB14CF9AD884BEEFBF4AF48210F14845AE455A3250D778A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 061D36D0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061D375F

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7ae42bb3029752699ca0de6069cb14ee5fb20a944984c5a49334e21522c59607
Instruction ID: cbdb0269d43c5a484765f6060e20374d337e0e701a27a6b8624d5c5f5d1b5443
Opcode Fuzzy Hash: 7ae42bb3029752699ca0de6069cb14ee5fb20a944984c5a49334e21522c59607
Instruction Fuzzy Hash: E421C4B5D00248EFDB10CFAAD984ADEBBF5EB48310F24841AE914A7350D374A955CF65

Uniqueness

Uniqueness Score: -1.00%

Function 061D36D8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061D375F

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 78d6ab27fbf2cc58355487551428b3d78b8203e3765ea1d90ec1e3952fc2f2e0
Instruction ID: 4dbbdb94fcbaeedd962a093ea053965449286a48121b194fc20a0224f08a3eb1
Opcode Fuzzy Hash: 78d6ab27fbf2cc58355487551428b3d78b8203e3765ea1d90ec1e3952fc2f2e0
Instruction Fuzzy Hash: 2F21C4B5D00248AFDB10CFAAD984ADEBBF9EB48310F14841AE914A3350D374A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0271F0B7 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0271F137

Memory Dump Source

Source File: 00000012.00000002.2609346689.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2710000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ae63ab732534e746a057a0b13a73491655e0bd7ef3f2f4dac116c4890f6871be
Instruction ID: ab81f2f27c4169da5c51a160c38a2eaebe95f1040fb0a0af911f99aa9ca01919
Opcode Fuzzy Hash: ae63ab732534e746a057a0b13a73491655e0bd7ef3f2f4dac116c4890f6871be
Instruction Fuzzy Hash: 151153B2C00659CFCB10CFAAC4447DEFBF4AF08210F10816AD828B7641D338A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 061DBE1B Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,061DBC99,00000800,00000000,00000000), ref: 061DBE8A

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cacb97eec50c0b7c148e2376dd8c6d0f8f40e0d0410f22a9e47196b394feea25
Instruction ID: 237fbc68c748b9741bda9d9b1edc3c17080a6226a28dc5a86d9c4939ca6ffee5
Opcode Fuzzy Hash: cacb97eec50c0b7c148e2376dd8c6d0f8f40e0d0410f22a9e47196b394feea25
Instruction Fuzzy Hash: 131126B6C003089FDB10CFAAC844BDEFBF8EB88310F11841AE519A7210C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 061DA9B0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,061DBC99,00000800,00000000,00000000), ref: 061DBE8A

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7deb785106631ce2b21e79527fdf1e1620ce12efc25577dcf705f5531478e02c
Instruction ID: f3cb3710384e81da9950b829cdb75f274306dd5f119a1a9f4993b0adb11d8151
Opcode Fuzzy Hash: 7deb785106631ce2b21e79527fdf1e1620ce12efc25577dcf705f5531478e02c
Instruction Fuzzy Hash: 211103B6C043088FDB14CF9AC444B9EFBF9EB88610F11846AE519A7250C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0271F0D0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0271F137

Memory Dump Source

Source File: 00000012.00000002.2609346689.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2710000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 41d8168327415981c0d44bdc8c395f451adb3bdf57cfc714a6bdae6289750a9e
Instruction ID: 4333282dfb501bdb540a6c4206e3de0c00c45c12bfd5ba00afa81e9a15b80f4a
Opcode Fuzzy Hash: 41d8168327415981c0d44bdc8c395f451adb3bdf57cfc714a6bdae6289750a9e
Instruction Fuzzy Hash: ED1126B1C006599BDB10CFAAC444BDEFBF4AF48220F11812AE818A7640D378A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 061DBBB8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 061DBC1E

Memory Dump Source

Source File: 00000012.00000002.2617656148.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61d0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e5c6abeea1d5b18765537766ecedec49a1e817a65dd1d0c6b9f567115d2d7b5d
Instruction ID: 58d8a8a6e09c19cabef921d9e485d2c2bfd9da3acc8b8066227c60cf5c9ed95a
Opcode Fuzzy Hash: e5c6abeea1d5b18765537766ecedec49a1e817a65dd1d0c6b9f567115d2d7b5d
Instruction Fuzzy Hash: 6C1110B6C002498FCB20CF9AC844BDEFBF4AF88214F11841AD829A7210C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 061FFEE3 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

|, xrefs: 061FFF50

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 8e56a0265e9647b8dfc1f44892c30c2f94e22576d72b0bbef6eb69a65061bb73
Instruction ID: f1b53f6b3bcbcf941f5461cbc0888fefff965acffb1a47b8fd8c0710d6561756
Opcode Fuzzy Hash: 8e56a0265e9647b8dfc1f44892c30c2f94e22576d72b0bbef6eb69a65061bb73
Instruction Fuzzy Hash: 6C21E271F142508FCB91DF7898047ADBBF1AF89610F1544AEE64ADB3A2DB359C01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 061FFF00 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 061FFF50

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: eb2f0409a53745e7833374226493c000df66152c23bcd06f256be91028d0f047
Instruction ID: 6439998d7aeef9c472572d973825cda119f74f783fd2cb0217574fc064925274
Opcode Fuzzy Hash: eb2f0409a53745e7833374226493c000df66152c23bcd06f256be91028d0f047
Instruction Fuzzy Hash: F2115E71B102249FDB94DF789804B6E7BF1AF8C610F104469EA0AEB3A0DB759D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061FCF60 Relevance: .8, Instructions: 802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164c25399dec55798588af6bc765baac3b8f75c760f95bb50276137bad251c78
Instruction ID: b5632616c76ad4cd7dbf4f1c8dad9df1e1de3660add63a2a0a6414f69f64e7c9
Opcode Fuzzy Hash: 164c25399dec55798588af6bc765baac3b8f75c760f95bb50276137bad251c78
Instruction Fuzzy Hash: 6E626E30A1060ADFCF55EB68E590AADB3F2FF85714B208A68D1159F355EB71EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 061FACC8 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b83432b17b1ae035193e92d6187f1defbb62918abc648170e619a750fbc39d9
Instruction ID: 5a7052cc97162b850e7a8da4c3c0a37ded6152f6e586d48ee9fc995332229d77
Opcode Fuzzy Hash: 9b83432b17b1ae035193e92d6187f1defbb62918abc648170e619a750fbc39d9
Instruction Fuzzy Hash: 44E17C30E20209DFDF69DB69D8806AEB7B2BFC5210F108529D919AB345DB75E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061FB220 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7cc5cfdc0ed03543146382f1f301d7096ebb068c1deea744c25511800caffc
Instruction ID: a136d8d495798926333f56e72bb59e29937fe87d98eb10e96669030fe18b95f5
Opcode Fuzzy Hash: db7cc5cfdc0ed03543146382f1f301d7096ebb068c1deea744c25511800caffc
Instruction Fuzzy Hash: A1A1D830F242098BEF64DB6CD4907AEB7B2EB89310F604429E506EB395CB39DC418B55

Uniqueness

Uniqueness Score: -1.00%

Function 061F9148 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c957d28e09630c849d21a939aa748ac062db5067e4d26d71d1faac39ebcd29b5
Instruction ID: 1ba5d96381f5295c99095bd02318d521fdc7f42be1dc28e2fae06fd802d39747
Opcode Fuzzy Hash: c957d28e09630c849d21a939aa748ac062db5067e4d26d71d1faac39ebcd29b5
Instruction Fuzzy Hash: F7917F34B1060A9FDB94EB79D8547AE73F2AFC5300F118969D509EB384EB31AC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061F5DF0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9631ef563e1dd7a904e9dd405e060f5d3fb069c2aad4a87ec0234dc745c5e1a7
Instruction ID: 6b94cb7b224a0ce8a12b9c27148388969e1a6615d8d82b2370252af87f60eda0
Opcode Fuzzy Hash: 9631ef563e1dd7a904e9dd405e060f5d3fb069c2aad4a87ec0234dc745c5e1a7
Instruction Fuzzy Hash: 5A61E071F101114BDF50AB7ED9846AEBAE7AFD4620B254439D80ADB321DFB6EC0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 061F3EA8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267180d55160fd490d6623a2c934c33a497aadde686149ef77ba8e3f4ed117ea
Instruction ID: 2d778e548c6b3f4d014222bc1d96d32a955928d25d5fe7f021f44f316a48513e
Opcode Fuzzy Hash: 267180d55160fd490d6623a2c934c33a497aadde686149ef77ba8e3f4ed117ea
Instruction Fuzzy Hash: 91815D30B1020A9BDF54DFB9C4547AEB7F2AF85300F108529E51AEB395DB75EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 061F3EB8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9174cc3982bc74dbe6b4d81c9c98ba66353523b9fe18e7fbaac1f505c315ff0
Instruction ID: 848886572e71b2d07d318c511dba85c3c2643ac2122b849dcdd8fee725fd3e01
Opcode Fuzzy Hash: e9174cc3982bc74dbe6b4d81c9c98ba66353523b9fe18e7fbaac1f505c315ff0
Instruction Fuzzy Hash: 5C814D30B1020A9BDF54DFB9C4547AEB7F2AF85300F108529E51AEB395DB75EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 061F41CC Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c384e766e06af4d07a35a00061b55a12521ffaac807f9911d0b304fd0af3c1
Instruction ID: 6b34f07ff026763a81c2114ead771f0e6d94155b45c87ddb3e5e4a1ec86c55f6
Opcode Fuzzy Hash: 41c384e766e06af4d07a35a00061b55a12521ffaac807f9911d0b304fd0af3c1
Instruction Fuzzy Hash: AB914F30E106198BDF50DF68C890B9EB7B1FF85310F208699D549BB351EB71A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061F41E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7abbac82aa447189d7a96cc4a3e05591979777a343ce4e11cfcad74f507c6c6
Instruction ID: 6925672f812f1444ab9fd38f7c0176b8a4d60055a97c1cdd9bb7c6c592d4a487
Opcode Fuzzy Hash: b7abbac82aa447189d7a96cc4a3e05591979777a343ce4e11cfcad74f507c6c6
Instruction Fuzzy Hash: FA915030E102198BDF60DF68C880B9EB7B1FF89310F208599D549BB341EB71AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 061FEB20 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba64f1e761c1817509e85b51cfca2b75c6796015af024aca1b75bc435804e3c9
Instruction ID: ae3c6f4dc5be74c9733ec21f2b18782a26151b67ea4fe2b394e1f2e8a0662d90
Opcode Fuzzy Hash: ba64f1e761c1817509e85b51cfca2b75c6796015af024aca1b75bc435804e3c9
Instruction Fuzzy Hash: 40715C30E10209AFDB54DFA8D980A9DBBF6BF84310F248569E519EB365DB30EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 061FEB30 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce45dbe6190f694c63518a22760bbdaa85f866ea6690c1276e4219c8cf07ed4
Instruction ID: 0085a4a503ff60631ae749ccd786e1c5723c191d2c79234a9e45b6d18d536a12
Opcode Fuzzy Hash: 1ce45dbe6190f694c63518a22760bbdaa85f866ea6690c1276e4219c8cf07ed4
Instruction Fuzzy Hash: 9A712A30A10209AFDB54DFA9D990A9DBBF6BF88310F148569E519EB364DB30EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 061F4778 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1359706e2f2e3f9b15eba92d5cf40ae492dee3858d9dc3e305fda98955b9d1
Instruction ID: 676577d61e52e138ab5dbd07ef1ea326677adde9e63864687a3c333347ff74c8
Opcode Fuzzy Hash: 2f1359706e2f2e3f9b15eba92d5cf40ae492dee3858d9dc3e305fda98955b9d1
Instruction Fuzzy Hash: 36617E30F102089FEF549BA5D854BAEBBF6FF88300F208529E506AB395DF758C458B94

Uniqueness

Uniqueness Score: -1.00%

Function 061FFCA0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafb47cfdee108ad815056bc682e48cb228fb08e76361b90b10c4b4305bf01e9
Instruction ID: 1de3ca4a0cda38f1855dc50c60294bbcedfed5663a2a7549399ead294edbf4c5
Opcode Fuzzy Hash: eafb47cfdee108ad815056bc682e48cb228fb08e76361b90b10c4b4305bf01e9
Instruction Fuzzy Hash: 8B51DF31E20209DFDF54EF79E4886ADB7B2FF84311F11886AE206D7251DB719856CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061F9138 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966502327716d957ba7fb7626199de4360c32f2e65873c72c2ef861829a0d648
Instruction ID: 0b95f4425f8cce43fba6a6aec8a3993482f0b4b5c7c5d3509f5702c8250da4b5
Opcode Fuzzy Hash: 966502327716d957ba7fb7626199de4360c32f2e65873c72c2ef861829a0d648
Instruction Fuzzy Hash: D9517330B101059FDB54EB78D854BAE73F6ABC5310F118869D509EB394EB31DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061FF63B Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b83461b9eb16e8d1d6a97185987772814bafb5866f9130062cbfe5f1d24268
Instruction ID: a95a9ff3e8f77b302bb067a37b302968c424e08726f9b2a4850a687b6e8f2b7d
Opcode Fuzzy Hash: f0b83461b9eb16e8d1d6a97185987772814bafb5866f9130062cbfe5f1d24268
Instruction Fuzzy Hash: FA51D830F202158FEF64576CD8947AF765AD7CAB10F60452AE20ACB3E9DFA9CC424791

Uniqueness

Uniqueness Score: -1.00%

Function 061FF648 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4749cd76f1abd57f325ffecada3a77bd163ff1b9ee13e72ad97b46021e919930
Instruction ID: c07edae4e45bb574f9daffd8e07f4e034404e95d8fa79a7f4389cd1ac00105c8
Opcode Fuzzy Hash: 4749cd76f1abd57f325ffecada3a77bd163ff1b9ee13e72ad97b46021e919930
Instruction Fuzzy Hash: 2D51C730F202159FEF64676CD89476F725AD7CAB10F60452AE20ACB3E9DFA9CC424791

Uniqueness

Uniqueness Score: -1.00%

Function 061F51A1 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112506181743e983b25817d2d14497ff560813f330f1dd29b993e71083637c6d
Instruction ID: b6c4a5a65d3230495baed66c0ceb22fadb6124ce1452850f943bc72bd41e4d0f
Opcode Fuzzy Hash: 112506181743e983b25817d2d14497ff560813f330f1dd29b993e71083637c6d
Instruction Fuzzy Hash: DB519170E206058BDF61CBB8C4C0B6EFBB2FB55310F548A26E219DB285C775E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 061F4768 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7db186c0bbc01022ed7764f0a8fd0d2e7fc832f5a9c884cfef9bb067686a794
Instruction ID: 2a108dc5e90ce4338355cb4458a8b8e4760e5739dbeb6ab0b201884fd9cac52a
Opcode Fuzzy Hash: d7db186c0bbc01022ed7764f0a8fd0d2e7fc832f5a9c884cfef9bb067686a794
Instruction Fuzzy Hash: 9F415B70F102089FEB459FA5D854BAEBBF6FF88300F20852AE105AB395DF758C459B94

Uniqueness

Uniqueness Score: -1.00%

Function 061F5030 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f440b53e9e9941810b75f80a3b3d0ab8260746dac579c591658b2380f78cbec
Instruction ID: 14142aea4415f138bd7266cf50e6864f8a43f415b893a7067ca1044239ecb81a
Opcode Fuzzy Hash: 8f440b53e9e9941810b75f80a3b3d0ab8260746dac579c591658b2380f78cbec
Instruction Fuzzy Hash: 3D418D31E1060A9FDF70CF99D880AAFF7B3FB99214F10492AE216D3640D771E8558B90

Uniqueness

Uniqueness Score: -1.00%

Function 061FDAE8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa9e7e1927bc3d40770997d5c9a78dd282cbe5c0d57f953f55c471f809087ae
Instruction ID: 28c97300a04757ed835311381eac818007f4f90b07c7c35578c0e86dbf14e0d1
Opcode Fuzzy Hash: 6aa9e7e1927bc3d40770997d5c9a78dd282cbe5c0d57f953f55c471f809087ae
Instruction Fuzzy Hash: A4418170E1074A9FDF54DF65E4546AEBBB6FF86300F208929D505EB240EF71A841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 061FDAD5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4e2629a2d0fe3b3f90d930874737b727fdf04a6e73bd5dae50e48ded93d69a
Instruction ID: 1caafebdf96376f69c87a8d9ad9d1e99b952c1512e477d58718de9080ee6f166
Opcode Fuzzy Hash: 8f4e2629a2d0fe3b3f90d930874737b727fdf04a6e73bd5dae50e48ded93d69a
Instruction Fuzzy Hash: F1419D30E107499FDF15DF75E8546AEBBB6FF86300F248969D505EB240EB71A842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 061F21C5 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6544e3749f83c8f3dec236727eb2c4a072fe9e1b03c2f70b3e2721fc80a11a66
Instruction ID: ff3da68ee5c3db16d7ffda33f6ee47139688ca50356d8d72f6550d12a6aad3e6
Opcode Fuzzy Hash: 6544e3749f83c8f3dec236727eb2c4a072fe9e1b03c2f70b3e2721fc80a11a66
Instruction Fuzzy Hash: F0311030B202068FDB599FB4D5546AE3BB7AF89200F254968C402EB390DF36CD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 061F21D8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934d06c6e649d7b05f89072ac8af4281f510095ad9f58d6aa06ce107538b6207
Instruction ID: 74a431ebb0afde58931e5a1a1ed067ef390c287914962d68d5f60eb17077d488
Opcode Fuzzy Hash: 934d06c6e649d7b05f89072ac8af4281f510095ad9f58d6aa06ce107538b6207
Instruction Fuzzy Hash: E531E230B202468FDB58ABB4D4146AF7BE7AFC9610F244568D402EB380DF36DD42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 061F2088 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0047697061dd4ff83c1306469b487824b00531db42584996b49f7029f70b0f9f
Instruction ID: 046479858042ae7ec47328a91badf40f24584966572f69c7614c21299570c6c1
Opcode Fuzzy Hash: 0047697061dd4ff83c1306469b487824b00531db42584996b49f7029f70b0f9f
Instruction Fuzzy Hash: 34317030E1061ADBCB19CFA4D89569EB7B2BF89300F10C959E916EB344DB71ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 061F2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a00cb93c3c0c4f03b0bb3d82c027a244f097ac023d3418dc9282da5f7c43b6
Instruction ID: c606d9e312e6e99d76b056003900abe3119f70a1d076695c5b133c5a0d2128d3
Opcode Fuzzy Hash: 57a00cb93c3c0c4f03b0bb3d82c027a244f097ac023d3418dc9282da5f7c43b6
Instruction Fuzzy Hash: 35315030E2060A9BCB19CFA4D89569EB7B6FF89300F10C959E916EB344DB71AD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 061F5021 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad240199109c9a958dc42bb135f343a6b3d704ceed83f5aeaff0f9703945aaac
Instruction ID: 94b57ebe46343ec45faae6f05f442fd26aac39a54d915acd0a94a038734f948b
Opcode Fuzzy Hash: ad240199109c9a958dc42bb135f343a6b3d704ceed83f5aeaff0f9703945aaac
Instruction Fuzzy Hash: 09317C71E1070A9FDB60CFA9C881BABBBF3FB94210F10492AD259D3640D770A9458B90

Uniqueness

Uniqueness Score: -1.00%

Function 061F3AB0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c2937f4d0ceee9622dd486e02b589230552f6762e6207ae5081d07ba1537e9
Instruction ID: 95ff565449c6492275e9fdf026ac8600efbb1e4721a518f785b43a7bb03fea88
Opcode Fuzzy Hash: 83c2937f4d0ceee9622dd486e02b589230552f6762e6207ae5081d07ba1537e9
Instruction Fuzzy Hash: 2E21AC71F142199FDB01DFA9D880AAEBBF5FB88310F158025E904EB394EB35D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061F3AC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043548c8d1451ecf22ac72bb93514ec877822d1e037962bdcb8d16c3efb41b79
Instruction ID: ce3f95eb9ef639d78e1869e8d9950b18820245effd4806b8593664b7ac3354ea
Opcode Fuzzy Hash: 043548c8d1451ecf22ac72bb93514ec877822d1e037962bdcb8d16c3efb41b79
Instruction Fuzzy Hash: F221AC75F202199FDB51DFA9D890AAEB7F1FB88310F158429EA15EB350EB31D800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0268D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2608986619.000000000268D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0268D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_268d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85afa1db1318c6cbec4ec81ede6b3f3ea7eb2c988413c19d50a7737371f60ed
Instruction ID: a27497cb9d16eb4148d802ef9e858a1de800a1bb1cae72b5bda997ecf7d96ecd
Opcode Fuzzy Hash: a85afa1db1318c6cbec4ec81ede6b3f3ea7eb2c988413c19d50a7737371f60ed
Instruction Fuzzy Hash: CF21C571504284DFDB14EF24D9C0B26BBA5FB84314F24C669E8494B3D6C376D457CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0268D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2608986619.000000000268D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0268D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_268d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3101c1ed0f178b9eef89242c39ad584cdf023ad7de5adbcf1d48766f7eb54ec
Instruction ID: 768ebdab85dfbc85759b0b381fb1ab8ad203634b00f41a29e401f86beea4d318
Opcode Fuzzy Hash: d3101c1ed0f178b9eef89242c39ad584cdf023ad7de5adbcf1d48766f7eb54ec
Instruction Fuzzy Hash: AA216D7150D3C49FC703DF20D994711BF71AB46214F29C6DBD8898B2A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 061F3BD0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6801beacb256f6a80d0e2c27c37ce24626a8770b74024def4c7e3502e841286f
Instruction ID: 97fa343479b36bb157c97b9192a4ccb2e8b45c94c85b179fe09b204a0d4dd74f
Opcode Fuzzy Hash: 6801beacb256f6a80d0e2c27c37ce24626a8770b74024def4c7e3502e841286f
Instruction Fuzzy Hash: 8411A535B181289BCF589B78C8546AE73EAEBC9310F058439D506EB344EF65DC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 061F3E07 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd98d71829c0dbbfe65bb8eadd4ba3fb663748bc8192622d33e2bbb63590f7cf
Instruction ID: 43e28755d098078573ac2a0cfd5cabf5623ef9064ee219b25cd97a9fd2f0783d
Opcode Fuzzy Hash: bd98d71829c0dbbfe65bb8eadd4ba3fb663748bc8192622d33e2bbb63590f7cf
Instruction Fuzzy Hash: F001D231B215104FDB25877E981479BB7EACFC5A10F10887AE51ACB382EA65DC0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 061FEDA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd56a3bfcd2d02cf81ab6984357bee34c07064e6d451bc39f0c3bd63ce8a05d9
Instruction ID: 4cf6c014f690fbd08864cafcb5c4f004e21595553ba834f9a79914325ecb6811
Opcode Fuzzy Hash: fd56a3bfcd2d02cf81ab6984357bee34c07064e6d451bc39f0c3bd63ce8a05d9
Instruction Fuzzy Hash: 3301D871B215106FCB66DB7CE890B6E37D6DBC9610F144875F10ACB391DB25DC024791

Uniqueness

Uniqueness Score: -1.00%

Function 061F3888 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466baa849a0e1f3f65769e7efd624acd5519ec79f4b5fae58795f25808b138cb
Instruction ID: 85ec1053819b863e0cb7da2634acdec15de5641c11a3c307b5f43bee83b02110
Opcode Fuzzy Hash: 466baa849a0e1f3f65769e7efd624acd5519ec79f4b5fae58795f25808b138cb
Instruction Fuzzy Hash: 9721C0B5D01259ABCB10DF9AD884ACEFBF8FB48310F50812AE928B7250D774A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 061FA301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55095e1e31935b5a06177757a5efe374fbeb0307e43158cda24e0cfd6d63b5d8
Instruction ID: 0cf3cc7109471e1a8ea36055cf8fdefd79dfd40337fbabcfc08ae1e412adc6c2
Opcode Fuzzy Hash: 55095e1e31935b5a06177757a5efe374fbeb0307e43158cda24e0cfd6d63b5d8
Instruction Fuzzy Hash: FA018471F10110ABDB61E67CD851B5E73EAEB89710F508429F10ECB341DB29EC018785

Uniqueness

Uniqueness Score: -1.00%

Function 061F3890 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7aee32779d9b0552768754fea33248a858e2ae4b656d9f2d25f0bcf255e4333
Instruction ID: e9a013b26f8be8f3e4e823fd7817d771c67f64d905ee993447c2b0725b1cecff
Opcode Fuzzy Hash: c7aee32779d9b0552768754fea33248a858e2ae4b656d9f2d25f0bcf255e4333
Instruction Fuzzy Hash: 1311AFB5D01259AFCB10DF9AD884ADEFBF4FB48310F50812AE928B7250C774A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 061F3E18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a41cc470351bf07d3a1931ef7d80f715bcfbdbc2e4b1b591162cce6f8f91eb9
Instruction ID: cf7d96c436ba434f23cdb3e23aff375d4dfadf56bd7795575b64619d7fac0b6d
Opcode Fuzzy Hash: 1a41cc470351bf07d3a1931ef7d80f715bcfbdbc2e4b1b591162cce6f8f91eb9
Instruction Fuzzy Hash: 21016D35B204105BDB64966ED85476BB3DADBC9A10F10883AE61EC7386EE65DC0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 061F3BC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b527332a51369ab610d64394f4e9e24b022e230fadef6e741e8027cb8228b0b7
Instruction ID: 485aa009114773860db55a2d4250fb752a36a684abc4c067d8a1609103a3e9fa
Opcode Fuzzy Hash: b527332a51369ab610d64394f4e9e24b022e230fadef6e741e8027cb8228b0b7
Instruction Fuzzy Hash: F7018F76B280259BDB9896B8C9643EB72ABABC8210F454536D206E7384EE65DD0387D0

Uniqueness

Uniqueness Score: -1.00%

Function 061FEDB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6773af198fd9b5773c13a68206e826c264b2107f8a80efe8c57fa76c53b49c
Instruction ID: 8cb43130694980a8083577b6eb3b1e1c383aa9a5d077d01da430001968341ad6
Opcode Fuzzy Hash: 3d6773af198fd9b5773c13a68206e826c264b2107f8a80efe8c57fa76c53b49c
Instruction Fuzzy Hash: 05018131B205106BDB659A3DE854B6E77DADBC9610F108829E20ECB341EF25EC024791

Uniqueness

Uniqueness Score: -1.00%

Function 061FA310 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa494286647fc3fcb5ff2198bf02e9cfb62453f354f93aeb3f5d0dfa42416f8d
Instruction ID: 873ae6a58e6d0137505e81f4dc509dacb1dabe0dc1202407775753507bbe8975
Opcode Fuzzy Hash: aa494286647fc3fcb5ff2198bf02e9cfb62453f354f93aeb3f5d0dfa42416f8d
Instruction Fuzzy Hash: 8C013131F201109BDB65E67CD851B6E73E6EB89710F108839E51FCB344DB29EC018785

Uniqueness

Uniqueness Score: -1.00%

Function 061F6440 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc23c70fef2a85e62a796a100a629376bdab36bc9470df63dc44197ff4ba12f
Instruction ID: 8afff116c005b032a773c86d41f0820ff48556b1aa809a2001ed6c6518115064
Opcode Fuzzy Hash: 8dc23c70fef2a85e62a796a100a629376bdab36bc9470df63dc44197ff4ba12f
Instruction Fuzzy Hash: 310181218393945FDB41DFB89D613CA3B64AF82218F1505E3C448CF243E2258948C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 061FC7F8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ec2e36966c36e3a2c9e4201699b96eef934909fcddc14e1225ffd28e04ee28
Instruction ID: 730f37d1e94d5328bf78e499c493c93821f0b1c81086ac98c9fb84c9face05c5
Opcode Fuzzy Hash: 24ec2e36966c36e3a2c9e4201699b96eef934909fcddc14e1225ffd28e04ee28
Instruction Fuzzy Hash: 6901C832F20229ABCF189B69E84469E777AFB85750F004579EA15EB344EB31A805DBC0

Uniqueness

Uniqueness Score: -1.00%

Function 061F4661 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95d15f49fbdd775b4a13bedb3f9b357fc43f877f20a045951680ddd8b66171e
Instruction ID: 4934b8636c92984fafcff305cd46d4025f2287c288e1558e9ded44a48fa0ad41
Opcode Fuzzy Hash: f95d15f49fbdd775b4a13bedb3f9b357fc43f877f20a045951680ddd8b66171e
Instruction Fuzzy Hash: D2F0D430E20259DFDB14DF94E899BAEBBB2BF48711F200619E506A7291CBB41C45DFC0

Uniqueness

Uniqueness Score: -1.00%

Function 061F6488 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2617816062.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_61f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d138504dca74f90a75ddfacdebe15f7230bae778fd5490481d6a20d0052fadb2
Instruction ID: 448bf48c334dd88432643b18abba8d09bab6505d958f0dba0d01f22f04927ef4
Opcode Fuzzy Hash: d138504dca74f90a75ddfacdebe15f7230bae778fd5490481d6a20d0052fadb2
Instruction Fuzzy Hash: 47E01271E3410CABDF50EFB4DA5575E77BDDB82214F2089A5D509C7201E376DA0187C0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Dhl Express Shipping Docs .pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dhl Express Shipping Docs .pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emaGqYHYeYNHas.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fnrznbs.oej.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqje4zow.aau.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cssatfbo.obw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dn3rgoyt.hbf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5zksprv.qqh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iynhucx1.oni.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kaffcvxv.x3r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uixhcj4c.avk.psm1

C:\Users\user\AppData\Local\Temp\tmpB967.tmp

Windows Analysis Report
Dhl Express Shipping Docs .pdf.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre