Edit tour

Windows Analysis Report
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Overview

General Information

Sample name:	DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Analysis ID:	1432022
MD5:	840cbf490ce0600e1057f72949a37c73
SHA1:	151c7c81a8f1e9dd889eef12e8c4ca6749495dac
SHA256:	b09a0b160629c46cd40123518cf4beed875c630f8836e2fea5d894c43fd58093
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SGDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe" MD5: 840CBF490CE0600E1057F72949A37C73)

powershell.exe (PID: 6880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2728 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4364 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5560 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 4196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 1400 MD5: C31336C1EFC2CCB44B4326EA793040F2)

LJAGvecDW.exe (PID: 2744 cmdline: C:\Users\user\AppData\Roaming\LJAGvecDW.exe MD5: 840CBF490CE0600E1057F72949A37C73)

schtasks.exe (PID: 1444 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5656 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 3328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1760 MD5: C31336C1EFC2CCB44B4326EA793040F2)

boqXv.exe (PID: 5264 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

boqXv.exe (PID: 2360 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.clslk.com", "Username": "gm@clslk.com", "Password": "NUZRATHinam1978"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2413879455.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2353913822.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2413879455.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.3497093745.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.3497093745.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2359343012.00000000071F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5560	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LJAGvecDW.exe PID: 2744	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5656	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6eb8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ecaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ed86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eeac:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", ParentImage: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ParentProcessId: 6532, ParentProcessName: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", ProcessId: 6880, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5560, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\LJAGvecDW.exe, ParentImage: C:\Users\user\AppData\Roaming\LJAGvecDW.exe, ParentProcessId: 2744, ParentProcessName: LJAGvecDW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp", ProcessId: 1444, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.253.239, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5560, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49721

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", ParentImage: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ParentProcessId: 6532, ParentProcessName: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp", ProcessId: 4364, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", ParentImage: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ParentProcessId: 6532, ParentProcessName: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", ProcessId: 6880, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe", ParentImage: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ParentProcessId: 6532, ParentProcessName: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp", ProcessId: 4364, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.6 - Destination IP: 50.87.253.239

Timestamp:	04/26/24-10:06:29.016387
SID:	2839723
Source Port:	49721
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 50.87.253.239

Timestamp:	04/26/24-10:06:29.016387
SID:	2030171
Source Port:	49721
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 50.87.253.239

Timestamp:	04/26/24-10:06:40.359218
SID:	2030171
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.6 - Destination IP: 50.87.253.239

Timestamp:	04/26/24-10:06:40.359218
SID:	2839723
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mail.clslk.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe

Avira: detection malicious, Label: HEUR/AGEN.1305452

Found malware configuration

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.clslk.com", "Username": "gm@clslk.com", "Password": "NUZRATHinam1978"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Virustotal: Detection: 51%			Perma Link

Multi AV Scanner detection for submitted file

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Virustotal: Detection: 51%			Perma Link
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	ReversingLabs: Detection: 44%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Joe Sandbox ML: detected

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: oZr.pdb source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr, LJAGvecDW.exe.1.dr
Source:	Binary string: System.Data.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.pdbx source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: RegSvcs.pdb, source: boqXv.exe, 00000012.00000000.2398561366.0000000000F92000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source:	Binary string: oZr.pdb> source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.pdb(N source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: RegSvcs.pdb source: boqXv.exe, 00000012.00000000.2398561366.0000000000F92000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source:	Binary string: System.Data.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdbH source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Windows.Forms.pdbPq source: WER6D7D.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Data.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.pdb< source: WER6D7D.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdbMZ source: WER6D7D.tmp.dmp.12.dr
Source:	Binary string: Accessibility.pdb< source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdb$ source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: oZr.pdbSHA2560Q source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, LJAGvecDW.exe.1.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Data.pdb, source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49721 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:49721 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49731 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:49731 -> 50.87.253.239:587

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49721 -> 50.87.253.239:587

Source: Joe Sandbox View

IP Address: 50.87.253.239 50.87.253.239

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.6:49721 -> 50.87.253.239:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.clslk.com

Source: RegSvcs.exe, 00000009.00000002.2413879455.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000014.00000002.3497093745.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.clslk.com
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353195129.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, LJAGvecDW.exe, 0000000D.00000002.2446819021.000000000279D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, umlRMRbjNqD.cs	.Net Code: fKv0R
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, umlRMRbjNqD.cs	.Net Code: fKv0R

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_05041808	1_2_05041808
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_050417F8	1_2_050417F8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0702A688	1_2_0702A688
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07029CC8	1_2_07029CC8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07026CD8	1_2_07026CD8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_070239C0	1_2_070239C0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0702C378	1_2_0702C378
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0702C388	1_2_0702C388
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0702A3E0	1_2_0702A3E0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0702A3F0	1_2_0702A3F0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07027271	1_2_07027271
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07027280	1_2_07027280
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07029CB8	1_2_07029CB8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07349BC0	1_2_07349BC0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07347A20	1_2_07347A20
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0734C900	1_2_0734C900
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0734AA60	1_2_0734AA60
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0734BED0	1_2_0734BED0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0734F148	1_2_0734F148
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07340006	1_2_07340006
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07340040	1_2_07340040
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0734D8A8	1_2_0734D8A8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_0734BC88	1_2_0734BC88
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E7728	1_2_073E7728
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073EB6F0	1_2_073EB6F0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E3560	1_2_073E3560
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E4C08	1_2_073E4C08
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E2CF0	1_2_073E2CF0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E4BF8	1_2_073E4BF8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E3128	1_2_073E3128
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_073E5040	1_2_073E5040
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_078FC550	1_2_078FC550
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_078FE6F0	1_2_078FE6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0131A3D8	9_2_0131A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0131D658	9_2_0131D658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01319810	9_2_01319810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01314AD0	9_2_01314AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01313EB8	9_2_01313EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01314200	9_2_01314200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0652B5A0	9_2_0652B5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06529F6C	9_2_06529F6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06530E60	9_2_06530E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06539F80	9_2_06539F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_065343F8	9_2_065343F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06533398	9_2_06533398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06535B80	9_2_06535B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06539038	9_2_06539038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0653C1A0	9_2_0653C1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_065354A0	9_2_065354A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06533AF0	9_2_06533AF0
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_025C1CC4	13_2_025C1CC4
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_025C01A0	13_2_025C01A0
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_025C0B50	13_2_025C0B50
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_025C0B60	13_2_025C0B60
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_025C2B11	13_2_025C2B11
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_02601808	13_2_02601808
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_026017F8	13_2_026017F8
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_04D3C550	13_2_04D3C550
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_04D3E6F0	13_2_04D3E6F0
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DB7A20	13_2_06DB7A20
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DB9BC0	13_2_06DB9BC0
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DBC900	13_2_06DBC900
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DBBED0	13_2_06DBBED0
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DBAA60	13_2_06DBAA60
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DBBC88	13_2_06DBBC88
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DBD8A8	13_2_06DBD8A8
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DB0040	13_2_06DB0040
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DB0007	13_2_06DB0007
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DBF148	13_2_06DBF148
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B910B	13_2_084B910B
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B5040	13_2_084B5040
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084BA958	13_2_084BA958
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B3128	13_2_084B3128
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B4BF8	13_2_084B4BF8
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B83B8	13_2_084B83B8
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B4C08	13_2_084B4C08
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B2CF0	13_2_084B2CF0
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_084B3560	13_2_084B3560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_051ED650	20_2_051ED650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_051EA3D0	20_2_051EA3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_051E3EB8	20_2_051E3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_051E4AD0	20_2_051E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_051E4200	20_2_051E4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063AB5A0	20_2_063AB5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063A9D54	20_2_063A9D54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B9F80	20_2_063B9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B5B80	20_2_063B5B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B43F8	20_2_063B43F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B902B	20_2_063B902B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B0040	20_2_063B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063BE190	20_2_063BE190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063BC460	20_2_063BC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B54A0	20_2_063B54A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B3ADB	20_2_063B3ADB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_063B3398	20_2_063B3398

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 1400

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2361303192.0000000007350000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353195129.0000000002B02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000000.2238446670.00000000006D0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameoZr.exe. vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2358846503.0000000006F95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2352092660.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Binary or memory string: OriginalFilenameoZr.exe. vs DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LJAGvecDW.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, v9Lsz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, VFo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, 5FJ0H20tobu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, NtdoTGO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, XBsYgp.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, AwxUa2Na.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, Y5gZfkJXWveVrlnV3i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, pG8amSqlnJ4quD2sgH.cs	Security API names: _0020.SetAccessControl
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, pG8amSqlnJ4quD2sgH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, pG8amSqlnJ4quD2sgH.cs	Security API names: _0020.AddAccessRule

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.2ad68cc.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7220000.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.2ac652c.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/28@1/1

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

File created: C:\Users\user\AppData\Roaming\LJAGvecDW.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2744
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

File created: C:\Users\user\AppData\Local\Temp\tmp87CB.tmp

Jump to behavior

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Virustotal: Detection: 51%
Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

File read: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 1400
Source: unknown	Process created: C:\Users\user\AppData\Roaming\LJAGvecDW.exe C:\Users\user\AppData\Roaming\LJAGvecDW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1760
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp"
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: oZr.pdb source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr, LJAGvecDW.exe.1.dr
Source:	Binary string: System.Data.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: Accessibility.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.pdbx source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: RegSvcs.pdb, source: boqXv.exe, 00000012.00000000.2398561366.0000000000F92000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source:	Binary string: oZr.pdb> source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.pdb(N source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: RegSvcs.pdb source: boqXv.exe, 00000012.00000000.2398561366.0000000000F92000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source:	Binary string: System.Data.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Configuration.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdbH source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Windows.Forms.pdbPq source: WER6D7D.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: mscorlib.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Data.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Xml.pdb< source: WER6D7D.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.pdbMZ source: WER6D7D.tmp.dmp.12.dr
Source:	Binary string: Accessibility.pdb< source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Drawing.pdb$ source: WER93E1.tmp.dmp.22.dr
Source:	Binary string: oZr.pdbSHA2560Q source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, LJAGvecDW.exe.1.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Data.pdb, source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.ni.pdb source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6D7D.tmp.dmp.12.dr, WER93E1.tmp.dmp.22.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, pG8amSqlnJ4quD2sgH.cs

.Net Code: jtYClDwqj2 System.Reflection.Assembly.Load(byte[])

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Static PE information: 0xF3ED4585 [Sun Sep 6 21:28:37 2099 UTC]

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_07343E3A push ds; ret	1_2_07343E3B
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Code function: 1_2_078F7E88 pushad ; iretd	1_2_078F7E91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0652FD30 push es; ret	9_2_0652FD40
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_04D37E88 pushad ; iretd	13_2_04D37E91
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Code function: 13_2_06DB3E3A push ds; ret	13_2_06DB3E3B

Source: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Static PE information: section name: .text entropy: 7.954566370427042
Source: LJAGvecDW.exe.1.dr	Static PE information: section name: .text entropy: 7.954566370427042

Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, FQjI6xswpurevFyFrHc.cs	High entropy of concatenated method names: 'TaR04YGBWa', 'JE60rW2lwN', 'x9P0loTJFg', 'j2Y061B2Pm', 'WTS0jrC5Di', 'sb30fHsMys', 'YRg0b1cPQP', 'Tbv0JUSP9m', 'UiK0csHUtB', 'BKM0kRrSva'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, j8KIOynUvUE6avXM9q.cs	High entropy of concatenated method names: 'a5cE5JhV0y', 'O0kEmuusm4', 'NBpE8McgXp', 'xmV8tuZ00P', 'ehL8zTgoyZ', 'OE3Ewt6Rq7', 'nkZEsWa06H', 'MPvEgOPMra', 'kWdEKmUiy2', 'q7BECOE50G'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, aUXYCqtwfT655GPHKy.cs	High entropy of concatenated method names: 'V4I0ssK2j6', 'iqG0KvbGnL', 'Eas0CMhmiU', 'srF05XMIo2', 'ybG0uKyBeB', 'fO10MO0xMx', 'INM08CaMx7', 'W0iNYBZ60E', 'fTGNHJ7mbu', 'MLfNdXwkB2'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, BO2pWNVo2dQDk4L5AL.cs	High entropy of concatenated method names: 'i1R8URcB7n', 'cps8ukfh0q', 'vmd8MUCSRh', 'Maw8Ees7oi', 'MeP8qYbdyf', 'DFqMxM5lU4', 'EnLMBqq6Lf', 'TkKMYEBqnZ', 'FqvMHdCBsV', 'cBdMdmYaBa'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, pG8amSqlnJ4quD2sgH.cs	High entropy of concatenated method names: 'g3kKUEi0kL', 'EexK5Km5BK', 'hiSKu5l7US', 'BPuKmFvxLr', 'pLNKMUCu0E', 'PHdK8hPbmC', 'rV8KEXanZx', 'zaqKqEUHg5', 'Y3YKyGuJ3v', 'VsLKpoNoV9'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, Dyi1eossp9DjXPSKtmZ.cs	High entropy of concatenated method names: 'ToString', 'aBMDKU3YAH', 'IcqDC9B0d4', 'AjoDUZ9FWQ', 'zwWD5OtHYM', 'CDqDucI4pk', 'Wg0DmbYfL4', 'undDME2mdO', 'GNBuZcrBmeyVPIG4W4P', 'WtkCH8rIx9p0wrbp1N2'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, SSUKlkc9axQbVVUYQj.cs	High entropy of concatenated method names: 'tSJm60lQ9B', 'qGcmfS55yP', 'YRamJljIdl', 'QosmcyP9YV', 'qs4mvd59Yf', 'Hu3mGlCk1g', 'NtvmFubWBr', 'NjbmNXq5pc', 'eQIm0cXkp6', 'Im6mDSFvlU'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, PMN4xKPUAJtFCI5QgV.cs	High entropy of concatenated method names: 'Fu8FpBnCt7', 't1UFXh190g', 'ToString', 'oeHF5qxWuY', 'fBcFuPQYwZ', 'sGLFmT9aSf', 'OpDFMsvEFD', 'LwDF8juNLg', 'WM4FEdQm9c', 'f83FqpcH9E'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, wg8p4uLkAXM2VBKjl5.cs	High entropy of concatenated method names: 'ToString', 'qVSGWr5qJ9', 'tAAGeW69dc', 'rlFGSqraJc', 'KT1GIYlwrZ', 'rSGGAwI2GA', 'mjsG7hpvF8', 'YR3Gn0Qkx3', 'q9kGZ9DhNU', 'nLMG1WVoex'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, tl2aMA934ntNhTkLCI.cs	High entropy of concatenated method names: 'RLmvaCp025', 'jiKvRlZVVZ', 'VVyv9N3jeP', 'mAwvTjl3i8', 'oZXvemKQLp', 'CuqvS8OCnQ', 'G40vIdTJJ1', 'twavAQASWN', 'KP1v74Ofux', 'JkHvnb6exE'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, T4WMKYhPVCAIdTeZWR.cs	High entropy of concatenated method names: 'H8O3JpoJpZ', 'oca3cT660v', 'Yyg3VCU5ql', 'dxL3ebfctR', 'CSw3IhRwdU', 'o2R3AIjGTJ', 'bh73nDb7gi', 'TdC3ZlfnGw', 'Si63aXytfh', 'f3J3Wau9kV'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, FUNVgrCo3A2OAg79xZ.cs	High entropy of concatenated method names: 'q5tsE5gZfk', 'nWvsqeVrln', 'E9aspxQbVV', 'eYQsXjC67H', 'xdosvV5fO2', 'mWNsGo2dQD', 'uVaqmUQNJ5sB4IKWet', 'xR8HX1iPMaxy2RjvWO', 'aYasswksxX', 'LuUsKRu6hY'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, d67HrGkKQkART4doV5.cs	High entropy of concatenated method names: 'ITrMjXGD6v', 'rRjMbiCYl5', 'U4umSpdWRi', 'MLYmIMhHwa', 'avmmAwi1GJ', 'wX0m7HpXcQ', 'JpFmnEGnAo', 'sgCmZDo0yf', 'TaNm17Ynmj', 'mLSma8g9DN'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, TRjKYPgmr4NNIidoLj.cs	High entropy of concatenated method names: 'yi1lfgMB2', 'VlY62I1Vv', 'fRffswoGl', 'DP7bhYhYD', 'gcHcW3x80', 'J5GkehBHH', 'UHdoQLfGlDFexkPWVW', 'tdkknV4RIKC0xLVZlg', 'eYxN2VaHh', 'WTuDG1xpL'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, Pnsbg1sK7lr0S11sX87.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OqgD9QjnaM', 'PjrDTiwK7C', 'vTkDLqoyn1', 'ztUDPyVqqD', 'aMaDxrKTfZ', 'NSlDBACiEL', 'tC8DY0OTop'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, Y5gZfkJXWveVrlnV3i.cs	High entropy of concatenated method names: 'KI2u9A8Ee6', 'UsiuTAtGc3', 'NRouL1N21d', 'PEluPZkRxb', 'nILuxD6fud', 'E6HuBK5aaZ', 'UOauYJGDYt', 'rCxuHaTyIk', 'j4dud7gA5b', 'kmXutJn61N'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, gtcrRxH52rIVWQSJlQ.cs	High entropy of concatenated method names: 'dWLN5yvta7', 'x3FNubpG1Y', 'kLiNmIKfHf', 'AnkNMiKces', 'NaGN8fHRF5', 'vGMNEuopwH', 'cExNq0w6O8', 'GFhNywZpf3', 'gBFNpWq9i5', 'k2hNXwnxqG'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, kCEvdfBXVjP5RGAHJe.cs	High entropy of concatenated method names: 'p87FHcClqE', 'DVtFt9xnlK', 'IFpNwkVdMQ', 'pU2Nsgl2dT', 'lmdFWaQc8q', 'WskFR4KPOx', 'D7YFhY4jBp', 'jWDF9KWUXL', 'CFqFT0JHa2', 'z61FLWotUB'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, mjuNBZ1EFXVl4IlIcE.cs	High entropy of concatenated method names: 'HkME4ISx4C', 'JC7Erlh785', 'WMZEl7wyPU', 'zA6E6HOKxo', 'duZEjeEoW6', 'nrFEfYi7Ry', 'VWNEbuHh1F', 'gIGEJlMLqf', 'BYbEcU14x9', 'eNFEkp0JYl'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, hDQ0TDdW0HH4oWZIbA.cs	High entropy of concatenated method names: 'aX6NVnPpyU', 'Rg7NefD9KN', 'v5bNSqp0sq', 'InjNIkj3Rb', 'ShFN9kNVyG', 'PQgNA5jsBg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.7350000.8.raw.unpack, pN8dXwurL9ll7OKPvM.cs	High entropy of concatenated method names: 'Dispose', 'WDIsdbbauQ', 'X1pgeyy5IM', 'hjg22Wh0Qv', 'KutstcrRx5', 'trIszVWQSJ', 'ProcessDialogKey', 'zQMgwDQ0TD', 'O0HgsH4oWZ', 'IbAggwUXYC'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: \dhl - overdue account notice - 1301669350.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	File created: C:\Users\user\AppData\Roaming\LJAGvecDW.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LJAGvecDW.exe PID: 2744, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: 9060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: 7A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: A060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: B060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: B590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: 9060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: AF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: 2720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: 8680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: 6EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: 9680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: A680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: AB90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: 8680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 17B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 30E0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Code function: 1_2_078FF508 sgdt fword ptr [edi]

1_2_078FF508

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2780	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4487	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 517	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2128	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 894	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3019

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4616	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 2184	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99574	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99458	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98689	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000009.00000002.2413533818.0000000001448000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000014.00000002.3506077772.0000000006260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: LJAGvecDW.exe, 0000000D.00000002.2452107240.0000000006C24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe"
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E1C008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D62008

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp"
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Queries volume information: C:\Users\user\AppData\Roaming\LJAGvecDW.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LJAGvecDW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5656, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2353913822.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2359343012.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5656, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.46a9af0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.466ead0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5656, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.71f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.3a79970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2353913822.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2359343012.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	161 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	51%	Virustotal		Browse
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	100%	Avira	HEUR/AGEN.1305452
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\LJAGvecDW.exe	100%	Avira	HEUR/AGEN.1305452
C:\Users\user\AppData\Roaming\LJAGvecDW.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\LJAGvecDW.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\LJAGvecDW.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.clslk.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://mail.clslk.com	100%	Avira URL Cloud	malware
http://mail.clslk.com	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.clslk.com	50.87.253.239	true	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.12.dr	false		high
http://mail.clslk.com	RegSvcs.exe, 00000009.00000002.2413879455.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000014.00000002.3497093745.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://account.dyn.com/	DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe, 00000001.00000002.2353195129.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, LJAGvecDW.exe, 0000000D.00000002.2446819021.000000000279D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.253.239	mail.clslk.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432022
Start date and time:	2024-04-26 10:05:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/28@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 252 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target boqXv.exe, PID 2360 because it is empty
Execution Graph export aborted for target boqXv.exe, PID 5264 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:06:19	API Interceptor	1x Sleep call for process: DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe modified
10:06:23	API Interceptor	40x Sleep call for process: powershell.exe modified
10:06:24	Task Scheduler	Run new task: LJAGvecDW path: C:\Users\user\AppData\Roaming\LJAGvecDW.exe
10:06:25	API Interceptor	37x Sleep call for process: RegSvcs.exe modified
10:06:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
10:06:27	API Interceptor	1x Sleep call for process: LJAGvecDW.exe modified
10:06:29	API Interceptor	2x Sleep call for process: WerFault.exe modified
10:06:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
50.87.253.239	2UHM2qaBWc.exe	Get hash	malicious	FormBook	Browse	www.nzhorrorfan.com/g22y/?7nr=UlSpjty&DVo=duzldioexDDlB4DMbPZnZ3oFioc8ODg8sXLpFdRenDAB6KcB0Wl7OltmwVmSQUiOOLKB
	SD 1476187 85250296 MV ORIENT GLORY.xlsx	Get hash	malicious	FormBook	Browse	www.180cliniconline.com/aky/?pL08=Cv0e5xcycHu/jj9c+Bm6TZuJ2sSpc7+qQNv7jFIv1TirEUN5Q8TsPaCd/DQVlMEaxK1KhA==&PJ=zXd8_XtXO
	yaQjVEGNEb.exe	Get hash	malicious	FormBook	Browse	www.180cliniconline.com/aky/?3fcl7=Cv0e5xc3cAu7jzxQ8Bm6TZuJ2sSpc7+qQN3r/GUuxziqElh/XsCgZe6f8m8p+swp+Lg6&9r4LE=B8xX4PgPJ2gdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.clslk.com	DHL_1003671162.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	I-IN-6757165752-DEL983527_20240416074318.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	SecuriteInfo.com.PWSX-gen.32561.14552.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	DN.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	SecuriteInfo.com.Win32.TrojanX-gen.32302.18886.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	SecuriteInfo.com.Trojan.MulDropNET.68.28054.3825.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	Consignment 5059367692.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	DHL - 1ST PAYMENT REMINDER - 1003671162.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	5059367692.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	5059367692.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.253.239

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	SOA FOR APR 2024 PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.195.61
	INQ No. HDPE-16-GM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.240.81.18
	DOC-Zcns1G_.html	Get hash	malicious	HTMLPhisher	Browse	192.232.216.145
	DOC-Zcns1G_.html	Get hash	malicious	HTMLPhisher	Browse	192.232.216.145
	DOC-Zcns1G_.html	Get hash	malicious	HTMLPhisher	Browse	192.232.216.145
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	192.185.214.24
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	162.241.120.242
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	162.241.120.242
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/o76fri/enpmZG9tbF9zdXBlcnZpc29yMXN0X2Fzc2lzdGFudEBmZC5vcmc=	Get hash	malicious	HTMLPhisher	Browse	162.241.120.242
	https://pub-02d879d6055b4f31b3db7cbbb1499011.r2.dev/%60%60~~~%5D%5D%5D%5D%5D.html#theunis@khk.co.za	Get hash	malicious	HTMLPhisher	Browse	162.241.27.10

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	TYPE_C_31_M_12 TAMAR 25.4.2024.exe	Get hash	malicious	AgentTesla	Browse
	Total Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	62402781, Fiyat Teklif Talebi.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	CREDIT NOTE.exe	Get hash	malicious	AgentTesla	Browse
	Total Invoices.exe	Get hash	malicious	AgentTesla	Browse
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse
	CAHKHCM2404009CFS.exe	Get hash	malicious	AgentTesla	Browse
	FAR.N_2430-240009934.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KN5M2K4GWI0PYGPD_7bface649acb4a5ac8b8c5eb3fa345c55bbcc55f_6ddcc831_e065b1b5-2f12-4cbf-afc1-37e3179d3098\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3192452659091853
Encrypted:	false
SSDEEP:	192:a+79VetkFaAv+0BU/6aOOJo1ZrFqq6zuiFPZ24IO8u:B9Fa6BU/6aJRZzuiFPY4IO8u
MD5:	18C8807BF363CDB82A790BB8B6FFEA58
SHA1:	01B6D616C0C29A1FC6B8E0446344EA3D9874AAFF
SHA-256:	2C76E89A3112A47B95A06FA53D4E1B8790D4315C8AE1130DB911814FD378E7B7
SHA-512:	058FB8AD4C8845EB479AF62968DB3415BB61BF22FCBC2FD75F182282AA88760DC59AFF50A7201BB49B7EF664A2731E0DF9DC7682AE59C8EFD4B83EE75D12845B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.2.3.8.6.1.4.1.3.8.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.2.3.8.7.2.6.6.3.6.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.6.5.b.1.b.5.-.2.f.1.2.-.4.c.b.f.-.a.f.c.1.-.3.7.e.3.1.7.9.d.3.0.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.c.6.9.6.1.c.-.1.4.9.e.-.4.0.7.7.-.a.a.1.b.-.9.1.3.8.c.b.e.e.d.0.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.H.L. .-. .O.V.E.R.D.U.E. .A.C.C.O.U.N.T. .N.O.T.I.C.E. .-. .1.3.0.1.6.6.9.3.5.0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.o.Z.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.4.-.0.0.0.1.-.0.0.1.5.-.0.c.e.7.-.b.5.9.d.b.0.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.d.0.9.f.a.7.0.9.b.3.8.6.4.b.e.2.5.6.d.c.c.0.c.4.2.4.1.3.3.1.5.0.0.0.0.0.0.0.0.!.0.0.0.0.1.5.1.c.7.c.8.1.a.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LJAGvecDW.exe_832a725c84dc7e8e3d76e7274e65236eca5dcd_4d380c1c_19f9609d-8e2b-4b9e-a3c0-f528eeb6c484\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2843380745914814
Encrypted:	false
SSDEEP:	192:6h07HkneNRk8w1O7v+0BU/HlkauOJo1ZrFqyozuiFPZ24IO8fet:57E31IBU/aapRTzuiFPY4IO8W
MD5:	27176EAB4D4D1E8BCEC170509D989E81
SHA1:	CBC4F295575384FDA04D8776DA5C8E1750CFB713
SHA-256:	81A248483A85BFA8DF9168EA1332D891D3C3C17BC591500678D57C02DF9867D0
SHA-512:	D941CE183D72C2A930F2EC92F6CAED6F7EE6BBC769B63F56881BF41545BA126439554814905F4BBDCD369BE9ADA22FF422F695780F9779B3AE45C865F04BF8FF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.2.3.9.5.4.7.8.1.6.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.2.3.9.7.2.2.8.1.5.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.f.9.6.0.9.d.-.8.e.2.b.-.4.b.9.e.-.a.3.c.0.-.f.5.2.8.e.e.b.6.c.4.8.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.8.8.a.6.0.9.-.b.b.d.f.-.4.8.c.f.-.a.9.f.c.-.a.2.2.8.0.0.5.d.a.0.d.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.J.A.G.v.e.c.D.W...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.o.Z.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.b.8.-.0.0.0.1.-.0.0.1.5.-.0.3.3.7.-.8.2.a.2.b.0.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.d.0.9.f.a.7.0.9.b.3.8.6.4.b.e.2.5.6.d.c.c.0.c.4.2.4.1.3.3.1.5.0.0.0.0.0.0.0.0.!.0.0.0.0.1.5.1.c.7.c.8.1.a.8.f.1.e.9.d.d.8.8.9.e.e.f.1.2.e.8.c.4.c.a.6.7.4.9.4.9.5.d.a.c.!.L.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D7D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 08:06:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	360546
Entropy (8bit):	4.081705367550406
Encrypted:	false
SSDEEP:	6144:jd/7vhv1VEiEEWVj4AT8peYTgbTheMPvy:j55v1kX1YTgeMH
MD5:	C5032B3ED081312EDFD1588703E7C097
SHA1:	CFEE6A4D2011A19755F7AC35F753F4477B49E738
SHA-256:	B7979DBC2B19861D009ED4DE9BEA7CA8D3A0B38CD4C9A497ABF6508E4F713AC9
SHA-512:	4FD013746265364198138E3A329AC3F319E8BA6C45D5E18770D2759B216C6CB3DF556B4FD0D0A749B1DE18C1E8E10C25E361EA5B8ED484115ECB9497A496254A
Malicious:	false
Preview:	MDMP..a..... ........`+f.........................#..........$....-......T0..Xh..........`.......8...........T...........(G..:9...........-.........../..............................................................................eJ......p0......GenuineIntel............T...........y`+f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER706C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8504
Entropy (8bit):	3.71396809981572
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+16zP6Y2D7SUAxOfgmfZ56prm89b8SsfXb0m:R6lXJM6b6Y2SUAx+gmfX48Rfd
MD5:	C5335539E642EB9C615937234808A939
SHA1:	39D3B5744BB7C2D75B2F6FB1D12A4A1F33F031ED
SHA-256:	4249D7E3B04C97146FEF8DB1C45A3187DC038A5E8441F7007C13E319834F2B53
SHA-512:	BE63EE582BA4280F130C847FBB85C91AEB30DCEE522EEED4716689EEA9DB3C749C6A24FA3B6F97E3C220E8CABD6F9323E4D7C30365D00E00148446585FB704B4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70BB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4865
Entropy (8bit):	4.574317774614031
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg77aI9zEVWpW8VYMLYm8M4JFe8FqkU+q8veem2D3iHd:uIjfHI7hEk7VtOJKkUK82D3Md
MD5:	B870A6F65449F919104FDC570F55C609
SHA1:	D4170B1FBD72FE15EA45A01DDA3F49A1EFFD2D54
SHA-256:	C88EDC2028D0D3D3DD6228B1ABD975D7523B99BC90DB653025AADC696A0552FD
SHA-512:	FAF53EF1E7AAC67F7CE214F14C3619E15C842737FE72109260CDE9AFD39FE57E8CAE70287C04E8E8C7457B31D9AF8737E7AF89F29C6BDD1FB4C1D7B7E55E5302
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296589" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93E1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 08:06:36 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	356074
Entropy (8bit):	4.076411196391038
Encrypted:	false
SSDEEP:	3072:DUmi1x96g4apxzdEUyIhSHe/d4SU4uEqYr7LfVnCWLTgfM+qIIyr1tsKiX:DJE9x5xzdrheQU4b7LfVHTg5FIyfsXX
MD5:	FC90271CECEE30ADF16D70C1761B93CA
SHA1:	3B156254A32F62E1EF399141CFF9512CC1D086BF
SHA-256:	A96C9A584FBE11EA173A389F000F28054196377A1CA17E8791C2F4C9927775FB
SHA-512:	955F768857789E310955A7F0EC73A328FF6698CEE89FF4A2FF9D7F7F5F0CA954FEDE179651710FC42EB23EBB335C10E36FDBCFC6936E62F8485C02E6CF56A224
Malicious:	false
Preview:	MDMP..a..... ........`+f........................t#..........<...\-......./...g..........`.......8...........T........... E...)...........-.........../..............................................................................eJ.......0......GenuineIntel............T............`+f............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96FF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6384
Entropy (8bit):	3.7222245590318335
Encrypted:	false
SSDEEP:	192:R6l7wVeJF9O6gE9YZpF6prg89btcsfpxvm:R6lXJG6hY16tvfpE
MD5:	0967B89F2C1F5B328A3076BBAAF21190
SHA1:	061E788E525BCBB890013765A872E572D46A9F01
SHA-256:	69B48210817EC0D3169F1810F74D90721328BF5E3B974370B388B8634F19315F
SHA-512:	61784B4CEFA35011A4F946581AE0C7BCB1C4A6E83F64D5DE61147A770DB92CEB1739197C1CD827D6F2DEF55224F7E999504598A4F61CA622F01BDDF3B32BB954
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER975D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4731
Entropy (8bit):	4.4697981657723584
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg77aI9zEVWpW8VYjYm8M4JUQRe8FI9C+q8viRe22htfHd:uIjfHI7hEk7VjJUQbKij2ht/d
MD5:	7FC62174713C29564DE18A32C429910A
SHA1:	2B6F74990B275B599E8E2453461CA899F5F88583
SHA-256:	863D7CA025652B7EF5C6984FD99C705483BDF3445C7257547A9A71893973EA7B
SHA-512:	5C3A387399C948ED1DC50B3107FF665CD4FA014327511549D439E5EE2AA90AD07A24D72CEB1E5AE531B1CB82777F3B787E277484B1F64B700CFDCE03FD9DCEE1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296589" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.log

Download File

Process:	C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LJAGvecDW.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\LJAGvecDW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmpcqmml.uam.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibdnocms.0e0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k512x23z.gbm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovmymys3.fdz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uruf5iq5.hb1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whjysj2c.rds.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeqvqlsp.toa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yq5fpoaw.4fa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp87CB.tmp

Download File

Process:	C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.097363318585517
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLYkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT80v
MD5:	B6BF1574914D5030ACAF60C0EF3384C8
SHA1:	E8AB7FE69CBEB0BCDC9588FC445C8AB16362D01F
SHA-256:	CD51388055262B02A5DEAF19EFC4C6894D58911B0579343C9DD6420E185C87F6
SHA-512:	73311CA1CD0A4AF0511CB0D1D4767BDC0E300C9BA3AD986867EBF6D02989162B405680AC1BE8CBA47070329E720DBFFB66F651462153DDADB470A0C89FF662E2
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpA44C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\LJAGvecDW.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.097363318585517
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLYkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT80v
MD5:	B6BF1574914D5030ACAF60C0EF3384C8
SHA1:	E8AB7FE69CBEB0BCDC9588FC445C8AB16362D01F
SHA-256:	CD51388055262B02A5DEAF19EFC4C6894D58911B0579343C9DD6420E185C87F6
SHA-512:	73311CA1CD0A4AF0511CB0D1D4767BDC0E300C9BA3AD986867EBF6D02989162B405680AC1BE8CBA47070329E720DBFFB66F651462153DDADB470A0C89FF662E2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\LJAGvecDW.exe

Download File

Process:	C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	881664
Entropy (8bit):	7.595213133553131
Encrypted:	false
SSDEEP:	12288:0YIPXjD9Mo4ALYp92DzclnPtgmDHTtI24666LZwzcu+UEkwE6eeE2:0YIPiEYpQUlPvI251uAuhF5eB
MD5:	840CBF490CE0600E1057F72949A37C73
SHA1:	151C7C81A8F1E9DD889EEF12E8C4CA6749495DAC
SHA-256:	B09A0B160629C46CD40123518CF4BEED875C630F8836E2FEA5D894C43FD58093
SHA-512:	922E31024AD6994330A528289D3EC3A9584E78B21BC32D8EE5419BC3793911FC4C092B96DF0C3C55FE562F6FC761E1D60C8AC229E6C23BF8AB64E2D180C3B3F9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E................0.................. ........@.. ....................................@.................................N...O.......$...........................l...p............................................ ............... ..H............text........ ...................... ..`.rsrc...$...........................@..@.reloc...............r..............@..B........................H............N......+.......`............................................0...........sq...}.....st...}.....st...}.....sX...}.....s....}.....sj...}.....s....}.....sj...}.....sl...}.....sR...}.....s....}.....s....}.....s]...}......}.....(.......()........{....(.......{&...(......(......(.........0............{.....{....o~.....{.....{....ox.....{.....{....ov.....{.....{....o\|.....{.....{....oz.....{.....o......{.....o......{.....o......{.....o......{.....o......{#...r...p.{...

C:\Users\user\AppData\Roaming\LJAGvecDW.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: TYPE_C_31_M_12 TAMAR 25.4.2024.exe, Detection: malicious, Browse Filename: Total Invoice.exe, Detection: malicious, Browse Filename: 62402781, Fiyat Teklif Talebi.pdf.exe, Detection: malicious, Browse Filename: CREDIT NOTE.exe, Detection: malicious, Browse Filename: Total Invoices.exe, Detection: malicious, Browse Filename: BARSYL SHIPPING Co (VIETNAM).exe, Detection: malicious, Browse Filename: BARSYL SHIPPING Co (VIETNAM).exe, Detection: malicious, Browse Filename: Urgent PO 18-3081 Confirmation.exe, Detection: malicious, Browse Filename: CAHKHCM2404009CFS.exe, Detection: malicious, Browse Filename: FAR.N_2430-240009934.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469021818116032
Encrypted:	false
SSDEEP:	6144:ZzZfpi6ceLPx9skLmb0f2ZWSP3aJG8nAgeiJRMMhA2zX4WABluuN5jDH5S:xZHt2ZWOKnMM6bFpLj4
MD5:	44B74CE0899F41CCDDB945DCCDC1ED2D
SHA1:	155C0D66BC526938E906380856B11B904EA64F48
SHA-256:	42C27285A7F9B4ACDAA2AEFBA6FDE6AD0C580AC07F5111211AFE2244C0DC4B16
SHA-512:	F916AB7E641EF6BF944736570B2D44447FDC0A6226CD1971A41EB9C84C5A31A0FA50684D5AF2194B252985B5AAC4A88144A12FE394D17DB6195CD2D5F5437A9B
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....................................................................................................................................................................................................................................................................................................................................................s..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.595213133553131
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
File size:	881'664 bytes
MD5:	840cbf490ce0600e1057f72949a37c73
SHA1:	151c7c81a8f1e9dd889eef12e8c4ca6749495dac
SHA256:	b09a0b160629c46cd40123518cf4beed875c630f8836e2fea5d894c43fd58093
SHA512:	922e31024ad6994330a528289d3ec3a9584e78b21bc32d8ee5419bc3793911fc4c092b96df0c3c55fe562f6fc761e1d60c8ac229e6c23bf8ab64e2d180c3b3f9
SSDEEP:	12288:0YIPXjD9Mo4ALYp92DzclnPtgmDHTtI24666LZwzcu+UEkwE6eeE2:0YIPiEYpQUlPvI251uAuhF5eB
TLSH:	141568A037565292D42AB7B71030807422649F5D1F2FD27B3A89FF869DFB2D4CF22616
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	176952f8b9512917

Static PE Info

General

Entrypoint:	0x4aeca2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF3ED4585 [Sun Sep 6 21:28:37 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor eax, 35455354h
xor dword ptr [edi+eax*2], esi
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4Ah], dl
push ebx
cmp byte ptr [eax+edi+34h], al
inc ebx
inc ebx
xor al, 37h
xor eax, 00000035h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaec4e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x2a124	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xace6c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaccc8	0xace00	e9b130cdb10a44bb341ced349dc2c7b1	False	0.9524683093817787	data	7.954566370427042	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x2a124	0x2a200	75b09bfd6fda26c50849a2b72aa19a76	False	0.1300306008902077	data	3.9579735755049703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	2ed21aa793a76544b4e82c8dca719a0d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb02b0	0x2146	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9930734914299131
RT_ICON	0xb23f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.04977522772980007
RT_ICON	0xc2c20	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.07373344544881227
RT_ICON	0xcc0c8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.08216266173752311
RT_ICON	0xd1550	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.09648086915446387
RT_ICON	0xd5778	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.14885892116182572
RT_ICON	0xd7d20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.19160412757973733
RT_ICON	0xd8dc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.2807377049180328
RT_ICON	0xd9750	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.34397163120567376
RT_GROUP_ICON	0xd9bb8	0x84	data	0.7045454545454546
RT_VERSION	0xd9c3c	0x2fc	data	0.443717277486911
RT_MANIFEST	0xd9f38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-10:06:29.016387	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49721	587	192.168.2.6	50.87.253.239
04/26/24-10:06:29.016387	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49721	587	192.168.2.6	50.87.253.239
04/26/24-10:06:40.359218	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49731	587	192.168.2.6	50.87.253.239
04/26/24-10:06:40.359218	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49731	587	192.168.2.6	50.87.253.239

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:06:27.259871006 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:27.456449986 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:27.456650972 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:27.712315083 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:27.712992907 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:27.909785986 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:27.913459063 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:28.114681005 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:28.115801096 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:28.334466934 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:28.334762096 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:28.531352043 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:28.534941912 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:28.774986029 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:28.808058023 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:28.808238029 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:29.004662991 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:29.004985094 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:29.016386986 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:29.016467094 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:29.016499996 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:29.018994093 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:29.212958097 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:29.217401981 CEST	587	49721	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:29.361205101 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:37.628329039 CEST	49721	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:38.629363060 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:38.825890064 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:38.826059103 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:39.096323013 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:39.096745014 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:39.293577909 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:39.294231892 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:39.491781950 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:39.492440939 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:39.690692902 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:39.690979958 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:39.887558937 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:39.887757063 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:40.125382900 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:40.161436081 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:40.161607981 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:40.358155012 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:40.358381987 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:40.359217882 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:40.359282017 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:40.359319925 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:40.359334946 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:06:40.555744886 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:40.557014942 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:06:40.781363010 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:08:18.643331051 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:08:18.880176067 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:08:19.041877985 CEST	587	49731	50.87.253.239	192.168.2.6
Apr 26, 2024 10:08:19.042030096 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:08:19.042155027 CEST	49731	587	192.168.2.6	50.87.253.239
Apr 26, 2024 10:08:19.238532066 CEST	587	49731	50.87.253.239	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:06:27.021886110 CEST	62651	53	192.168.2.6	1.1.1.1
Apr 26, 2024 10:06:27.209973097 CEST	53	62651	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 10:06:27.021886110 CEST	192.168.2.6	1.1.1.1	0x6696	Standard query (0)	mail.clslk.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 10:06:27.209973097 CEST	1.1.1.1	192.168.2.6	0x6696	No error (0)	mail.clslk.com		50.87.253.239	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 26, 2024 10:06:27.712315083 CEST	587	49721	50.87.253.239	192.168.2.6	220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 02:06:27 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:06:27.712992907 CEST	49721	587	192.168.2.6	50.87.253.239	EHLO 216554
Apr 26, 2024 10:06:27.909785986 CEST	587	49721	50.87.253.239	192.168.2.6	250-box2224.bluehost.com Hello 216554 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 26, 2024 10:06:27.913459063 CEST	49721	587	192.168.2.6	50.87.253.239	AUTH login Z21AY2xzbGsuY29t
Apr 26, 2024 10:06:28.114681005 CEST	587	49721	50.87.253.239	192.168.2.6	334 UGFzc3dvcmQ6
Apr 26, 2024 10:06:28.334466934 CEST	587	49721	50.87.253.239	192.168.2.6	235 Authentication succeeded
Apr 26, 2024 10:06:28.334762096 CEST	49721	587	192.168.2.6	50.87.253.239	MAIL FROM:<gm@clslk.com>
Apr 26, 2024 10:06:28.531352043 CEST	587	49721	50.87.253.239	192.168.2.6	250 OK
Apr 26, 2024 10:06:28.534941912 CEST	49721	587	192.168.2.6	50.87.253.239	RCPT TO:<devendra@syncro-group.xyz>
Apr 26, 2024 10:06:28.808058023 CEST	587	49721	50.87.253.239	192.168.2.6	250 Accepted
Apr 26, 2024 10:06:28.808238029 CEST	49721	587	192.168.2.6	50.87.253.239	DATA
Apr 26, 2024 10:06:29.004985094 CEST	587	49721	50.87.253.239	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 26, 2024 10:06:29.018994093 CEST	49721	587	192.168.2.6	50.87.253.239	.
Apr 26, 2024 10:06:29.217401981 CEST	587	49721	50.87.253.239	192.168.2.6	250 OK id=1s0GbE-003cJ1-2v
Apr 26, 2024 10:06:39.096323013 CEST	587	49731	50.87.253.239	192.168.2.6	220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 02:06:38 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:06:39.096745014 CEST	49731	587	192.168.2.6	50.87.253.239	EHLO 216554
Apr 26, 2024 10:06:39.293577909 CEST	587	49731	50.87.253.239	192.168.2.6	250-box2224.bluehost.com Hello 216554 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 26, 2024 10:06:39.294231892 CEST	49731	587	192.168.2.6	50.87.253.239	AUTH login Z21AY2xzbGsuY29t
Apr 26, 2024 10:06:39.491781950 CEST	587	49731	50.87.253.239	192.168.2.6	334 UGFzc3dvcmQ6
Apr 26, 2024 10:06:39.690692902 CEST	587	49731	50.87.253.239	192.168.2.6	235 Authentication succeeded
Apr 26, 2024 10:06:39.690979958 CEST	49731	587	192.168.2.6	50.87.253.239	MAIL FROM:<gm@clslk.com>
Apr 26, 2024 10:06:39.887558937 CEST	587	49731	50.87.253.239	192.168.2.6	250 OK
Apr 26, 2024 10:06:39.887757063 CEST	49731	587	192.168.2.6	50.87.253.239	RCPT TO:<devendra@syncro-group.xyz>
Apr 26, 2024 10:06:40.161436081 CEST	587	49731	50.87.253.239	192.168.2.6	250 Accepted
Apr 26, 2024 10:06:40.161607981 CEST	49731	587	192.168.2.6	50.87.253.239	DATA
Apr 26, 2024 10:06:40.358381987 CEST	587	49731	50.87.253.239	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 26, 2024 10:06:40.359334946 CEST	49731	587	192.168.2.6	50.87.253.239	.
Apr 26, 2024 10:06:40.557014942 CEST	587	49731	50.87.253.239	192.168.2.6	250 OK id=1s0GbQ-003cRz-0p
Apr 26, 2024 10:08:18.643331051 CEST	49731	587	192.168.2.6	50.87.253.239	QUIT
Apr 26, 2024 10:08:19.041877985 CEST	587	49731	50.87.253.239	192.168.2.6	221 box2224.bluehost.com closing connection

Target ID:	1
Start time:	10:06:17
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"
Imagebase:	0x620000
File size:	881'664 bytes
MD5 hash:	840CBF490CE0600E1057F72949A37C73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2353913822.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2359343012.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2353913822.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:06:22
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe"
Imagebase:	0x440000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:06:22
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:06:22
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LJAGvecDW.exe"
Imagebase:	0x440000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:06:23
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:06:23
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmp87CB.tmp"
Imagebase:	0x7e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:06:23
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:06:23
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xd20000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2413879455.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2408863258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2413879455.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2413879455.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:06:24
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 1400
Imagebase:	0x120000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:06:25
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\LJAGvecDW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\LJAGvecDW.exe
Imagebase:	0x1c0000
File size:	881'664 bytes
MD5 hash:	840CBF490CE0600E1057F72949A37C73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:06:26
Start date:	26/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:06:33
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJAGvecDW" /XML "C:\Users\user\AppData\Local\Temp\tmpA44C.tmp"
Imagebase:	0x7e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:06:33
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:06:33
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0xf90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:06:34
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:06:34
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xa60000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.3497093745.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.3497093745.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.3497093745.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	10:06:34
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1760
Imagebase:	0x120000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:06:42
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0xec0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:06:42
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	296
Total number of Limit Nodes:	18

Executed Functions

Function 0702A688 Relevance: 2.3, Strings: 1, Instructions: 1042
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&IH3, xrefs: 0702AA80

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: &IH3
API String ID: 0-1546010026
Opcode ID: 9072ec282c29b832428f08cca20f214a1b9d7855ed4e1d2a1d6230e0b95afb21
Instruction ID: 6311f42cf228ac0fcee737e7cf2c36df0fbec893382b153c696bc3cf0b20c823
Opcode Fuzzy Hash: 9072ec282c29b832428f08cca20f214a1b9d7855ed4e1d2a1d6230e0b95afb21
Instruction Fuzzy Hash: 3DB2C4B5A00628CFDB54CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 07349BC0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 07349F75

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: e0d719d0a04e05b7e28ff7b1db305d444d7b12bdc44451d56bb14e86f382d1ad
Instruction ID: 623f4998e855dc8990e539b3994346ceabcfd7d5cbb8541a912c29171d8bce71
Opcode Fuzzy Hash: e0d719d0a04e05b7e28ff7b1db305d444d7b12bdc44451d56bb14e86f382d1ad
Instruction Fuzzy Hash: 0CD127B0E1420ADFEB18CF95C4859AEFBF6FF89300F109559D415AB254D738AA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07347A20 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

)", xrefs: 07347ACA

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: )"
API String ID: 0-4237191880
Opcode ID: 0eca520ec0a5423fda08c2bc63579cb60e00b9a6abe6d45a4cee880577cd4d87
Instruction ID: 0b7f82188630f8749585dde0b60e95ef5e1b59490ab07e0c82db7455b5274bfa
Opcode Fuzzy Hash: 0eca520ec0a5423fda08c2bc63579cb60e00b9a6abe6d45a4cee880577cd4d87
Instruction Fuzzy Hash: 0381C3B4E002099FDB08CFAAC984AEEBBF2FF89310F14952AD419AB354D7355945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 070239C0 Relevance: 1.0, Instructions: 975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1c376050e6a5fea27b929aadf050c8d56018007f117d9aa95e959c1deef8be
Instruction ID: 787c5beba856769328ffdb2aae28bb1bcf6e0c2fe3907e1957e57df3c5db2b24
Opcode Fuzzy Hash: 1e1c376050e6a5fea27b929aadf050c8d56018007f117d9aa95e959c1deef8be
Instruction Fuzzy Hash: 0372A071B002168FDB48AB78C85476E7BE6AFC8350F248569E506DB3A6CF34DC06DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07026CD8 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be21634a3e474a7694692c7ab8957ef5526ba6bffd90f753a25aa6f51b9d708
Instruction ID: 3bfb29531c10a44bac8521e7e9558d2b8c9ca3e1a704f5a4b8da353d1ee4f567
Opcode Fuzzy Hash: 7be21634a3e474a7694692c7ab8957ef5526ba6bffd90f753a25aa6f51b9d708
Instruction Fuzzy Hash: 86722D71A0021ACFCB54DF68C880AEDB7F1BF89310F1586AAD559AB351DB70AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 078FC550 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368283913.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_78f0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea0c1440c5d66ba07913f118dfdf55e5fb48ecb1dd8ce050685116d59378464
Instruction ID: 639957d21f5acf575e8452d077688a48e59244870ea6d118c7b2d8b7aac42ce5
Opcode Fuzzy Hash: eea0c1440c5d66ba07913f118dfdf55e5fb48ecb1dd8ce050685116d59378464
Instruction Fuzzy Hash: D7521374600609CFDB14DF68C588AADBBF2BF88314F2585A8E50ADB761DB34ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05041808 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2357320245.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5040000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4febffb72f5b85d3daee8f27dc177e250cfbb5e370f69dbb9955fad3fa4e12
Instruction ID: 71aab1bbaa5bf960209e40049bb36d6a877bd5a6dfa20185222b611fdc24471e
Opcode Fuzzy Hash: 6b4febffb72f5b85d3daee8f27dc177e250cfbb5e370f69dbb9955fad3fa4e12
Instruction Fuzzy Hash: C0524E34A00306CFDB14DF28C844B99B7B2FF85314F2586A9D5596F3A2DBB5A982CF41

Uniqueness

Uniqueness Score: -1.00%

Function 050417F8 Relevance: .6, Instructions: 576COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2357320245.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5040000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e578c0fb623184749666fda23eb6a10eb2b2d0b76be94d8e81bc0756b877874
Instruction ID: 30444231815b0393a6eb510f6a9c6051bfa9b5c56358110dde1e1f6c22d6f96e
Opcode Fuzzy Hash: 1e578c0fb623184749666fda23eb6a10eb2b2d0b76be94d8e81bc0756b877874
Instruction Fuzzy Hash: 73525F34A00346CFDB14DF28C844B99B7B2FF85314F2586A9D5586F3A2DBB5A982CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0734C900 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97feb24d5ca409beae935dfb7e0f11b614ad602f1cf93655bbb09be4ca13c672
Instruction ID: b18ad8042ebcb357addf8fa1f325a4a1401d5881825524879eff80429a743b26
Opcode Fuzzy Hash: 97feb24d5ca409beae935dfb7e0f11b614ad602f1cf93655bbb09be4ca13c672
Instruction Fuzzy Hash: 068114B5E1521ADFDB44CFA9C8809EEFBF1FB89200F10A55AD419B7214D338A901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078FF508 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368283913.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_78f0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5715e8d3158e3041aed2f4a429b7163ae0e795406eb5cfac35c0e6b3fac0d088
Instruction ID: c14dbc6c07d6089b49e62dc0a64764ba5d379b33c99053e65ffcf46f4cf30d3b
Opcode Fuzzy Hash: 5715e8d3158e3041aed2f4a429b7163ae0e795406eb5cfac35c0e6b3fac0d088
Instruction Fuzzy Hash: 605124717002428FCB259F74D45069E7BA2AF86320F2445AEE615CB3E1CB349D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07029CB8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1d61ffea590c6031938780f11585b046cae12fd599fef7681157bb11abac9
Instruction ID: 375fe39ccf330c1789020f44070b8e31a46952e4a62db0b9cadc02bb6e80a1fe
Opcode Fuzzy Hash: c8c1d61ffea590c6031938780f11585b046cae12fd599fef7681157bb11abac9
Instruction Fuzzy Hash: D6211DB1E146598BDB18CFABC8042DEBBF7AFC9300F04C17AC418AB658DB7519469F51

Uniqueness

Uniqueness Score: -1.00%

Function 07029CC8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732890fbf78928f01f2da98f03c81dee6623fca3828236e19dc202aca61869e1
Instruction ID: a177b1111745e0aaa4a8d9c5151400665434f662b6632e276fee891ca22738fb
Opcode Fuzzy Hash: 732890fbf78928f01f2da98f03c81dee6623fca3828236e19dc202aca61869e1
Instruction Fuzzy Hash: 43111CB1E046188BEB1CCFABC90439EBAF7AFC9300F04C17A8418AA658DB7419469F50

Uniqueness

Uniqueness Score: -1.00%

Function 010BDF58 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010BDFDE
GetCurrentThread.KERNEL32 ref: 010BE01B
GetCurrentProcess.KERNEL32 ref: 010BE058
GetCurrentThreadId.KERNEL32 ref: 010BE0B1

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 533d48983d6bd1628fb97f999d43a3ff6f39e64a6a1bc026c9093ff6373bfc98
Instruction ID: d774ddd360ad812817e28fd1ad9cc13b3f9a2cbcb80f8c6410901630efdabbdb
Opcode Fuzzy Hash: 533d48983d6bd1628fb97f999d43a3ff6f39e64a6a1bc026c9093ff6373bfc98
Instruction Fuzzy Hash: E35165B090134ACFDB54CFA9D588BDEBBF0FF88314F208459E408AB260CB749984CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BDF60 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010BDFDE
GetCurrentThread.KERNEL32 ref: 010BE01B
GetCurrentProcess.KERNEL32 ref: 010BE058
GetCurrentThreadId.KERNEL32 ref: 010BE0B1

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 20aa8349038bf225a0a85362eb922c314ca1ad1c584a104073e34e3dfda9f744
Instruction ID: 129d33ac22913ae74a915577eeb22cb6ff5cb8c53b715316b789a647dc0b305f
Opcode Fuzzy Hash: 20aa8349038bf225a0a85362eb922c314ca1ad1c584a104073e34e3dfda9f744
Instruction Fuzzy Hash: FF5165B090134ACFDB54CFAAD588BDEBBF1FF88314F208459E409A7250DB74A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 073E612C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073E636E

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bd935cbfa5341e09139a92ea0694b3ea285b461e71d3c6d21e98bb125dbf9ce2
Instruction ID: e72cacb49903485596219c8e322baf7ce8b5f4ccc223c4277a7d68998d31cc9d
Opcode Fuzzy Hash: bd935cbfa5341e09139a92ea0694b3ea285b461e71d3c6d21e98bb125dbf9ce2
Instruction Fuzzy Hash: D2A160B1D0026ACFEF15CF68C8417DDBBB6BF48314F148169E848A7290D7759985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 073E6138 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073E636E

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5f2558fc92cb56f5e228a14b54bafbeda27a856a0f3f04a7bbd04a05232bc5d0
Instruction ID: 0395fca2b0e8d028e7e8bb3e525f7b75244af3febf6bb82f733a049d01941f21
Opcode Fuzzy Hash: 5f2558fc92cb56f5e228a14b54bafbeda27a856a0f3f04a7bbd04a05232bc5d0
Instruction Fuzzy Hash: 9C916EB1D0022ACFEF14CF68C941BDDBBB6BF48314F148169E818A7280DB759985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 010BBCB8 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010BBF1E

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4afc8ffe1d2061b0d48784377a1480f55c811f4f24e9d3bfeb587cb46ff42921
Instruction ID: a28c470fbcf466dacb8b2650007e86801dc3a97bfc1cd917f678efc4ede42e56
Opcode Fuzzy Hash: 4afc8ffe1d2061b0d48784377a1480f55c811f4f24e9d3bfeb587cb46ff42921
Instruction Fuzzy Hash: 1A816770A00B058FD764DF29D48079ABBF1FF88304F00896ED58ADBA51EB79E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 073EB8FF Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 073EBB47

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5dfb598f4912302fe627df9e0890dff866eb33e9d47b65bf08e4c968333036fc
Instruction ID: cc1881099f28350e25b2796867365fc30a4b69f2d8b60a79ae40f1d5bb59bfdc
Opcode Fuzzy Hash: 5dfb598f4912302fe627df9e0890dff866eb33e9d47b65bf08e4c968333036fc
Instruction Fuzzy Hash: 04719FF1701616DFEB16DB79C450BAEBBFAAF89300F1445AAD1599B3A0DB30E801CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010B5D0C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010B5DC9

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5f0e2557580de00fe469c13af3da422803554b39fbedecd10ee0ead07e3661a
Instruction ID: e95595520b44855b75160ad8695572be7b68dde383e1dd0a30fd7d0152d22417
Opcode Fuzzy Hash: c5f0e2557580de00fe469c13af3da422803554b39fbedecd10ee0ead07e3661a
Instruction Fuzzy Hash: 5D410370C00719CBEB25CFA9C8847CEBBF1BF48704F2081AAD448AB251DB716945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010B4538 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010B5DC9

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6a87816ab0872b92b44ad2a2f14616e607c3aad5135e7227929e455a9d98cd9b
Instruction ID: 692efb904f36e9552dd07f21304a8aa266352361fbdb7c3d4a4b739c12e00c46
Opcode Fuzzy Hash: 6a87816ab0872b92b44ad2a2f14616e607c3aad5135e7227929e455a9d98cd9b
Instruction Fuzzy Hash: D841C070C00719CBEB24DFA9C98479EBBB5BF48704F2081AAD508AB255DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 073E5AA8 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073E5B40

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a4f6a95e29d7009956a8d167464162841b42068782a19387405cbc38b6b7693c
Instruction ID: 06946635f23d69497742eb38203769a43391ae549730a8f18c5f21db162306c1
Opcode Fuzzy Hash: a4f6a95e29d7009956a8d167464162841b42068782a19387405cbc38b6b7693c
Instruction Fuzzy Hash: F22137B590035A9FDB10CFA9C881BDEBBF5FF88314F148429E958A7240C7789954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 078F9ED8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 078F9F77

Memory Dump Source

Source File: 00000001.00000002.2368283913.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_78f0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4ed0f38ce664d800f954018e53f661f1787993c66fa1e4b5fe6b8634f95a82a2
Instruction ID: 13d8635c26179ed4727b5aa37d22c4bb8cd44cad4210c35d3b52e91bbbc090d0
Opcode Fuzzy Hash: 4ed0f38ce664d800f954018e53f661f1787993c66fa1e4b5fe6b8634f95a82a2
Instruction Fuzzy Hash: F621C0B5D0020A9FDB10CF9AD980ADEBBF4FF58324F14842AE919E7210D774A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 078F9EE0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 078F9F77

Memory Dump Source

Source File: 00000001.00000002.2368283913.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_78f0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d240f1488a41a1e8857550848ce17923ee3e443377ffd69679077211fc552306
Instruction ID: ba3e45332366a94406dd8aeaa8c4094a20561c51cca7f0ac258b93e3ab288369
Opcode Fuzzy Hash: d240f1488a41a1e8857550848ce17923ee3e443377ffd69679077211fc552306
Instruction Fuzzy Hash: 8221C0B5D0020A9FDB10CF9AD880A9EFBF4FF58324F14842AE919E7210D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073E5AB0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073E5B40

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ffaff08af01df58f91f07daa49e5f400b390d7a0991b7ef632124f0a20ba278d
Instruction ID: 4f6cac4342bc1c0006fb03df9ab59bad8904424501bfb2dc16a36b96ddc8997e
Opcode Fuzzy Hash: ffaff08af01df58f91f07daa49e5f400b390d7a0991b7ef632124f0a20ba278d
Instruction Fuzzy Hash: 4D2126B190035A9FDF10CFA9C881BDEBBF5FF88314F108429E958A7240D7789950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010BE1A0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BE22F

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c6b9da11b30adcd5fff00183cbc7bb7a812b38914a5ce32c8903ae279e58a04c
Instruction ID: 16a4a59c26895f0d1271a50f55a375a6044e67065943e088821dbe9adb255f99
Opcode Fuzzy Hash: c6b9da11b30adcd5fff00183cbc7bb7a812b38914a5ce32c8903ae279e58a04c
Instruction Fuzzy Hash: C021E4B5D002099FDB10CFAAD985ADEBFF4FB48324F14801AE958A7350D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073E5B9A Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073E5C20

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6b54c71418241f4aa9e48e9ea5bfe232ba3aa4bef598be4246033be5fd6a6353
Instruction ID: 11dcf366596ab514932122c1cc599cd80465b62bd11819fef8188da79b94a3e5
Opcode Fuzzy Hash: 6b54c71418241f4aa9e48e9ea5bfe232ba3aa4bef598be4246033be5fd6a6353
Instruction Fuzzy Hash: DD2148B1C003599FDB10CFA9C881BEEBBF5FF88310F10842AE558A7250C7789950CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073E5912 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073E5996

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b18b5e6d5dcbbf2f3aa3ff04e9eb7d33b726e02a14ec61ef29208ed546465962
Instruction ID: 20a6aeed3a96675fa8e15b28f422582cf697ef34eb854c8092f55a4c249b238b
Opcode Fuzzy Hash: b18b5e6d5dcbbf2f3aa3ff04e9eb7d33b726e02a14ec61ef29208ed546465962
Instruction Fuzzy Hash: C32159B1D003198FEB10CFA9C4817EEBBF4AF88324F14842AD559A7240C7789954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073E5BA0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073E5C20

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9f11406c4d17103efb0edd2748be5747a1c7f0bed8174a87460b51b84ae836c7
Instruction ID: 10e1ad62e8235363fd7712be04874806a8c5e004a18a2662b613c56b14ccb266
Opcode Fuzzy Hash: 9f11406c4d17103efb0edd2748be5747a1c7f0bed8174a87460b51b84ae836c7
Instruction Fuzzy Hash: DC2128B1C003599FDB10DFAAC881BDEBBF5FF48314F108429E558A7240C7789950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 073E5918 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073E5996

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 51e736d2d8c4afed6ef38fe1902fe7a97b729363a760d9eeb263f9755556fb04
Instruction ID: c9fe749364bd280158a1d63d10092d63136170ece1aa70adc5df70b3d5f302e7
Opcode Fuzzy Hash: 51e736d2d8c4afed6ef38fe1902fe7a97b729363a760d9eeb263f9755556fb04
Instruction Fuzzy Hash: 78214CB1D003198FDB10DFAAC4857EEBBF4EF88324F148429D559A7241C7789554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010BE1A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BE22F

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5c0c9358bcfdc799e3dd0b1b520f53e1286c62ddc704eb792d4e606084118288
Instruction ID: f4ef332cd034ced03d43324c58aac0a530171a8c564c259be62b2b16e4fceefe
Opcode Fuzzy Hash: 5c0c9358bcfdc799e3dd0b1b520f53e1286c62ddc704eb792d4e606084118288
Instruction Fuzzy Hash: 5121E4B59002099FDB10CF9AD984ADEBFF4FB48320F14801AE958A7350D378A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073E59E8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073E5A5E

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bd7c41272a80b17ab6b84d32f4b5aebb9cfcbd82b58fbc94d310d600be87b0a2
Instruction ID: 047b12dd2e6e6c3074199f20cd08752b314eb4f5dad8495abecdceb538e5ac98
Opcode Fuzzy Hash: bd7c41272a80b17ab6b84d32f4b5aebb9cfcbd82b58fbc94d310d600be87b0a2
Instruction Fuzzy Hash: A71147729002499FEB10CFA9C8447EEBFF5EF88324F148419E519A7250CB759950CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010BB6C8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010BBF99,00000800,00000000,00000000), ref: 010BC1AA

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 655ca26644a018d5bb590c2cd135bf10c91f03b869200249f5a0512921bd6488
Instruction ID: 43f2f0a19c8854ec94cb6d2d4df6b002a120ba9f830e6e4f50703872d6ce82e2
Opcode Fuzzy Hash: 655ca26644a018d5bb590c2cd135bf10c91f03b869200249f5a0512921bd6488
Instruction Fuzzy Hash: E41103B6C042099FEB14CF9AD984BDEFBF8EB89310F10842AE559B7200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010BC138 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010BBF99,00000800,00000000,00000000), ref: 010BC1AA

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b7a237e7ac54fe777722f2c3e1d4f414a738759dfa4e1130607175042abb8983
Instruction ID: a40d4b2711b075ca3a2d34544e54587939d6344f4a6eb385edfcd88a5f1ec3f5
Opcode Fuzzy Hash: b7a237e7ac54fe777722f2c3e1d4f414a738759dfa4e1130607175042abb8983
Instruction Fuzzy Hash: 851147B6C002098FDB10CFAAC884BDEFBF4EB89310F14842AE558B7200C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073E59F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073E5A5E

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec9fcc3bca44ab2b3f57be64de4409486fddc226355632774d58185344123194
Instruction ID: ce512438c1a101264582bf023e18672fb87084e2b8fb80da1320df328a736f89
Opcode Fuzzy Hash: ec9fcc3bca44ab2b3f57be64de4409486fddc226355632774d58185344123194
Instruction Fuzzy Hash: FD1156728002499FDB10CFAAC844BDFBBF5EF88324F148419E519A7250C775A550CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073E5862 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073E58CA

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d227d63bf8dc52a07e618714f63b3ff0587a176388272ae042c38d0de52e9868
Instruction ID: 5bd841193ee9f3c840b32203bdc57fc6178424443fc1f6839659c1017f7200d1
Opcode Fuzzy Hash: d227d63bf8dc52a07e618714f63b3ff0587a176388272ae042c38d0de52e9868
Instruction Fuzzy Hash: 3B116DB1D003598FDB20CFAAC4457EFFBF4AF88314F148429D159A7240CB75A545CB95

Uniqueness

Uniqueness Score: -1.00%

Function 073E5868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073E58CA

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1c030048ed310ac890bf94eaefa4620966a90d8e829762a02c4e99b0ac220de5
Instruction ID: e89d8bb0518becdd7223055e28eb05d4c7aa9cca9de147763a9d8fdb4905f92f
Opcode Fuzzy Hash: 1c030048ed310ac890bf94eaefa4620966a90d8e829762a02c4e99b0ac220de5
Instruction Fuzzy Hash: 80113AB1D003598FDB10DFAAC84579FFBF4AF88724F248819D519A7240CB75A544CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010BBEB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010BBF1E

Memory Dump Source

Source File: 00000001.00000002.2352768501.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10b0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 783734846fda29b5d73e495c9336b8f3f520a431614598f91ef830ccbfcdd60e
Instruction ID: ac0609ab857c4f1a6df4f5f33e1c15364a09e3924ff222ff8e2853bc978219a8
Opcode Fuzzy Hash: 783734846fda29b5d73e495c9336b8f3f520a431614598f91ef830ccbfcdd60e
Instruction Fuzzy Hash: 941110B6C0034A8FDB10CF9AC484BDEFBF4AF88224F10846AD558A7210C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073E5DF0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073EB27D

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 669e5594b9e7bf6d6279f4b4c51439b4285cabf414bd620357b8f83e0e809bd2
Instruction ID: 0655ccc1aecc25682806390cfea8ba1b53e72133d04528094443270de83923e3
Opcode Fuzzy Hash: 669e5594b9e7bf6d6279f4b4c51439b4285cabf414bd620357b8f83e0e809bd2
Instruction Fuzzy Hash: 97110FB5800359DFDB10CF8AC484BAEBBF8EB48320F108419E958A7240C3B5A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073EB218 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073EB27D

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bbd7f773fac5587d7e741307daf8e2e09b39ac08bedeabfa79042431d311eae2
Instruction ID: fe39b5952e24853086feac2821db0a5feeefe8f4d4ba9b6bb25fd1d0ca1a4053
Opcode Fuzzy Hash: bbd7f773fac5587d7e741307daf8e2e09b39ac08bedeabfa79042431d311eae2
Instruction Fuzzy Hash: FA1110B5800259DFDB10CF99C984BDEBFF8EB48320F24841AE558A7610C374A654CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073EBB18 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 073EBB47

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aba29ef62f13fdfddbc3cfa8f01ce4c53cd3c8493b9aee61018f9b9641031128
Instruction ID: 059fc7a0c6f88fc7e9a59f50971bec2663481ecb253cb54363d1971c3c678b52
Opcode Fuzzy Hash: aba29ef62f13fdfddbc3cfa8f01ce4c53cd3c8493b9aee61018f9b9641031128
Instruction Fuzzy Hash: 02F0D4B0C4135ADFDB44DFB8C805BAEBBB5AB05301F105669C418A3294D7B49A80CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0734C350 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 0734C388

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: d69a740aed30a687808bc00536a0eea8c2ca9266b4c85ac58a5daf0ed8e23467
Instruction ID: 5b5295ea8f104569d81ce7a489bae8fc15bdaa018240e73ee06e5cb7eb7e453a
Opcode Fuzzy Hash: d69a740aed30a687808bc00536a0eea8c2ca9266b4c85ac58a5daf0ed8e23467
Instruction Fuzzy Hash: 6D41BFB0A11609DFDB48CFA5D5858AEFBF1FB89310F61D495C409A7314D338EA11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0702084B Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8cc3bac56c701e9c4bfc8ad95228f9c60eafc17df6f8d58a21fdf3c4348382
Instruction ID: decd652e2543961820ca2b179939aedac0fc777f1ee06d4da4b27785aa7453a1
Opcode Fuzzy Hash: 5b8cc3bac56c701e9c4bfc8ad95228f9c60eafc17df6f8d58a21fdf3c4348382
Instruction Fuzzy Hash: AB020575600205DFDB58DF68D498AAD7BF2FF89314F5582A8E4099B362CB34EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07022768 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95140e84f18b2ca57cb71874e33d4ce23d0cc19c80c75a87f35a82679e57eb3
Instruction ID: 177115d19dfd2e5368c9e16e9d416e66daba370c3c5aab6fc1afb2404ac1b2bb
Opcode Fuzzy Hash: a95140e84f18b2ca57cb71874e33d4ce23d0cc19c80c75a87f35a82679e57eb3
Instruction Fuzzy Hash: F1C12675A00215CFCB55DFA8D594AADBBF1BF89310B1545A9E506EB3A1CB30EC42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07022F10 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d40322a5027d7dd6b207e66a1a650bf3aa51cc89eb6f64d653ab72aa43e2026
Instruction ID: b0dcbb6f953fb9c933a2f607910dc4f6dab0c3a9a7dac0074b54e90fdd6cc701
Opcode Fuzzy Hash: 9d40322a5027d7dd6b207e66a1a650bf3aa51cc89eb6f64d653ab72aa43e2026
Instruction Fuzzy Hash: EF61CA71B002059FCB58EBB4D4546AE7BA2AFC5310B2485AED409DB396CF35ED02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0734F6F8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40a025a49fa1e8dce15e6455f4b886b50df98d1fa377ebafb0fd5399fce5e05
Instruction ID: a8dd4a23a4a34240d01174b1486acfdb460470bf617db1d2d3855b6a3046a56d
Opcode Fuzzy Hash: f40a025a49fa1e8dce15e6455f4b886b50df98d1fa377ebafb0fd5399fce5e05
Instruction Fuzzy Hash: 456139B4D1520ADFEB08CFA9D4446EEBBFAFF49300F189129E419AB655C7386942CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07029F41 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6d9ef54e0b4175aaccdf5bac419944314f70a5ac586603962b7b4b0871dce3
Instruction ID: e99116d11028174c1194c2be143fa793a46d4d0cc340de4e3408f82234e6ed62
Opcode Fuzzy Hash: dd6d9ef54e0b4175aaccdf5bac419944314f70a5ac586603962b7b4b0871dce3
Instruction Fuzzy Hash: 6D5117B5E04219CFDB60DFA8D845BEDB7F6BB49310F209229E809A7385CB385946DF50

Uniqueness

Uniqueness Score: -1.00%

Function 07023993 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952351b401e185c0722aa328308fad377a3a520c0371784faf7f22a32e3ca1a2
Instruction ID: ba7934dc9ccc5dd8145648acc16edcfd1c31dc8dd60e3ab15a5bf2ba1e085615
Opcode Fuzzy Hash: 952351b401e185c0722aa328308fad377a3a520c0371784faf7f22a32e3ca1a2
Instruction Fuzzy Hash: FC518B72600216CFDB59CF34C894BA9BBF1EF49704F1582AAE506DB261CB38EC46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 07346D14 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2d7c8928dc8d08e01cd559f84416bda5f37ac3f42686e90da861dd96193a81
Instruction ID: 6ce0d0e7eebf19d2504940e3f257ea5b49df14e47eaeb57e755c739265d913e1
Opcode Fuzzy Hash: fa2d7c8928dc8d08e01cd559f84416bda5f37ac3f42686e90da861dd96193a81
Instruction Fuzzy Hash: 0451D371B002068FDB08EB79D8549BEBBF6FFC4260B148969E419DB351EF34AD068791

Uniqueness

Uniqueness Score: -1.00%

Function 07029D48 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b8603cf4205af04f6b145d4fae00d687bf3b5f473aca9cd3b7fd282d2ca1d6
Instruction ID: 53e2503022ef45e12331dd9aaf067192041dbdf9284253f228fc059e1166ba1a
Opcode Fuzzy Hash: 23b8603cf4205af04f6b145d4fae00d687bf3b5f473aca9cd3b7fd282d2ca1d6
Instruction Fuzzy Hash: B3513AF5A04219CFDB20DFA8D841BEDB7B6BB49310F209219E809A7385CA395A46DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0734FCF0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874dfd0066dbdf0dd7e69dfd1c270fc705380203102a0e440f909cbc5facdf51
Instruction ID: 62118c7ddba58018daf6bbc85cbaa97f8c69516c57bf9e376763723117d745c2
Opcode Fuzzy Hash: 874dfd0066dbdf0dd7e69dfd1c270fc705380203102a0e440f909cbc5facdf51
Instruction Fuzzy Hash: 0F4194B1A0031A8FEB14EFA9C54469FBBF6FFC8250F148529E509E7340DB34A901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07021360 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cb086fe4fbbe7d9b74b712b7d5b26583a1a8037b763e3d4ae750f2a61d4172
Instruction ID: 25220d332d3830b3a27d24d0b0e53146af70a9087a69556b2549892abcc7b02f
Opcode Fuzzy Hash: 06cb086fe4fbbe7d9b74b712b7d5b26583a1a8037b763e3d4ae750f2a61d4172
Instruction Fuzzy Hash: E74174B1300615DFD764AB28C494B6EB3F2BF85315F104629D209CB690DBB5AC47DB92

Uniqueness

Uniqueness Score: -1.00%

Function 07021353 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94033d5a64ffe8f32f57c66072666ea5dfb0c898001dc4ab8cba925c3251966b
Instruction ID: 4a2e65e4d0e1e80bcb0c780b43d1328eae2582fe8377802e7f2e869da7ca7676
Opcode Fuzzy Hash: 94033d5a64ffe8f32f57c66072666ea5dfb0c898001dc4ab8cba925c3251966b
Instruction Fuzzy Hash: 3341B6B1300616CFC725AF28C494B6DB3F2BF85304F14466AD245CB2A1DBB5A847DB92

Uniqueness

Uniqueness Score: -1.00%

Function 07028C28 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4106e7a95e07f7c9e1a63a761b7fd09e8d671bf5a8ca36661c86ca740759da7e
Instruction ID: 2972cf20abc2dfd8bd5607bfd459abe52cdbc69a607ffe2c909485ee750e0d14
Opcode Fuzzy Hash: 4106e7a95e07f7c9e1a63a761b7fd09e8d671bf5a8ca36661c86ca740759da7e
Instruction Fuzzy Hash: 09414C75E001598BDB44DBA9D898AEEBBF2BF88310F24C169D511BB390CB709C46DF60

Uniqueness

Uniqueness Score: -1.00%

Function 07028B90 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c042d57f10cad6886899b1218935f9ea05efd49c0a8f1ff1326c5e93eeecf24
Instruction ID: 5bfd69f9a3d741bb9055328c8631e4043caf3b41884e2faa4db59f65b05a4ebf
Opcode Fuzzy Hash: 7c042d57f10cad6886899b1218935f9ea05efd49c0a8f1ff1326c5e93eeecf24
Instruction Fuzzy Hash: 2E31EF76E0525A8FCB45DBB9D8141EEBBF2EF89310F24816AD504F7250EB345D0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0734E464 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c072b743322ad1eccd376f77dc2bf4cc1e28f2966aa3b957155de101bf492f
Instruction ID: a2cadac055d27fb17d6f29b66761c9357b6bce300a67a075fc051ab98ed37c73
Opcode Fuzzy Hash: 42c072b743322ad1eccd376f77dc2bf4cc1e28f2966aa3b957155de101bf492f
Instruction Fuzzy Hash: 6E314DB69002099FDB14DFA9D884ADEBFF5FB49310F14842AE909E7210D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07023B8C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7052103dbe14e11146c9bbfe2f92072a49196395f8c6a569a0bc9ec60b676aec
Instruction ID: 73756d98378a5dc11b35d13f4b7336963a3c2f7f2095ba432c81b620ee2584a4
Opcode Fuzzy Hash: 7052103dbe14e11146c9bbfe2f92072a49196395f8c6a569a0bc9ec60b676aec
Instruction Fuzzy Hash: E241A2712007018FC7599F34C848B597BE2BF85314F2586AAE15ACB3B2CF78A84BDB40

Uniqueness

Uniqueness Score: -1.00%

Function 07029D5F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fea4e2061a0b6b77cba4a5461053a9ebe5a1e5a12495c8f3bdaebffbae7652e
Instruction ID: e4d7c946d52c6e3f6dc5411ed03f4e2935056a2d2b113098685c612b8eb6df56
Opcode Fuzzy Hash: 7fea4e2061a0b6b77cba4a5461053a9ebe5a1e5a12495c8f3bdaebffbae7652e
Instruction Fuzzy Hash: 5341B3B4E04228DFEB64DF64C944BADBBB2BB49300F1081D9E949A7345CB355E82DF52

Uniqueness

Uniqueness Score: -1.00%

Function 07024B13 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bb8d48ac42383d7658f6afd39e9be96179b2e7f9f591871a7153a1a5765498
Instruction ID: f86f640d68d52ef9a0c1f76432bd89715f6ed4ef5da28fd024877e4e8745337e
Opcode Fuzzy Hash: 45bb8d48ac42383d7658f6afd39e9be96179b2e7f9f591871a7153a1a5765498
Instruction Fuzzy Hash: 4F317C767002259FCB05DF68D884AAE7BB6BF88320F114299F525CB2B1CB70DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 070220C8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c9235866c309d58c9c91e413a3fbf1dc91a8b4e3d667e62986ae612001bab1
Instruction ID: a1802180dc03dfd2df30e8216c3cd67f17e2e8704cd5d13f63af934e365e2e5b
Opcode Fuzzy Hash: 02c9235866c309d58c9c91e413a3fbf1dc91a8b4e3d667e62986ae612001bab1
Instruction Fuzzy Hash: A03107713006128FD758DB69C884F6973E6BF99610F1681A9E61ACB361DE34E842DB90

Uniqueness

Uniqueness Score: -1.00%

Function 070220B8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62197cf5c59da510357859e6585ff1b0f5b3f31879b4b1e6a4b1a80fe2f87bb
Instruction ID: 273944a7b2ce9ec693ca682c9904758a35104b5185fe45591acca0b9e3ffc339
Opcode Fuzzy Hash: e62197cf5c59da510357859e6585ff1b0f5b3f31879b4b1e6a4b1a80fe2f87bb
Instruction Fuzzy Hash: 67312571300212CFD758DB68C884FA977E5BF99610F1681A9EA59CB361EF34EC42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 07024B20 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e28266271cf4565006547a5c8d300da5295c0fd3aa5f01775627dacaf054df
Instruction ID: eb43472b9aa3f6a9c865a5ac354a6454a90ac3f49d97bef5067431a5465f47eb
Opcode Fuzzy Hash: c1e28266271cf4565006547a5c8d300da5295c0fd3aa5f01775627dacaf054df
Instruction Fuzzy Hash: 93311A757002159FCB15DF68D884AAE7BB6FF88720F114259F5258B2B1CB71DD02DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0702B918 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d8634aef21027ab2dd9e0be9e4bf2c04dcebb0924536a79e01345f1406b703
Instruction ID: 0c52c43d7826a7ea87fdac1ea1d6ad01d034040ca4cb6eeeb2c375ad61790ab7
Opcode Fuzzy Hash: c6d8634aef21027ab2dd9e0be9e4bf2c04dcebb0924536a79e01345f1406b703
Instruction Fuzzy Hash: C5316BF5918209CFCB04DFA8D841AFEBBF5EB4A300F10966AC414A3250EB351A42DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0702C7EA Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7af0c87558ff02cffb081d7bfa7289b5fa372f2c4bc2834b7400fc5ec9d6f8f
Instruction ID: 5c1529ff174c89fa31f3cc5bd7b9571dcf1ef10bb0b1475d08a42246afec2146
Opcode Fuzzy Hash: d7af0c87558ff02cffb081d7bfa7289b5fa372f2c4bc2834b7400fc5ec9d6f8f
Instruction Fuzzy Hash: 55316CB1D04259DFEB04CFA8D440AEFBBF5EB89310F01C26AC425A7251CB359942DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0702C7F8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b993c26083348a91f0ddc8960154b13761410820d34bdf1cacc0717e14267515
Instruction ID: ae1edabfa1dc216fe668ff002986af1b0b70ec7d9daf9090611eb37537c12cce
Opcode Fuzzy Hash: b993c26083348a91f0ddc8960154b13761410820d34bdf1cacc0717e14267515
Instruction Fuzzy Hash: 88316AB5E04219DFEB04DFA8D440AAFBBF6EB89310F01C269C425A7340CB359942DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070225D4 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51ed967666c1debb1e65d2b81251910566e727dde5ee3b9d70ee2091446382c
Instruction ID: 35b464fa9f90c5e231224ebc0b8fca974d8d85f5659a9649b86f2c41f3d45972
Opcode Fuzzy Hash: e51ed967666c1debb1e65d2b81251910566e727dde5ee3b9d70ee2091446382c
Instruction Fuzzy Hash: C7314D712006118FD7A49F28C848B56B7E5BF84324F608669E55A8B2B1DF79E88B9B40

Uniqueness

Uniqueness Score: -1.00%

Function 07022DA0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659594624c191fbd9cdbf1a8e5def818c0582f040aa6d2b45256dd194a8e76d0
Instruction ID: 246db76d0f11272e3cb0e55ea44bfa0467e4955fbfbe409d22567ef5a01d98f7
Opcode Fuzzy Hash: 659594624c191fbd9cdbf1a8e5def818c0582f040aa6d2b45256dd194a8e76d0
Instruction Fuzzy Hash: 4321C5F27001229B4E556BBCA45423E3AD7BBC555570A1229EA02CB394EF68CC03B7D7

Uniqueness

Uniqueness Score: -1.00%

Function 07025CA1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9cc35943de5147b8dfb72258a4976603c970a2cf8d4be79f3840d25c015263
Instruction ID: 7fedd5194de3e71d0349001e07962c3afd6545ec986ae13114baa00d9c9f6b6c
Opcode Fuzzy Hash: bf9cc35943de5147b8dfb72258a4976603c970a2cf8d4be79f3840d25c015263
Instruction Fuzzy Hash: 2E21D572204355CFC721EF30C8504AA77F5BF422147A047BEE46696190EB35D8A7EB50

Uniqueness

Uniqueness Score: -1.00%

Function 07022A6D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ef147e9491e0619543454fdc87b3ad23104a0d4fad792c9fcbdfee79307777
Instruction ID: 9a3ea3e4b84720637e219c011d1264687039580ee376fe0e1b1fe14bfa72c2ae
Opcode Fuzzy Hash: 56ef147e9491e0619543454fdc87b3ad23104a0d4fad792c9fcbdfee79307777
Instruction Fuzzy Hash: FF316AB5600215CFDB65DFA8D444A9D7BF2FF88321F165168E901AB2A1CB30EC82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07022258 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2558eaa6c579b8680e6645fdb7eecb351ec8684b967ec2a9d400730e02b8efb
Instruction ID: 4ae0eb7866264b00f220bec343a1d830a0e413106c7dd19010f7348059d07578
Opcode Fuzzy Hash: e2558eaa6c579b8680e6645fdb7eecb351ec8684b967ec2a9d400730e02b8efb
Instruction Fuzzy Hash: 3B315C31200611CFC7559B38C848BA67BE1FF85314F1685AAE08ACB262DE75AC8ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0734DDE0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65981e94bf50680245f717cde4e03e451d90b1b4a3326bee4b22db86b910e4cd
Instruction ID: 0f8d1d54c6780d528caddd6c4cb3eb19e7856244e65146b2b90201b4411a8341
Opcode Fuzzy Hash: 65981e94bf50680245f717cde4e03e451d90b1b4a3326bee4b22db86b910e4cd
Instruction Fuzzy Hash: 353129F4E0420ADFDB08DFA8D9416BEB7F6FB49300F108129D509A7744C7386A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352500459.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fcd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e62cfa9ce1a06da17e4444627f37068bcb56568568be6b0df623164522c5b5c
Instruction ID: d98f873edbb7b6c2354b0edf42b346da412724fea075e0bf5f951daf38e72a89
Opcode Fuzzy Hash: 7e62cfa9ce1a06da17e4444627f37068bcb56568568be6b0df623164522c5b5c
Instruction Fuzzy Hash: 962128B6504245EFDB08DF14DAC1F2ABF65FB94324F20C17DDA090B256C336E856DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352500459.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fcd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a2451dceb57032807662bc921f008c1581756546581f884221bd24bab6e3ee
Instruction ID: 895de76f19a8ec2ac54bcf515337c038f7d11e89cc73881c605143245b30372c
Opcode Fuzzy Hash: 50a2451dceb57032807662bc921f008c1581756546581f884221bd24bab6e3ee
Instruction Fuzzy Hash: 16214872900241DFCB04DF14DAC1F2ABF65FB84328F24C97DD9090B256C336D816DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 07027EA1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4a61f1673326cf00da523363d0fc285612172ea6a0224307dedeb3e3e6f154
Instruction ID: b8f142787710856c86eeb22a30091eb64850bdf0d17de18e6b34aea8cbd5d35b
Opcode Fuzzy Hash: ee4a61f1673326cf00da523363d0fc285612172ea6a0224307dedeb3e3e6f154
Instruction Fuzzy Hash: DA21AE70A493868FC705DF78D96058D7FB2AF82214B2481EAD048DF2E3DB358D0ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 07022D90 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aaa3681676905dbd5509a51608a966eae7e1736b983efdd79fc9a3c8b957dd3
Instruction ID: 31da18bb4f4bca660d6aa8276e915636b73e0f347061026936a21b13daec64c5
Opcode Fuzzy Hash: 7aaa3681676905dbd5509a51608a966eae7e1736b983efdd79fc9a3c8b957dd3
Instruction Fuzzy Hash: B4110AF23001229B8F556BB8955417E37D7BFC555570A021AE502CB395DF28CC03E793

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352559834.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fdd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8612876a72c836eba7d8db9fad185ac33d0397c477029de6d8cfad2dd55650fd
Instruction ID: a747756751b646ffb810a197ffbdbec1925d832cd5937efe76fc7ee966285c56
Opcode Fuzzy Hash: 8612876a72c836eba7d8db9fad185ac33d0397c477029de6d8cfad2dd55650fd
Instruction Fuzzy Hash: B9212576504200DFCB14DF14D9C8B26BB66FBC4324F28C56ED90A0B35AC376D807DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352559834.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fdd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6435a074a8a3b5447c6eb20948403119d5985e25e859f57d1d81167f016d828f
Instruction ID: fa6698c5be1fcc4891d5642eb30617a01b5491cc3c922cf5809f47ba82dc2909
Opcode Fuzzy Hash: 6435a074a8a3b5447c6eb20948403119d5985e25e859f57d1d81167f016d828f
Instruction Fuzzy Hash: 71212676904304EFDB05DF14D9C0F26BBA6FB84324F28C56EE9094B392C776D846DA61

Uniqueness

Uniqueness Score: -1.00%

Function 07022268 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960bdfcc306e9dae6f2cca0b65b2b26080a02e68b1280860a5b2e1b7eb67ceb5
Instruction ID: 6dead320dabab6c8d3c90a3eff2da6351a0fa8832e92156936c3334b1d2c9f88
Opcode Fuzzy Hash: 960bdfcc306e9dae6f2cca0b65b2b26080a02e68b1280860a5b2e1b7eb67ceb5
Instruction Fuzzy Hash: A7314B31210601CFC794DB68C848BAA77E6FF85311F5586A9E15ECB361DF75AC8ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0734F9F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc44e2f93eb41c8deeb2761209eef871b649170b107926c81377ec40e840774
Instruction ID: 9e6b962354ec2afea42418e6d0ca545c8e7594ba9ea2a5ec71ff4388c3c00df7
Opcode Fuzzy Hash: efc44e2f93eb41c8deeb2761209eef871b649170b107926c81377ec40e840774
Instruction Fuzzy Hash: 6B110B727193849FE70ADB70CC5256D7BF4EF4210072804EAD885C3352EA34EE15C721

Uniqueness

Uniqueness Score: -1.00%

Function 0702F1B8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140b6a5db38ab11456bc8aeec024655798d73eface5cfe1a7adefe1a5d6bfb19
Instruction ID: 6a87da5502a8b8c42b81d5d3f3422d1be0331e45f9736f2ee50a269ca4c14b44
Opcode Fuzzy Hash: 140b6a5db38ab11456bc8aeec024655798d73eface5cfe1a7adefe1a5d6bfb19
Instruction Fuzzy Hash: C52149F6D142598BEB08CFEAD8543EDBBF6AF89300F14812AC418AB354DB745946DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0702FB28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9301a23c478f388cd41c229bad75ad6a016af16509087d7e866f5ae2d123e6
Instruction ID: aa091a50327fd2968f8baa91a4a319753ea670f551c7dfe3784f4c9a40b28623
Opcode Fuzzy Hash: 5d9301a23c478f388cd41c229bad75ad6a016af16509087d7e866f5ae2d123e6
Instruction Fuzzy Hash: DF213DB5E0821ACFCB41CFA4C1909AEBBF5EB4D340F509195D815A7311D330AE41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0734E770 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32076d3c7e275c75a16895cd0b655de676cd9755297251878a9b56f8555bb25a
Instruction ID: 07bd86244bd465661fcd09d2e67b2d30c45c5409b797ac94a5003c6a7984fb36
Opcode Fuzzy Hash: 32076d3c7e275c75a16895cd0b655de676cd9755297251878a9b56f8555bb25a
Instruction Fuzzy Hash: 9C21DFB0C01258DFEB24CF99C588B8EBFF5BB48714F24802AE418BB240C7B56845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0734C278 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789532156de61c6ef9f101048de006c10406e84066bb5b8a098f7f5062256c4a
Instruction ID: 21283db6a64b68ccc17f8beea0e72c489070115ca3b4ef55badb6e1c215769a8
Opcode Fuzzy Hash: 789532156de61c6ef9f101048de006c10406e84066bb5b8a098f7f5062256c4a
Instruction Fuzzy Hash: CA2190B4A00A08DFC708DF9AE085999BFF1FF88321F5281D5D8489B265E735E990CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352559834.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fdd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207d102d9a1388d0602f1b29ac36618e1e5b6dfa17a885ebab3ea25aacb4bbfb
Instruction ID: 5f111bd2710432a7ff1bd7e4e0d5a209429fa21139937fef9946a4c630962cbf
Opcode Fuzzy Hash: 207d102d9a1388d0602f1b29ac36618e1e5b6dfa17a885ebab3ea25aacb4bbfb
Instruction Fuzzy Hash: 882153755093C08FC712CF24D594715BF71EB46314F29C5EBD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07020700 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4c4cc63f250067c641af99550f713de4011a9cc6cfec60a47726b2e3a5328a
Instruction ID: bf28e763f9e27c8304cbe86c8ff5846ab64863ab4847c2bcb6a6efae1f323462
Opcode Fuzzy Hash: 0e4c4cc63f250067c641af99550f713de4011a9cc6cfec60a47726b2e3a5328a
Instruction Fuzzy Hash: A6117FB0B01600CFC715EF79D89095ABBF2BF89214B24856DD115CB7A1DB75EC06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 07022010 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f2428861d055c65b3dad98769eec55fcfa8ced6b4582fce799702b699a0b3d
Instruction ID: 55b133d3f9e4fbe7d84ad9bc199050a1d94e64d463771f6d52d949df1a5f7e26
Opcode Fuzzy Hash: a0f2428861d055c65b3dad98769eec55fcfa8ced6b4582fce799702b699a0b3d
Instruction Fuzzy Hash: 95119D72700615CFC724EF78D49081AB7F6FF8621171102AEE106DB272DA32EC82CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0702FB38 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb89789dc491f3d75a724ced8ad0daa896cb6a3acd9db24f58d3a9ea6309792d
Instruction ID: 1474dd04595d8d57d2ffdbd2ca1310581e3ad4a564adfbe57c4253ceb48fdfd3
Opcode Fuzzy Hash: bb89789dc491f3d75a724ced8ad0daa896cb6a3acd9db24f58d3a9ea6309792d
Instruction Fuzzy Hash: 9E211AB5D0421ACFCB40CFA9C190AAEBBF5EB4D340F609195D819A7311D730AE41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0734E0D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccfcd10991fc73df13afe24c208882ef12d00746f552f7910600cefb56aacea
Instruction ID: a66f775ba91ff842a5dbf3c010a5163ab0885379120e12ba4852b37f0b80b4b7
Opcode Fuzzy Hash: 6ccfcd10991fc73df13afe24c208882ef12d00746f552f7910600cefb56aacea
Instruction Fuzzy Hash: 30114F71F4024A8BDB18EBB9D8105EEB7F6BF8A211B1000AAC508E7244EB359D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0702FBE1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5689230e48e153e025781e0fe94e9ddcd7976e27475a4bf1baa3fed0d9c1bba
Instruction ID: 5d12eb66eb68962ab00f7e58d665bc05b9ad8593065f57e76241c41868111728
Opcode Fuzzy Hash: c5689230e48e153e025781e0fe94e9ddcd7976e27475a4bf1baa3fed0d9c1bba
Instruction Fuzzy Hash: 78116DB1D0821ADFCB44DFA8C6405EDBBF4EB49310F109A96D818D7312D330AA42AF80

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352500459.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fcd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 2d5b7af0d135e0e06653f4e7c683d63feb125e01a0802f56e02599e92bc19414
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 0311D676904280CFCB15CF10D6C4B1ABF71FB94328F28C5ADD8490B656C336D456DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352500459.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fcd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 9b7b8d417c70b05c53d235ab030f640580351593a8f999ff92d6bff9323a2b6d
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 4E110676804240DFCB05CF00D6C0B1ABF71FB94324F24C2ADD9090B256C33AD456DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0734E474 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9ca2ee15ee4aaeddf89b19bfa8d8cdcb598a60b38584a429121d25e3d8777d
Instruction ID: 0358b97b2337ab77c973176de7ac4e235f48ad7119af495a23322c917442aa57
Opcode Fuzzy Hash: 9f9ca2ee15ee4aaeddf89b19bfa8d8cdcb598a60b38584a429121d25e3d8777d
Instruction Fuzzy Hash: 022114B590034ADFDB10CF9AD884ADEBFF4FB49320F14841AE919A7200C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0702B873 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddd764018efce5b1a010567a01cc1f4ea303b8dce28f9e2e42d7b4808e9716f
Instruction ID: a4845c05b88462b7c0c4006bef70fe9d8494c57b1ad493f77a91f7b2ba85cdb7
Opcode Fuzzy Hash: 8ddd764018efce5b1a010567a01cc1f4ea303b8dce28f9e2e42d7b4808e9716f
Instruction Fuzzy Hash: 7E1149F4D09258DFCB00DFA8D9015BEBBF9FB49300F1082AAD419A3341EB340A01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0702F268 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eb4462ce90590ed40f5d42589edb1284f79be21269f20602173da17856b7c5
Instruction ID: e7fda577f4aa2a72b81ec2c5c5dc2fd7e012b231c7e694fa1264dbbbccf8cb2c
Opcode Fuzzy Hash: a8eb4462ce90590ed40f5d42589edb1284f79be21269f20602173da17856b7c5
Instruction Fuzzy Hash: 761121B9E19219CFCB04CFA5D540AEDB7F5BF4B340F609129E416A7355D734A906DB00

Uniqueness

Uniqueness Score: -1.00%

Function 0702F1C8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95f75a0af409de934c4f955ca41a1c1570975646f078ba6737bbac1cc555553
Instruction ID: 4c297d7b5d9bd1122166b91a578c8103871d24dbc2c0aa1fe4d684cafb1e2572
Opcode Fuzzy Hash: d95f75a0af409de934c4f955ca41a1c1570975646f078ba6737bbac1cc555553
Instruction Fuzzy Hash: 9C11E6B5D042598BDB08DFEAD8596EEFBFAAF89300F04C12AC419AB354DB7418068F51

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2352559834.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fdd000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: a4452a44c18778fae68e0e27ac1721670873eb73251f16180a705027f90f5cbd
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 6B118B75904284DFCB15CF10D9C4B15BBB2FB84324F28C6AAD8494B7A6C33AD84ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 07022001 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d1c2ec249a414e8a5d109a464696eae43c69bd96bcc63c169e41474f92310e
Instruction ID: f0185675fdf6885f2505ee0adf980d0e94df5e563ebdc6643ba78162ab8c6319
Opcode Fuzzy Hash: e5d1c2ec249a414e8a5d109a464696eae43c69bd96bcc63c169e41474f92310e
Instruction Fuzzy Hash: 4501F5B2204361CFC7149F78D490859BBF1FF9626171602AAE145CB272DA31DC42CB22

Uniqueness

Uniqueness Score: -1.00%

Function 0702FEE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc4c910d92a36a16de1849c10a182b4ce84af1901da0edeb10daac2b2e83795
Instruction ID: 7b5e8662f139302f8a5f190101d0a1067740897fc049efdb99a6f8a01833260b
Opcode Fuzzy Hash: 5bc4c910d92a36a16de1849c10a182b4ce84af1901da0edeb10daac2b2e83795
Instruction Fuzzy Hash: ED116DB6D09209DFCB44DF64E0809ACBBB5FF4A310F1082A9D82997792D734AE42DF40

Uniqueness

Uniqueness Score: -1.00%

Function 07022D01 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc2d42b459c881054f50b5328c1411cce85b4ee7b843d0d15fbf67c1b2275cc
Instruction ID: 2c3cca76604ff1534a455166e0e96bf2b6bfef4062c5a4cc76bb2936ebe3a684
Opcode Fuzzy Hash: 7fc2d42b459c881054f50b5328c1411cce85b4ee7b843d0d15fbf67c1b2275cc
Instruction Fuzzy Hash: 711180722093D28FC7039B78D9606993FB5EF9726071A05DBD1C0CF1A7DA289D06D752

Uniqueness

Uniqueness Score: -1.00%

Function 0702F2C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21262f333d2bc4fad5ed71ceeb5f023645f8aeda483352bbf165d14d392f7e55
Instruction ID: 449c0841abe79ec7f6eb234353ad003ea1541486bcf9b77cede79fb53b539da1
Opcode Fuzzy Hash: 21262f333d2bc4fad5ed71ceeb5f023645f8aeda483352bbf165d14d392f7e55
Instruction Fuzzy Hash: C91182B9E1522ADFCB04CFA5D480AEDBBF5BF4A380F609219E415A7215D730680ADF00

Uniqueness

Uniqueness Score: -1.00%

Function 0702B880 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4e2a7e5137747263d653a1902af996480401870f1a353f2512fd5b16debaf9
Instruction ID: 1e89a5757da123a5ac926eac2441dce8a4814cb70983ff90b785d15300e5b916
Opcode Fuzzy Hash: fb4e2a7e5137747263d653a1902af996480401870f1a353f2512fd5b16debaf9
Instruction Fuzzy Hash: EF1157F4D09219DFCB00EFA9D9446BEBBF9FB49300F1086A9C419A3340EB340A01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0702F2B3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4383528fbc32ad23191b068e8e56c8a7437de16e251f18f20da2de6a0cf45ad5
Instruction ID: 772c86b045928f87949f7a3599e32057e671732caeee79dee45a345cf2a9626e
Opcode Fuzzy Hash: 4383528fbc32ad23191b068e8e56c8a7437de16e251f18f20da2de6a0cf45ad5
Instruction Fuzzy Hash: 50116D75E002198FCF44DFE8D8849EDFBB2FB88310F20812AD919AB355C6316916DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0702FEF0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b1649ff80a36772316e884a3e71aeaa4dd176fc6760f5c5b8f6bc80805e8c5
Instruction ID: 1f6e3a7cfa62988f9d02a1e8fe456c882b4dbb6eb05dfdeeed33afb7e6a8c55f
Opcode Fuzzy Hash: 27b1649ff80a36772316e884a3e71aeaa4dd176fc6760f5c5b8f6bc80805e8c5
Instruction Fuzzy Hash: 29012CB5E09209DFCB48DFA4D040AADBBB9FF4A300F1092A9D81997341D734AA42EF40

Uniqueness

Uniqueness Score: -1.00%

Function 07029058 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec180807f04afc890d016e8885266383d9052e6a00b55afa56c2c6f5ba765194
Instruction ID: fde96f6bc11d301ebc59eafbf1cb80ca3893f42e166a2cb34535f022d0dfb87d
Opcode Fuzzy Hash: ec180807f04afc890d016e8885266383d9052e6a00b55afa56c2c6f5ba765194
Instruction Fuzzy Hash: E5F090337042189BD764DA9AA841FEAF7EAEBC0370F24846FE18CD7241DD31A8019754

Uniqueness

Uniqueness Score: -1.00%

Function 07028400 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b284b4268a007928ab5aa905daa30a988459e0b533ac20db641dce4c871ea90
Instruction ID: e77c5fb98a725a1e960618fb059f8e935de5c8269e540ad61c4e8dbdace40db0
Opcode Fuzzy Hash: 4b284b4268a007928ab5aa905daa30a988459e0b533ac20db641dce4c871ea90
Instruction Fuzzy Hash: D7F0FFB6204322CFDB28CA15C4407AAB7E8EF45214F40866CD50A8B690EAB5E883C790

Uniqueness

Uniqueness Score: -1.00%

Function 070283F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35ddae617cb2450f0c07336d252343e71b5815e5bdfdcf3c4f96f5af2384694
Instruction ID: 2a135fbeff6bfa8a534e077d9061f7fdaa0f7a22c00cfa41aacd303c7231dbf4
Opcode Fuzzy Hash: a35ddae617cb2450f0c07336d252343e71b5815e5bdfdcf3c4f96f5af2384694
Instruction Fuzzy Hash: A501F4B6209713CFD7658B20D4803A577F0EF05324F10866EC545875E1EBB8E883CB40

Uniqueness

Uniqueness Score: -1.00%

Function 070270B7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922e12a328040ef6f5212bdcac572450a8f1ea20d4cc77eda836aa361fad3662
Instruction ID: e63c22c0d0f2cdd0b8c27c81b9b7e4e4023c62c634667ec17d1b0d5466b01b75
Opcode Fuzzy Hash: 922e12a328040ef6f5212bdcac572450a8f1ea20d4cc77eda836aa361fad3662
Instruction Fuzzy Hash: A4F02B7360035ADFCF119E588C001DC3BB0EF05230B148622EEA4D6101D33CD966EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07346808 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f982f0f49be4eb4949dc6eefedddf2fa587fd498ce2e12886e6fcf914bcb307
Instruction ID: d514d8e65a01ddcfa2dec7c60b0eaf3da0096e724f115d65949b58980aaa2776
Opcode Fuzzy Hash: 0f982f0f49be4eb4949dc6eefedddf2fa587fd498ce2e12886e6fcf914bcb307
Instruction Fuzzy Hash: 22F04FF4D18208DFDB04DFA9D4426AEBBF9EB4A300F0091AAC41D93701D7356A41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07028A4F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f3e3b4a011b42879ef5a5072f56c55a92a9e09f323f7c86419b7bc18cee7cc
Instruction ID: 661a2f9fcab450aa488d667178394f790901dcfb7ba0c8c8bf38e7677d00e341
Opcode Fuzzy Hash: 70f3e3b4a011b42879ef5a5072f56c55a92a9e09f323f7c86419b7bc18cee7cc
Instruction Fuzzy Hash: 530128B4C1525ADFDB80CFA4D8445AEBBF5BB49310F1082AA9414E3290E7340A11CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0702E960 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a75377372378c265e3c74a07289cfd9b6631b3f99f437ab7d9065199bc885f
Instruction ID: 7f0f9654ffc0d49b7a20dc7e78d177fa4bd8ce85536e44fb579a42bf7428cbb5
Opcode Fuzzy Hash: 17a75377372378c265e3c74a07289cfd9b6631b3f99f437ab7d9065199bc885f
Instruction Fuzzy Hash: A9F044F194A129CBDB94DB54C8847EDB77ABB89304F1093A8D01DE7215DB30194ADB11

Uniqueness

Uniqueness Score: -1.00%

Function 0734AE20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6a97299dbee4b6106bb14195ffca95a09fc7819033f003a6f2b0674e4cd9a3
Instruction ID: 177bcb437276a92a29b1da47e640669befce491d8659c326e8d9e2afade7b9e0
Opcode Fuzzy Hash: ad6a97299dbee4b6106bb14195ffca95a09fc7819033f003a6f2b0674e4cd9a3
Instruction Fuzzy Hash: CF01C8B4D002599FCB44DFA8D4856AEBBF4BB08311F1186A9D958E3340D734AA81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07022D28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55c64d0263fe0c4bfacee9e413efbe2cb4401d65c6b4650abb80473af01c2ce
Instruction ID: 0278591c61cf5254acfb6d1056dbbe3b8fda6c9c6611ea8975c428e1998568fe
Opcode Fuzzy Hash: a55c64d0263fe0c4bfacee9e413efbe2cb4401d65c6b4650abb80473af01c2ce
Instruction Fuzzy Hash: CEF0E2337101268FC61496BCD440B6E77EAFFC5651F460169D205CB324DEB49C02A792

Uniqueness

Uniqueness Score: -1.00%

Function 0734A2F8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1cf475140393d3d5159afcafcacba994d0cc3e5b8ecff0543cb099a347a009
Instruction ID: 8202727280d0e92a9ebb2edc9b2a016a312184e00c9067519137dbff1441e63b
Opcode Fuzzy Hash: 8a1cf475140393d3d5159afcafcacba994d0cc3e5b8ecff0543cb099a347a009
Instruction Fuzzy Hash: 0501B274A00208EFDB04DFA9C589A9DBFF1EF48310F05C1A9E908AB365DA34EA40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0702F238 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0b8c332e22700c16968333ce2e9c01f7495d7fe4a8e0609078b8e333c87428
Instruction ID: 18ef8b24dd5c625092116c26258de12682fff41acc5c44e1063ded29b862c0be
Opcode Fuzzy Hash: 8f0b8c332e22700c16968333ce2e9c01f7495d7fe4a8e0609078b8e333c87428
Instruction Fuzzy Hash: 43F017B9D186198BCB08DFE9D4554ECBBBAFF9A340B409119D91AAB305CB302807CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0702BB20 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0884775b738bb89746495381c8ed1b874c33b26ec343969d002b5527251464f9
Instruction ID: 4150021fad2ec1eb6382cf5962b1ed4ec805d0cf606b60aff80a3e4ba0a2746d
Opcode Fuzzy Hash: 0884775b738bb89746495381c8ed1b874c33b26ec343969d002b5527251464f9
Instruction Fuzzy Hash: CBF03AB0D09249DFCB81CFA4C44169CBBF0EB49214F1082EAC859D3351E2798E02DF41

Uniqueness

Uniqueness Score: -1.00%

Function 07028A60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356d186ebbd2cd4fb32e9ef65a00a6a7a5dbd29c7afd4daf96f244952b2361e6
Instruction ID: 4b5e8af8404d1374e69863d22e647596e78929c7f352b4405f1e37d2bcf47025
Opcode Fuzzy Hash: 356d186ebbd2cd4fb32e9ef65a00a6a7a5dbd29c7afd4daf96f244952b2361e6
Instruction Fuzzy Hash: C7F017B4D04209DFDB44DFA9D9046AEBBF5FB48300F1082AA9818E3340EB345A01DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0702C93F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e84ca289dcbcb63c5d58718031bec787e126fce975b78a0b0b4e50f82b2f36
Instruction ID: 60fe677a9d6fc3fe901f9296454755f4cacebd35582234c59756faa385bdbf07
Opcode Fuzzy Hash: 42e84ca289dcbcb63c5d58718031bec787e126fce975b78a0b0b4e50f82b2f36
Instruction Fuzzy Hash: 03F03AB5D19248DFC740DFA8C88169DBBF0AF4A200F2481EAC868D3341D2359A16DF51

Uniqueness

Uniqueness Score: -1.00%

Function 070270C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478e0bad9768733ffeeb5c5ee8c787f7aef79e48cad3cb7f6d9a9a54862d517e
Instruction ID: 43c1db27281adb2c11c98715e120bf1d826d19db69072e245a1a3da5d47c82f3
Opcode Fuzzy Hash: 478e0bad9768733ffeeb5c5ee8c787f7aef79e48cad3cb7f6d9a9a54862d517e
Instruction Fuzzy Hash: B3F0E57360022DEB4F10DE5C8C015DD37A4EF09234F008622FFA4D2200D335E961AB92

Uniqueness

Uniqueness Score: -1.00%

Function 0702B830 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c04b3c1e046698bed4af90c95feb51c8714a05939707d2fc91ac7f50362457
Instruction ID: eecde5801709a3d3dd49f3aba18ba8c0f363583f1b869933c9c9945480ebe871
Opcode Fuzzy Hash: e7c04b3c1e046698bed4af90c95feb51c8714a05939707d2fc91ac7f50362457
Instruction Fuzzy Hash: 94F0E5B0809345EFC701CBB0D450568BFF4EF46310F1281EEC84843242E7365E56DB41

Uniqueness

Uniqueness Score: -1.00%

Function 07025AA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc31170b18f1fc34bc3fff1b590d34a7a68b22f1e45fa1f4d3e069870dd209db
Instruction ID: 8015a7210b0e78ff87250e0eb416311bd249c7941fccb92e861e71457a04d89a
Opcode Fuzzy Hash: fc31170b18f1fc34bc3fff1b590d34a7a68b22f1e45fa1f4d3e069870dd209db
Instruction Fuzzy Hash: 44E086723940109B9208665EA88487EB7CAEBCA674751857AF20DD7351CE619C065395

Uniqueness

Uniqueness Score: -1.00%

Function 0702BAD8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4381c7247832bc2ba4da52a553dd881110f17a8e49a1c7a6ec2eecfd2df1fa6
Instruction ID: a70442ec8fba756617de57f8f11ff4b05cc7a76e88a2663400efe33cf985cf45
Opcode Fuzzy Hash: e4381c7247832bc2ba4da52a553dd881110f17a8e49a1c7a6ec2eecfd2df1fa6
Instruction Fuzzy Hash: 9EE06DF240A249DFD742DFB084105AA7BF9DB06220F2147E2C040C3151EA7A0E19EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0702F9D4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73b6cf8d077286e07229fc0e3403454b35ceafa589d9907b45aafba27fa616d
Instruction ID: 9850b7724bae20f002d64af09c462242c1866ffb91bd502c05d7911639b323fc
Opcode Fuzzy Hash: d73b6cf8d077286e07229fc0e3403454b35ceafa589d9907b45aafba27fa616d
Instruction Fuzzy Hash: 16F05E3450921ADFD750CB6498498AD3B79EF4A331F1063A08C2A521D7C73819429A10

Uniqueness

Uniqueness Score: -1.00%

Function 07028468 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abf531bf51e29ff977782cc651ba9ca0a235144d11cefbc9c1bea191489881d
Instruction ID: 20bcc818b8b985c03ee76bc6e2ef21edf433df72fe84811f394721f74002473e
Opcode Fuzzy Hash: 8abf531bf51e29ff977782cc651ba9ca0a235144d11cefbc9c1bea191489881d
Instruction Fuzzy Hash: 75E0D8713843429FC3051768E81189D77E6EFC66B471681BAE144C7662CF294C16C751

Uniqueness

Uniqueness Score: -1.00%

Function 0702A398 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966cfd599ff517b598fda72b17868a3a1fdb8aab1a79307cf7533977f2859118
Instruction ID: bfab9afae53c1120095c0e19663ea52c0f33c95a52713744430dfcdf44510ced
Opcode Fuzzy Hash: 966cfd599ff517b598fda72b17868a3a1fdb8aab1a79307cf7533977f2859118
Instruction Fuzzy Hash: A8E022F2A09248EFC301DBA0880065E7BE9AB4A200F1186E2940483181FE794E10AB92

Uniqueness

Uniqueness Score: -1.00%

Function 0702EF6B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe93fb9d66d65b28110e71f0cb3d7159ce1267e4a5173c80c050aebc85fa381
Instruction ID: 960d61637e2bd71e9b6540b004742ed845d7643f7a1ee397a11305a8ff6f5b42
Opcode Fuzzy Hash: 2fe93fb9d66d65b28110e71f0cb3d7159ce1267e4a5173c80c050aebc85fa381
Instruction Fuzzy Hash: 72E06DF5A8613BDBDB94CB44CCD4AACB77AAB45208F105368D01AD7221DE30598B9B02

Uniqueness

Uniqueness Score: -1.00%

Function 07346688 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffc367c535dc6d550aac73d7070b0452946d769274df7f0ab3895e153e132a3
Instruction ID: fa8c899e6a333714e86f90f6bab5ab03a3edf52240bfce09a8610d56f74a8e52
Opcode Fuzzy Hash: fffc367c535dc6d550aac73d7070b0452946d769274df7f0ab3895e153e132a3
Instruction Fuzzy Hash: B6F0C9B5A04208FFDB04DF94D841AADBBB9EB49310F14C1A9EC1857350D636AA61DF80

Uniqueness

Uniqueness Score: -1.00%

Function 07022F01 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cd6c7d4d326d2c7ea70b987f494eb0c2d7a1fd0d81d4f211bedbfd1cbe604b
Instruction ID: 81a5fe085264d5115da18c8c33069b6d094a87d10ea367f7104e44792531b9c8
Opcode Fuzzy Hash: d3cd6c7d4d326d2c7ea70b987f494eb0c2d7a1fd0d81d4f211bedbfd1cbe604b
Instruction Fuzzy Hash: 00E0867114A2918FC746CA68D8544923F61AF0623432907DBEC648F2B3C226DA53CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0702EEF4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc1fb94f155c8d424bc80c913f5dfc8536366edffd5d64d88a3c3c88a1677b9
Instruction ID: 9a0623fa33bfcf11eb07140355a64bba856c8582df55cfac41819019215603d8
Opcode Fuzzy Hash: bfc1fb94f155c8d424bc80c913f5dfc8536366edffd5d64d88a3c3c88a1677b9
Instruction Fuzzy Hash: ADE092F1947226CBDB94CB44C8C4AAC737AEB45204F1057A8D00AE3222DA701E8A9B01

Uniqueness

Uniqueness Score: -1.00%

Function 0702BB30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783f6c4dffc9722f85e77b5939158871eb7a47684f332f50edde848f40cd566e
Instruction ID: 90ddcc4acab974b4ae87fa6c69b571ce2adb5beb156ee8377e5cafe8736f1a70
Opcode Fuzzy Hash: 783f6c4dffc9722f85e77b5939158871eb7a47684f332f50edde848f40cd566e
Instruction Fuzzy Hash: C6E0E5B4E05208EFCB84DFA8D4456ACFBF4EB48300F10C2E9882893341E6769A42DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0702A3A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e7218201ec96b954a13e4087eb15ccff167fbf739b73105384e18323fdb879
Instruction ID: 62a7cf60888c98deaff3b9362f984da9c2a0f7681649a013a223abfbe5bbc891
Opcode Fuzzy Hash: d4e7218201ec96b954a13e4087eb15ccff167fbf739b73105384e18323fdb879
Instruction Fuzzy Hash: 4DE08CF2609218EBC700DFA0C40569EBBEDEB0A211F019AB6950593150EE754E10AB91

Uniqueness

Uniqueness Score: -1.00%

Function 0702BAE8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774bb47a54d30d04b576bc613d9e4cc3977c4592e15e47d07fd9008ae915afd3
Instruction ID: 801c7b4747aaf50850931801a272af2a3b4ccfcb896c58d55c87925f29969541
Opcode Fuzzy Hash: 774bb47a54d30d04b576bc613d9e4cc3977c4592e15e47d07fd9008ae915afd3
Instruction Fuzzy Hash: FEE08CF2806108EBC741EFA48400AAE7BECDB0A200F0146A5840483150EAB24A14AB81

Uniqueness

Uniqueness Score: -1.00%

Function 07029F10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c996ff8ef3ea4e75ed4d83f27d53bc3c120bcfe6db80755243f9fc7c4d48e3c2
Instruction ID: 248544ac6d2ad4776f819f4f6cd6d29e0bad915123e5aa516e433928690fba77
Opcode Fuzzy Hash: c996ff8ef3ea4e75ed4d83f27d53bc3c120bcfe6db80755243f9fc7c4d48e3c2
Instruction Fuzzy Hash: F6D012B6B00114CFDB10DF54E805AEDB7B5DB4D362F01C1A7D50A97244CB3956128FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0702E7C2 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2466811779971379f91f0f750d28623f11491550e2c78068868c49155aaaf0a
Instruction ID: 8f9a772b46ed1a77443188281f6e446c631c053f469ff75952124422b1a87984
Opcode Fuzzy Hash: a2466811779971379f91f0f750d28623f11491550e2c78068868c49155aaaf0a
Instruction Fuzzy Hash: 82D0A7B6006282CFD3169B60F84E3987FB4AF06315F2E0283D019C3152C37C9855DF22

Uniqueness

Uniqueness Score: -1.00%

Function 07346ED8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07825f2b69445247848993cdd03814120950c4c494a4b9367ac509549bffc6c2
Instruction ID: 3322726f2f58bc6079f5bb876563442f5e89bfcd74a12fe3ca16fe8e0b667ee3
Opcode Fuzzy Hash: 07825f2b69445247848993cdd03814120950c4c494a4b9367ac509549bffc6c2
Instruction Fuzzy Hash: 9DC012B15002489BD300DFF5D40A71976E8D706221F410294940883140DABA9580C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 07029F74 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76ee43705975bcc8489c0e51559780f1a86834d5a86634b781b2b96c38e5ee6
Instruction ID: d94387568ba84ce8ce61588a77e152a1b647bca20134a150b115831106faa7e5
Opcode Fuzzy Hash: f76ee43705975bcc8489c0e51559780f1a86834d5a86634b781b2b96c38e5ee6
Instruction Fuzzy Hash: 34E017B4E0422A8FCB20DF28D841BADB7B2FB48300F0042A9D419A3746E7356E42DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0702A105 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5b3f08ce0cac0d922c5ca972cf0fc7b4d4a8c39fe824ea2b6a776f80916468
Instruction ID: c843aa0f81626b0ff4f2c981105861320ed2559bc492b4a111483dab5ebff608
Opcode Fuzzy Hash: db5b3f08ce0cac0d922c5ca972cf0fc7b4d4a8c39fe824ea2b6a776f80916468
Instruction Fuzzy Hash: 5CE0E278905229CBEB50CF60CD48B9CB7B0FB08300F0092A5C80EA7381DA386984CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07029E33 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576df311218d291ce4115b0b754d53982c433480e72e7507a279bd7437164b2c
Instruction ID: 62b73fc783822c617f192bee64bd4fce67109ae638e1c6821b89e8507ef6ed95
Opcode Fuzzy Hash: 576df311218d291ce4115b0b754d53982c433480e72e7507a279bd7437164b2c
Instruction Fuzzy Hash: F0D09E74914198CBCF40DF90D4955AC7BF5BB09311F109555940FA6245CA392985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0702E7D0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c1d6417919ac2cbefff8799baf96276dfa6a676d89792814027f14c5e5d9ef
Instruction ID: eaa55d39ceb33a4fd9f8e17c5bb73c12e33cb5ed3d883de9d3907c89f0a24505
Opcode Fuzzy Hash: 68c1d6417919ac2cbefff8799baf96276dfa6a676d89792814027f14c5e5d9ef
Instruction Fuzzy Hash: 63C08CB104220687E31867A5F40E3287BEC5704316F044250E40C410524BB86840DEA9

Uniqueness

Uniqueness Score: -1.00%

Function 0734E41C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc58bcaae12b330dae81fa115dce304f97b250ee61b4fa99d0d9ebd661f054c
Instruction ID: a7df037501c35222c4ed8b4d4305804357956dcb465c788b5943b416689fa6a1
Opcode Fuzzy Hash: cbc58bcaae12b330dae81fa115dce304f97b250ee61b4fa99d0d9ebd661f054c
Instruction Fuzzy Hash: 92B012E61E4201F6B50C6E74888082FBAD1FBB6B00F44AC05730C01450CCB49424D62F

Uniqueness

Uniqueness Score: -1.00%

Function 07027F60 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a395fa17e5ccc614d9133f09f2df3dfc1f53e91879dbc6656f804608b570d0fb
Instruction ID: 3b7de6b061446d60b7f8c9282ec3a45da301db3083e440000166a89c328ecda9
Opcode Fuzzy Hash: a395fa17e5ccc614d9133f09f2df3dfc1f53e91879dbc6656f804608b570d0fb
Instruction Fuzzy Hash: D1B09230190209CFC2009B58E448E6137E8AB08A04F0100F0E1088B632D621F8008A91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0702C388 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

]\`, xrefs: 0702C60A
[V~*, xrefs: 0702C4F4
T+-q, xrefs: 0702C6C2
[V~*, xrefs: 0702C4ED

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: 315946c1946b9ab78b3cd2366b4af6f53fd9fc4a4daaf71f38b265e99302c202
Instruction ID: 0b35722ebe2d0ec9dd39e037426d360766eba9860efba7c98ff9acdeef394157
Opcode Fuzzy Hash: 315946c1946b9ab78b3cd2366b4af6f53fd9fc4a4daaf71f38b265e99302c202
Instruction Fuzzy Hash: A0B12BB1E152699BDB04CFA9D9809AFFBF2BF89300F64D61AD415BB214D37099028F64

Uniqueness

Uniqueness Score: -1.00%

Function 0702C378 Relevance: 4.0, Strings: 3, Instructions: 260COMMON

Download Yara Rule

Strings

]\`, xrefs: 0702C60A
[V~*, xrefs: 0702C4F4
T+-q, xrefs: 0702C6C2

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: b42d079fca1a17201172ca8859e0fa02d145784f9487d3c09b689327eca90e73
Instruction ID: 9d06e5775da0249fb205a58a803eae963d22565a4b0720f89be6f11acac3d42c
Opcode Fuzzy Hash: b42d079fca1a17201172ca8859e0fa02d145784f9487d3c09b689327eca90e73
Instruction Fuzzy Hash: A4B13CB1E152699FDB04CFA9D9808AFFBF2BF89300F64D666D415BB214D37099028F64

Uniqueness

Uniqueness Score: -1.00%

Function 073E7728 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70576600a807a14f3261c52c5ff945d5eab2a29292da83c63c9d6ae4777bd1c
Instruction ID: 2150763284c2758d86548fa9f52d109f4adfdbca81df8131d324a40ecc934aa7
Opcode Fuzzy Hash: f70576600a807a14f3261c52c5ff945d5eab2a29292da83c63c9d6ae4777bd1c
Instruction Fuzzy Hash: 0A32F9B4B00115CFEB14DF69C594AADB7F6BF89710F2580A9E509AB3A1CB31ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07027271 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d69b1830d89a874b88bbcdcbef7ab9cefb5ce3f84d8afd7af3e6c2505b0fd7
Instruction ID: 2a696e2eaca3c1ba424af5c22513504c029dc75a42045732897b351d1d9bb679
Opcode Fuzzy Hash: 46d69b1830d89a874b88bbcdcbef7ab9cefb5ce3f84d8afd7af3e6c2505b0fd7
Instruction Fuzzy Hash: 8712C875D0071ACFCB15DF68C880AD9F7B1BF49310F1586AAD958AB211EB70AAC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07027280 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763ad81f95ff7ce57cceb5c495f43ea90e65cafa53065d06aa675413cae050de
Instruction ID: cb4c082c55eeeb9a0fb09a42bd13d93e0a334bcfc7d19d35ab48883db5cbe43e
Opcode Fuzzy Hash: 763ad81f95ff7ce57cceb5c495f43ea90e65cafa53065d06aa675413cae050de
Instruction Fuzzy Hash: 9F12B875D0061ACFCB15DF68C880AD9F7B1BF49310F1586AAD958AB211EB70AAC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 073EB6F0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 073EBB47

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 58755a74492422951f1187b7c9fa901a50366b77a3e3aa6654778750ac158fbc
Instruction ID: eac4fbd3a6cd695ae29d5e6df696d652f42281f94b2b29ddfa434ff1fd788a8c
Opcode Fuzzy Hash: 58755a74492422951f1187b7c9fa901a50366b77a3e3aa6654778750ac158fbc
Instruction Fuzzy Hash: 05C16AF17006268FEB2ADB75C450BEEB7EAAF89700F14446DD18A9B2D0CB35E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 073E3560 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d09db7983e1a94a89e9c2cd78498665a3f4ee5c295bcb1a2924020eba0f63d
Instruction ID: e23ac1d8a9fa522d43b4c490826751946b3c71de8a028504678204d950a98d8d
Opcode Fuzzy Hash: 62d09db7983e1a94a89e9c2cd78498665a3f4ee5c295bcb1a2924020eba0f63d
Instruction Fuzzy Hash: 2DE120B4E002698FDB14DF99C590AAEFBF6FF89304F248269D418A7355D731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 073E4C08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36d961d0be0edfb893cb0a5c97e9de860caa2d19da0f4d5696b6ea347c07ffe
Instruction ID: 76ef7c837704f1aad00435db86b9b7c4bc422ea3c54801a641a83d9477cdb4cb
Opcode Fuzzy Hash: c36d961d0be0edfb893cb0a5c97e9de860caa2d19da0f4d5696b6ea347c07ffe
Instruction Fuzzy Hash: AFE11BB4E002698FDB14DFA8C590AAEFBF6FF89304F248259D418A7355D731A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 073E2CF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bacfa8d3f70f90db1fee128a9a453dafaa23fd7e51bcc72e48724694e3ad1ed
Instruction ID: c68e55a15e02aebec2bb0672ed2d0505426406dfa1da85977e32e2c9051b3bf0
Opcode Fuzzy Hash: 0bacfa8d3f70f90db1fee128a9a453dafaa23fd7e51bcc72e48724694e3ad1ed
Instruction Fuzzy Hash: ABE12AB4E006698FDB14DF99C590AAEFBB6FF89300F248269D418A7355C731AD42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 073E3128 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ed7928540eba6ee8185492cc8ea176a87a4959fa9fce29bc8dcf27ba3903dd
Instruction ID: 63a874ed8d2fcfffda79c938b74a33ab278b4788ff2e03df68d85ea9c41333f5
Opcode Fuzzy Hash: 58ed7928540eba6ee8185492cc8ea176a87a4959fa9fce29bc8dcf27ba3903dd
Instruction Fuzzy Hash: 28E11DB4E002698FDB14DFA9C590AAEFBF6FF89304F248259D418A7355D731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 073E5040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5168eb32d7eaf32a47ed4aed6e9cd216231d01007b7e20154a17979376b23ccf
Instruction ID: f67e1e551ab33b33d9d77ca25102d8faf1f49116018ad6bd830553a50ab1d9e7
Opcode Fuzzy Hash: 5168eb32d7eaf32a47ed4aed6e9cd216231d01007b7e20154a17979376b23ccf
Instruction Fuzzy Hash: E2E12DB4E002698FDB14DF99C990AAEFBF6FF89304F248259D418A7355D731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 078FE6F0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368283913.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_78f0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7edafde29ba1c3010f918c9a4b61784eeca75b0493b1aed29fe3a50f34f7f9bf
Instruction ID: 8d7d0fe050209ade75b90990cec245ac519e8bf8a9050107a82fda3d8e2debf9
Opcode Fuzzy Hash: 7edafde29ba1c3010f918c9a4b61784eeca75b0493b1aed29fe3a50f34f7f9bf
Instruction Fuzzy Hash: C4A18570B002569FDB58BBB8881477F76A7AFC4740F14853D9106EB399CE389C4397A6

Uniqueness

Uniqueness Score: -1.00%

Function 0734F148 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44231d13fc6f3570a2818464e7a82de58cd6fa695cdd9d42d6b31df04d1af77
Instruction ID: 24503d06f83c267f99b08b5e927b80b2e4e707fb97c41686c979952a94307391
Opcode Fuzzy Hash: d44231d13fc6f3570a2818464e7a82de58cd6fa695cdd9d42d6b31df04d1af77
Instruction Fuzzy Hash: 7DD1F431D20B5BCADB10EB64D990A9DB7B1FF95300F10C79AE50977261EBB06AC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0734AA60 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e557b37801a26745c0fabafb15eb40472533179a48fbc242a52f91fce067b3
Instruction ID: 86b7a5d2b0981843324973628656ffb64d0e8fb62179af48e089b9fb0ffc5c74
Opcode Fuzzy Hash: 85e557b37801a26745c0fabafb15eb40472533179a48fbc242a52f91fce067b3
Instruction Fuzzy Hash: 4381E2B4E50219CFCB48CF99C58499EFBF6FF89210F14955AD419AB360D334AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0702A3E0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec8cd7e483d63167c384b609e2ad3b5283db343a7c9c6fb03d6a1d72568322d
Instruction ID: 533ebd1992ea096ffdd564644da192053af1d03bdc924bce779ac49e18d56de7
Opcode Fuzzy Hash: 8ec8cd7e483d63167c384b609e2ad3b5283db343a7c9c6fb03d6a1d72568322d
Instruction Fuzzy Hash: 99610E71900246CFDB48EF6AE98169ABFF3FBC4344F14C529D004AB259DBBA5916CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0734BED0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9104e05727860647cf706bb0965d2432fa7fdb5c995d79a51a32d61d0560de18
Instruction ID: 1a7b11584f01a7c2c069430da88b7f6c1cd99df59ee56378b0e227a9867d90c4
Opcode Fuzzy Hash: 9104e05727860647cf706bb0965d2432fa7fdb5c995d79a51a32d61d0560de18
Instruction Fuzzy Hash: F36137F4A26A09DBEB08CFD1E086059BFF9FB89310F219595C08D93155DB7CA660CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0702A3F0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2703c65e9956eaf75b4b632072aec137b901cb7e276bf8c57a45206e342d97
Instruction ID: c30d4913dce63e78061449f72d2fd883aca7d655f95619e17001d86f0421c87c
Opcode Fuzzy Hash: ca2703c65e9956eaf75b4b632072aec137b901cb7e276bf8c57a45206e342d97
Instruction Fuzzy Hash: C461FF71D00245CFDB48EF6AE981A9E7FF3FBC4304F14C529D004AB259DBBA59068B90

Uniqueness

Uniqueness Score: -1.00%

Function 0734D8A8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f94e023b720cf4d2fc3e613824d53380155f97ba86cf143837fabea1e2d01b6
Instruction ID: 9d04795596704255a856ef28a416d971ed71ec116dc5c28e656cd7a7699eeb31
Opcode Fuzzy Hash: 2f94e023b720cf4d2fc3e613824d53380155f97ba86cf143837fabea1e2d01b6
Instruction Fuzzy Hash: C1513AB1E2520ADBDB08CFAAD4855AEFBF2AF89210F10902AD515B7354D7385A418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 073E4BF8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2368117805.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_73e0000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e87ec7a160cf006974dd02295cb238236a9ea7624ac08cb2d96bd253d9004d5
Instruction ID: 2ca1bc3b607a86a7a32bd779e9d0d9430a67690857394aadcb2d88c9a778ec51
Opcode Fuzzy Hash: 0e87ec7a160cf006974dd02295cb238236a9ea7624ac08cb2d96bd253d9004d5
Instruction Fuzzy Hash: B5513EB4E002698FDB14CFA9C9905AEFBF6FF89300F248269D458A7356D7319942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07340006 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c32e9364ea688daa5f16bcc55018fd3b74cc29e785d11bb1970a6897edc906f
Instruction ID: d6c836898cc4a3bfd89fdbb30d59d5d462a5b451c15aecbf2e3900ae4d69ba19
Opcode Fuzzy Hash: 2c32e9364ea688daa5f16bcc55018fd3b74cc29e785d11bb1970a6897edc906f
Instruction Fuzzy Hash: 8C417FB1D057588FEB5DCF6B8C4028AFBF3AFC5210F19C1BAC458AA225EB3509568F11

Uniqueness

Uniqueness Score: -1.00%

Function 07340040 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bd2b645b7f9bc36ddcf856db6b773b3b7ecd2fccbcb1347fa7660badbe6c9f
Instruction ID: 07ab6446476376f6afce95c03d69791529e2328d97cfc19070cc401f1508fcbc
Opcode Fuzzy Hash: f3bd2b645b7f9bc36ddcf856db6b773b3b7ecd2fccbcb1347fa7660badbe6c9f
Instruction Fuzzy Hash: 334171B1E016588BEB1CCF6B8C4079EFAF7AFC8301F18C1BA841CAA254EB3415858F50

Uniqueness

Uniqueness Score: -1.00%

Function 0734BC88 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2361186141.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7340000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f369a8bd0165b2ec8efed1eabcef683dc951ac2646fe8281662caee1b6613897
Instruction ID: 5831fb6cff66d7661bb30e99d692c211f0fb71db9d03b34aa2695c1308cbbfbf
Opcode Fuzzy Hash: f369a8bd0165b2ec8efed1eabcef683dc951ac2646fe8281662caee1b6613897
Instruction Fuzzy Hash: 9C41C6F1D1420ADBEB08CFAAC4815AEFBF6FF89300F24D56AC419A7214D774AA518F54

Uniqueness

Uniqueness Score: -1.00%

Function 07025570 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

@, xrefs: 07025591
B, xrefs: 07025643
@, xrefs: 0702563E
B, xrefs: 07025596

Memory Dump Source

Source File: 00000001.00000002.2359248809.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7020000_DHL - OVERDUE ACCOUNT NOTICE - 1301669350.jbxd

Similarity

API ID:
String ID: @$@$B$B
API String ID: 0-685577651
Opcode ID: a6cbecb084335e7d7c4b3a2ef3e6aebd3d81cc147d3b09602cf3a212d75246fd
Instruction ID: 2792ad300d5dee99d4dcfe0ef81bf79f6123e53e18c5eee4f79ca8e26ec8d1c9
Opcode Fuzzy Hash: a6cbecb084335e7d7c4b3a2ef3e6aebd3d81cc147d3b09602cf3a212d75246fd
Instruction Fuzzy Hash: 7A51BFB67002168FC754DF68D88456EBBF2FF8922071482AAE419CB761DB30E812DB95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 5560, Parent PID: 6532COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	152
Total number of Limit Nodes:	15

Executed Functions

Function 065229B6 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06522A36
GetCurrentThread.KERNEL32 ref: 06522A73
GetCurrentProcess.KERNEL32 ref: 06522AB0
GetCurrentThreadId.KERNEL32 ref: 06522B09

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 02e497e9bd3c66f3b6fbca466fed79b8af3685a5418cff6c702eac07a4773740
Instruction ID: 0f69bcc8a2bf509108bac67db2bc249c2a66788d6d21575c14c8efd8de4c06db
Opcode Fuzzy Hash: 02e497e9bd3c66f3b6fbca466fed79b8af3685a5418cff6c702eac07a4773740
Instruction Fuzzy Hash: 6F5155B090034A8FEB54CFA9D948BEEBBF1FF88314F248059E119A7290DB749944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 065229B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06522A36
GetCurrentThread.KERNEL32 ref: 06522A73
GetCurrentProcess.KERNEL32 ref: 06522AB0
GetCurrentThreadId.KERNEL32 ref: 06522B09

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3b35a02b43e38e2e258e221f2c14800b475a99a2296d5a8f6bc1884d2d849b71
Instruction ID: 0ba5ddac01a187189e85e8182d7226793be0f6c7b98f9b5b62e6fce64b9dba64
Opcode Fuzzy Hash: 3b35a02b43e38e2e258e221f2c14800b475a99a2296d5a8f6bc1884d2d849b71
Instruction Fuzzy Hash: BB5155B090034A8FEB54CFA9D948BAEBBF1FF88314F248059E119A7290DB749944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0652AEB8 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0652B11E

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5bf75b018aca98f4da5abe391c5794f7662bf9fc62cb0395f09f4e495ca4c81d
Instruction ID: 220faa36721077d0f4bd6eb57e2544d551b171e4d12a7bbffa2ca07446f76861
Opcode Fuzzy Hash: 5bf75b018aca98f4da5abe391c5794f7662bf9fc62cb0395f09f4e495ca4c81d
Instruction Fuzzy Hash: 2B8123B0A00B168FD7A4DF69D44479ABBF1FF89204F008A2DE496D7A80DB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0652D065 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0652D1C2

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 405cba95b34af183380284f14ead96a455cfe469b07b012613e7a05468caa93e
Instruction ID: fc2c027ae24d2641cd4f21f3ceca6dbc5c8a1b8e5d20e7875bc4e81c6f24d3ed
Opcode Fuzzy Hash: 405cba95b34af183380284f14ead96a455cfe469b07b012613e7a05468caa93e
Instruction Fuzzy Hash: 5E51F3B1C00259EFDF15CF99C884ADEBFB5BF49310F14816AE918AB260D7719855CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0653E640 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2421323475.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6530000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb12571f44bba02b7d1aaff92e5089bca52e65348185cd7b0bc2308b0398a123
Instruction ID: b96c265f7bb90a2355fe91a27a9a937182d44ab25689e0bf2635d3f34ff83da5
Opcode Fuzzy Hash: cb12571f44bba02b7d1aaff92e5089bca52e65348185cd7b0bc2308b0398a123
Instruction Fuzzy Hash: 89413772D083A68FCB14CF69D8442AEBBF5BFC9610F14856BD504E7241EB74A841CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0652D0A4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0652D1C2

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e086aa6ffd6c4cbcb3744225259bd9daa7b800303eae6af303037639a1f789bf
Instruction ID: a0d0c7f22651bbd005ca87a9f306b0dd192c49cf50e5529dc8f9796b60b35840
Opcode Fuzzy Hash: e086aa6ffd6c4cbcb3744225259bd9daa7b800303eae6af303037639a1f789bf
Instruction Fuzzy Hash: 2D51CFB1D003599FDB14CF99D884ADEBFB5BF49310F24822AE819AB250D775A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0652D0B0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0652D1C2

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b66c46b84f574a690c35befda199c7df6b0f20c1656456865ce66192e66fa98c
Instruction ID: 99435770012e16365e99e8fb752a63a3e0c7349e942a212fe3968fc15e5f6e2c
Opcode Fuzzy Hash: b66c46b84f574a690c35befda199c7df6b0f20c1656456865ce66192e66fa98c
Instruction Fuzzy Hash: 0241C0B1D003599FDB14CF99D884ADEBBB5BF49310F24822AE819AB250D771A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0652A32C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0652F8B1

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e83b44142530b4e293a631f7bbc65b0b6bd91a06f2bb9576d80e2875e59da9bd
Instruction ID: 2b6d5b8ed4d1b67a335b8ea884bd11650e02dd2c9af7c1d8ea08c66a552eec43
Opcode Fuzzy Hash: e83b44142530b4e293a631f7bbc65b0b6bd91a06f2bb9576d80e2875e59da9bd
Instruction Fuzzy Hash: F8416AB490031ADFDB44CF9AC448AAAFBF5FF89314F248458D519AB361C774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06522BF8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06522C87

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87be99a159c43231e94be8b4dbe00db9e3a79fcc9bf9da3d7db5c5fa84a47103
Instruction ID: d572077c94863c3a06551627361a665d7706aa37724596eb6dfec30bb4985b68
Opcode Fuzzy Hash: 87be99a159c43231e94be8b4dbe00db9e3a79fcc9bf9da3d7db5c5fa84a47103
Instruction Fuzzy Hash: 2C21D4B5D00259AFDB10CFAAD984AEEBBF9FB48310F14801AE914A3350D374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06522C00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06522C87

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 297a6c49a41f683266afcf910b5f88daa3e5154c8dff0da61633b12c14eaa584
Instruction ID: d8de1b644661d7b319d848016428079bc2a64865004ff2492de4c3adc5019ffc
Opcode Fuzzy Hash: 297a6c49a41f683266afcf910b5f88daa3e5154c8dff0da61633b12c14eaa584
Instruction Fuzzy Hash: E121E4B5900259EFDB10CF9AD984ADEBBF4FB48320F14801AE918B3350D374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01317348 Relevance: 1.6, APIs: 1, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 013173C0

Memory Dump Source

Source File: 00000009.00000002.2412270078.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1310000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a8f66b4ce3f57af94761f8464ce44696a0929a07e92122a14e956a8207820d65
Instruction ID: 5164a15245b6881dc8470fef069a50126fb943f91290cfe263338a89792574ca
Opcode Fuzzy Hash: a8f66b4ce3f57af94761f8464ce44696a0929a07e92122a14e956a8207820d65
Instruction Fuzzy Hash: 2A2156B2C0065A9FCB14CF9AD445BEEFBB4FF48320F14852AD918A7240D778A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01317350 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 013173C0

Memory Dump Source

Source File: 00000009.00000002.2412270078.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1310000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 51587313e15f17233ed302a2fe810a29d12856b84f6f2e907e6e52fbdea657c2
Instruction ID: c002734248bccf3fac70b3b1efc8a06c17b1de35973888320a28c7871d754153
Opcode Fuzzy Hash: 51587313e15f17233ed302a2fe810a29d12856b84f6f2e907e6e52fbdea657c2
Instruction Fuzzy Hash: E21156B1C0061A8BCB14CF9AC445B9EFBB4BF48320F14852AD918A3240D378A900CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0652A0C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0652B199,00000800,00000000,00000000), ref: 0652B38A

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7bece3e50def91375cc31f6bf32b2d4fbb221c8e7440cb0071f32535c6f75b4c
Instruction ID: d9065d43b6d70e0d80d8ee2c91f9e7e51b014c3b934431faa3cb09eb27cb3107
Opcode Fuzzy Hash: 7bece3e50def91375cc31f6bf32b2d4fbb221c8e7440cb0071f32535c6f75b4c
Instruction Fuzzy Hash: F81114B6C003198FDB10CF9AD844B9EFBF4FB49314F10842AE519A7240C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0652B31A Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0652B199,00000800,00000000,00000000), ref: 0652B38A

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6a93b39b04540104142ac915fae5f4f288aaea67f974459d17d6cb91e8d288eb
Instruction ID: 268b5489da7f313ddf7bb9980a31a45371065d923ad77bf67abe32494c00e53f
Opcode Fuzzy Hash: 6a93b39b04540104142ac915fae5f4f288aaea67f974459d17d6cb91e8d288eb
Instruction Fuzzy Hash: 5E1123B6C003099FDB10CFAAD844ADEFBF8FB98724F10842AE519A7240C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0653D7F4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0653E692), ref: 0653E77F

Memory Dump Source

Source File: 00000009.00000002.2421323475.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6530000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0a6d7ddc4c198bb7c7189c16536e2e6e5614ab987b8afac8f6fa1dfa5571ad95
Instruction ID: 210b71aa810e5fb6f77e4e00b5200dd3ce05b4aa9c029b5cb5c9a54e83a1af40
Opcode Fuzzy Hash: 0a6d7ddc4c198bb7c7189c16536e2e6e5614ab987b8afac8f6fa1dfa5571ad95
Instruction Fuzzy Hash: 971106B1C006699BDB10CF9AC84579EFBF4BF48620F14816AE918A7241D378A950CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0653E710 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0653E692), ref: 0653E77F

Memory Dump Source

Source File: 00000009.00000002.2421323475.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6530000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 00cc93f0d8dc2106b4d9406ba04431e7782704ca545c077929cd7146165d7bc1
Instruction ID: 7fd3506d0fe6a66e490943075ac8d297f61d3af9323987e10c74fe192c1297c8
Opcode Fuzzy Hash: 00cc93f0d8dc2106b4d9406ba04431e7782704ca545c077929cd7146165d7bc1
Instruction Fuzzy Hash: EE1133B1C0066A8FCB10CF9AC44479EFBF4BF48320F14816AE818A7240D378A910CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0652B0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0652B11E

Memory Dump Source

Source File: 00000009.00000002.2421257339.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6520000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1bd53ded3f3221fb47d49e41d2479bd19fa0ac9e15d2568d2eaf14eaa2756542
Instruction ID: c9fd0e988f3e0245f0092263eed222a3a14d56494d30f96e6184c8ba3ac20487
Opcode Fuzzy Hash: 1bd53ded3f3221fb47d49e41d2479bd19fa0ac9e15d2568d2eaf14eaa2756542
Instruction Fuzzy Hash: C8110FB6C0025A8FCB10CF9AD844A9EFBF4BB88224F10841AD828A7240D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2410473666.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0456dfa74ad0b3fc1f4653b0ac6c6f92daaa03927114b4808930f00eb7fca94b
Instruction ID: e9d129aa6d9049754263bdfbc7b7144ebc2d18ea42f7b5c0a944afd08fe79236
Opcode Fuzzy Hash: 0456dfa74ad0b3fc1f4653b0ac6c6f92daaa03927114b4808930f00eb7fca94b
Instruction Fuzzy Hash: FE212575514208DFDB15DF54D5C0BA6BF61FB84398F24C96DDA0A0B252C37AD407CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2410473666.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95720e7f6eb0dd15adb1d057807895d52c5e1fc28633b34c0f5cccd6ff5a3504
Instruction ID: 1b5869b288da62a887a8dcbf49ad6aab6f7030d66946add05e22b8a11b077e8a
Opcode Fuzzy Hash: 95720e7f6eb0dd15adb1d057807895d52c5e1fc28633b34c0f5cccd6ff5a3504
Instruction Fuzzy Hash: 5E217F755083849FCB02CF64D994B51BF71EB46318F28C5DAD9498B2A7C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: LJAGvecDW.exePID: 2744, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	496
Total number of Limit Nodes:	21

Executed Functions

Function 06DB9BC0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 06DB9F75

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 0018aa5c238d90504dcd5059f0f184c2acc40e8982cb90253520628450742ab3
Instruction ID: ae33eaa616fac9a2361070f3c4638305e9d0c8d18f9df3e2ed32756735f841b5
Opcode Fuzzy Hash: 0018aa5c238d90504dcd5059f0f184c2acc40e8982cb90253520628450742ab3
Instruction Fuzzy Hash: CAD12670E0424ADFDB44CF95D5908EEFBB2FF89300B20A559D556AB228D734EA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06DB7A20 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

)", xrefs: 06DB7ACA

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID: )"
API String ID: 0-4237191880
Opcode ID: 44b82ecd04f5dbc7a88b0282b11a548e972b1078ad75bcc73b8b1de78ad0a851
Instruction ID: 179a2d3103cc7ccc85b019e645cc52599abc60fe4d8e8f71829808142c1498e0
Opcode Fuzzy Hash: 44b82ecd04f5dbc7a88b0282b11a548e972b1078ad75bcc73b8b1de78ad0a851
Instruction Fuzzy Hash: 6F81B574E04209DFDB44CFAAC944AEEBBB2FF88300F24942AD51AAB358D7359945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06DBC900 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01707b91547cdbd058fbfabe63199325323ac0b5795691ef4689b1237c5d8160
Instruction ID: 63588c824694bf583988bbf8e85f082ef400a964a281de861f42353cc9dc69d8
Opcode Fuzzy Hash: 01707b91547cdbd058fbfabe63199325323ac0b5795691ef4689b1237c5d8160
Instruction Fuzzy Hash: 4D811174E14219DFDF44CFA9C980AEEFBB2FB88201F10A51AD456B7218D3349902CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00AFDF58 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AFDFDE
GetCurrentThread.KERNEL32 ref: 00AFE01B
GetCurrentProcess.KERNEL32 ref: 00AFE058
GetCurrentThreadId.KERNEL32 ref: 00AFE0B1

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4f05c9b9e63ce4261d70a3ed4a0d514db47ab9b316b6d7bf061937557590d3c8
Instruction ID: 437cf08e04d87c8328a190ccba03948629c28e4ccc02e4c2b8d8407e1401dc19
Opcode Fuzzy Hash: 4f05c9b9e63ce4261d70a3ed4a0d514db47ab9b316b6d7bf061937557590d3c8
Instruction Fuzzy Hash: 955154B090124ACFDB14CFAAD548BEEFBF1FF88314F208459E509A7260DBB59944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00AFDF60 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AFDFDE
GetCurrentThread.KERNEL32 ref: 00AFE01B
GetCurrentProcess.KERNEL32 ref: 00AFE058
GetCurrentThreadId.KERNEL32 ref: 00AFE0B1

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2b2ce0683ef5a08480fee1362855ae9223234e2d1090e7784931867b5932a6b3
Instruction ID: 5c7bf45972262c9ef63f9d81e9efd64d0f005cad141d79cc0bf79e181969c69a
Opcode Fuzzy Hash: 2b2ce0683ef5a08480fee1362855ae9223234e2d1090e7784931867b5932a6b3
Instruction Fuzzy Hash: F65134B090134A8FDB14CFAAD548BEEFBF1FF88314F208459E509A7260DBB59944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 084B612C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 084B636E

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9cf7e8aa688f2614f18ccc1f76ed83d10c604991fdd0ce66d4ef29956f0b575c
Instruction ID: a8b38256ae1d3b5bbd7635f18816484459af5700e5a9de2c93af8a78adb03ef5
Opcode Fuzzy Hash: 9cf7e8aa688f2614f18ccc1f76ed83d10c604991fdd0ce66d4ef29956f0b575c
Instruction Fuzzy Hash: F9A16D71D00619CFEF14DFA8C9417EEBBB2BF48311F1581AAE808A7250DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084B6138 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 084B636E

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c4ef1656bc2d9363ccaf5a6bb8743d7a69626a1647d572de5ad5f02ecd5552c
Instruction ID: 275550d0dff8ff8fd8dc996e4a01aee0cee097eee2659eb55365a5cf715551cc
Opcode Fuzzy Hash: 0c4ef1656bc2d9363ccaf5a6bb8743d7a69626a1647d572de5ad5f02ecd5552c
Instruction Fuzzy Hash: 26915C71D00619CFEF24DFA8C9417EEBBB2BF48315F15816AE808A7240DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AFBCB8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00AFBF1E

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6d2ebe39efcdda65b715f237ca00865a985af37f0aca563d9a87ccd03ffae014
Instruction ID: 3baff4e4e8e0f76da2224d852dd474a020a52b5823829a9e15b9f48b83277fd5
Opcode Fuzzy Hash: 6d2ebe39efcdda65b715f237ca00865a985af37f0aca563d9a87ccd03ffae014
Instruction Fuzzy Hash: E4817970A00B098FDB64CF69D4457AABBF1FF88304F00892DE586D7A51DB74E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025C2804 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 025C2922

Memory Dump Source

Source File: 0000000D.00000002.2446332103.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_25c0000_LJAGvecDW.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 17a50f379483379693fa30156d3938735503d521a2edecf60de38c37237237db
Instruction ID: c65ccaf6af19880c23752283d95658b9f3ad5dcb6c46b7c6add1e0c9742a11f2
Opcode Fuzzy Hash: 17a50f379483379693fa30156d3938735503d521a2edecf60de38c37237237db
Instruction Fuzzy Hash: C351CFB1D003499FDB14CFA9C884ADEBFF5BF48314F24812AE819AB210D7759885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 025C2810 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 025C2922

Memory Dump Source

Source File: 0000000D.00000002.2446332103.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_25c0000_LJAGvecDW.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 637f712606f07c84d01d33a94105a96ac8f3375e2ab00bcfdf84c2f72d515ae4
Instruction ID: 3d0e3363708d3d2e3a79aeb65766ffcbb9a67e0e4c0936710ba659ecd5de4625
Opcode Fuzzy Hash: 637f712606f07c84d01d33a94105a96ac8f3375e2ab00bcfdf84c2f72d515ae4
Instruction Fuzzy Hash: 1041ADB1D003499FDB14CF9AC884ADEBBF5BF48310F24912AE919AB210D775A885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 025C1DC4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 025C4EA1

Memory Dump Source

Source File: 0000000D.00000002.2446332103.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_25c0000_LJAGvecDW.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fc481adcb12dd58e554ce06c990a5d23e4eecd7ff0984ed97e67458d0bbbbe1f
Instruction ID: 1aa0c2a1ca227ca9594f770b794efd73c18ae052d12e8622159e3f823465b8b9
Opcode Fuzzy Hash: fc481adcb12dd58e554ce06c990a5d23e4eecd7ff0984ed97e67458d0bbbbe1f
Instruction Fuzzy Hash: 2B4117B8A00209CFDB14CF99C448BABBBF5FB88314F25C859D519A7321E775A840CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AF4538 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AF5DC9

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c23f1704a89e7fbcc4c170a15086b51d981fdd8805845dc35fc60f451355e7c2
Instruction ID: a6c5698caebce7649ea7a666177e10f1a539f2b873d4f1117d69ad46da95117d
Opcode Fuzzy Hash: c23f1704a89e7fbcc4c170a15086b51d981fdd8805845dc35fc60f451355e7c2
Instruction Fuzzy Hash: ED41BF70C0471DCBEB24CFA9C944B9EFBB5BF48704F20816AE608AB255DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AF5D0D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AF5DC9

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9db7ba519429533a839a5e551ab6bdf354728c02c25750ade9aa736a8f29c085
Instruction ID: e4658e216f10b1587d2e27b512fac2e172ae7c2c85fb9ae577fb86da5f8c023a
Opcode Fuzzy Hash: 9db7ba519429533a839a5e551ab6bdf354728c02c25750ade9aa736a8f29c085
Instruction Fuzzy Hash: 9041EFB0C0071DCBEB24CFA9C844BDEBBB5BF89304F20816AD508AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04D39ED8 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04D39EC5,?,?), ref: 04D39F77

Memory Dump Source

Source File: 0000000D.00000002.2451002409.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4d30000_LJAGvecDW.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: fce7140179d7eee40ca704b432160a9570957842b11f01bda065337621b256c2
Instruction ID: 900efb464732ca44db26ef65fec9629bc5d35e16d12a6c24cfd99b12ee31bba7
Opcode Fuzzy Hash: fce7140179d7eee40ca704b432160a9570957842b11f01bda065337621b256c2
Instruction Fuzzy Hash: 4231C0B69002499FDB10CF9AD880ADEBBF5FF58320F14846AE919A7310D775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D381EC Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04D39EC5,?,?), ref: 04D39F77

Memory Dump Source

Source File: 0000000D.00000002.2451002409.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4d30000_LJAGvecDW.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8b27fc47a2e7506bc100524e74062e47be01af6c4a321213eadebe34a768edb9
Instruction ID: 72058672081cba041faaf8023c297c8b89fe6c54e3b5335cfb0d40d2dd7fb0bf
Opcode Fuzzy Hash: 8b27fc47a2e7506bc100524e74062e47be01af6c4a321213eadebe34a768edb9
Instruction Fuzzy Hash: B431E2B59002099FDB10CF9AD884A9EBBF4FF48320F14846AE919A7310D7B4A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 084B5AA8 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 084B5B40

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dc5ab7c8be26e271fd7089704cb7930f085bd04242aa63eaff016bd87807b149
Instruction ID: d72156e9e278ba12e18fd3f433631b7297ec33f231b13310b4e9bb90c30c197b
Opcode Fuzzy Hash: dc5ab7c8be26e271fd7089704cb7930f085bd04242aa63eaff016bd87807b149
Instruction Fuzzy Hash: E9211571900349DFDB10CFA9C885BEEBBF1FF88310F14842AE659A7250C7789954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 084B5AB0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 084B5B40

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f8d13ddf58701412fa92cb0c842f5553d0eef5de05d56d6efea50899cfb02c32
Instruction ID: 0064089e15a41d87005e317622a8c06d3ce3a3c30b9297eda8b48a28b5f75914
Opcode Fuzzy Hash: f8d13ddf58701412fa92cb0c842f5553d0eef5de05d56d6efea50899cfb02c32
Instruction Fuzzy Hash: DF2124719003499FDB10CFAAC881BDEBBF5FF88310F10842AEA18A7240C7789950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AFE1A0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFE22F

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21ef2b215f8e9712fde67205deef7a023e04d7ccf8f665192e6d6bc60ebd27f8
Instruction ID: 67cd5bae2a095f090d098566a5e944c59ef34a013cd9e880a288e061aad758d2
Opcode Fuzzy Hash: 21ef2b215f8e9712fde67205deef7a023e04d7ccf8f665192e6d6bc60ebd27f8
Instruction Fuzzy Hash: F52105B59002489FDB10CFA9D885AEEBFF8FF48320F14801AE954A3311D778A955CF60

Uniqueness

Uniqueness Score: -1.00%

Function 084B5918 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 084B5996

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c628e5e9e4b1a74df982a62a95a6f26dd258b369ae560a46614464d26c794141
Instruction ID: c2cd08823c39163cf71e50b0e07ae10de7adee7f5262d2fdd1aae262896346a1
Opcode Fuzzy Hash: c628e5e9e4b1a74df982a62a95a6f26dd258b369ae560a46614464d26c794141
Instruction Fuzzy Hash: DD210471D003098FDB10DFAAC4857EEBBF4AF88324F14842ED559A7241DB78A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 084B5915 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 084B5996

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f58037935a64e4a864b7c80ecd93af288b09cc2fa687ed7ba31229ac122213f6
Instruction ID: f0051edf741e5c689bc36aa8b99909dafe9a80c5c475d7e1fa8b161642381888
Opcode Fuzzy Hash: f58037935a64e4a864b7c80ecd93af288b09cc2fa687ed7ba31229ac122213f6
Instruction Fuzzy Hash: 2B213471D003098FDB50CFAAC485BEEBBF1AF88324F14842ED559A7240CB789944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 084B5B9D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 084B5C20

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 33d251c5ae6759092f317f8d80935508efd42a7cb16baa87e20f8941e7827e36
Instruction ID: 9e12e02d3afffbc6ade480f441603fbeeaeef78312625dc88b7305180b6b7f63
Opcode Fuzzy Hash: 33d251c5ae6759092f317f8d80935508efd42a7cb16baa87e20f8941e7827e36
Instruction Fuzzy Hash: C32114B1D003499FDB10CFAAC881BEEBBF1FF88310F10842AE518A7240C7799950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 084B5BA0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 084B5C20

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c186e59ff1f107b569bf2d7fa9f7b7c42a0feb034feb3c3ed84afcce2a6be071
Instruction ID: 92a4fa64fc5399a992cb1f9da1810d9f0dddf11eb6ab42e6aac847b1c5818f8b
Opcode Fuzzy Hash: c186e59ff1f107b569bf2d7fa9f7b7c42a0feb034feb3c3ed84afcce2a6be071
Instruction Fuzzy Hash: B321E4B19003499FDB10DFAAC881BEEFBF5FF48320F10842AE559A7240D7799950DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AFE1A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFE22F

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 85b95d19de9eac2f3a90022ba98a83dd223c5e4444a7b74b40cddd30ec21d4b5
Instruction ID: 3ae13139f21bd56d4a24bb2f4a8a9ef073b5b939f3afd0788e0325dfc9e5d5b2
Opcode Fuzzy Hash: 85b95d19de9eac2f3a90022ba98a83dd223c5e4444a7b74b40cddd30ec21d4b5
Instruction Fuzzy Hash: BF21C4B5900249DFDB10CF9AD984AEEBBF8FB48320F14841AE954A3351D374A954CF65

Uniqueness

Uniqueness Score: -1.00%

Function 084B59E8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 084B5A5E

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6861994aede3fc7502c8049396cbab984f394c1ff863f0905ad6bcf470d73adb
Instruction ID: 29997029eff85d5938a2d8c41fb2544e7514afc03e86688ba47be230d78cb345
Opcode Fuzzy Hash: 6861994aede3fc7502c8049396cbab984f394c1ff863f0905ad6bcf470d73adb
Instruction Fuzzy Hash: 361136729002499FDB10DFA9C844BEEBFF5EF88324F24841AE559A7250C7759950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB6C8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AFBF99,00000800,00000000,00000000), ref: 00AFC1AA

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b90337b5bd6dfbdd33fc08c031ca3f4fc36960b41499df666af865b7b5d17a7e
Instruction ID: abd3d23dabff87451c16d382f3ee7531d9c10ccf5c113c37607a784b5198ecf5
Opcode Fuzzy Hash: b90337b5bd6dfbdd33fc08c031ca3f4fc36960b41499df666af865b7b5d17a7e
Instruction Fuzzy Hash: 4E1117B680430D9FDB10CF9AD544BEEFBF4EB48320F10851AE515A7201C375A955CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00AFC138 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AFBF99,00000800,00000000,00000000), ref: 00AFC1AA

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa5b32fbf1c11d2378dc5d9731c34ace505fcdbd5a6091779936f404fdd5e5d4
Instruction ID: ef19f51b60a1d265c9eedbe8799e73b682984dc4a67e4be70ece206d2bef33db
Opcode Fuzzy Hash: fa5b32fbf1c11d2378dc5d9731c34ace505fcdbd5a6091779936f404fdd5e5d4
Instruction Fuzzy Hash: 851117B68002499FDB10CF9AC944BDEFBF4EB48320F14852AE955A7201C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 084B59F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 084B5A5E

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b0a5d448332194b5ea02a91058c3934456e402d42f9159a6eb87e33f2b40ff8
Instruction ID: fff3bb274fbf051672cbc800427d953467e899fca09d5df149d742b47a407098
Opcode Fuzzy Hash: 2b0a5d448332194b5ea02a91058c3934456e402d42f9159a6eb87e33f2b40ff8
Instruction Fuzzy Hash: 331156728003499FDB10DFAAC845BDFBBF5EF88320F24841AE519A7250C775A550CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 084B5868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 084B58CA

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1ceada3e01152fc1ef1b8d481f72a0f262b4d783c02c6d5d4157d4c40a0950aa
Instruction ID: f3f9037c279c80d1c634a239c7890d07012f4ce8f1e5bcb98c344c5e47dd163a
Opcode Fuzzy Hash: 1ceada3e01152fc1ef1b8d481f72a0f262b4d783c02c6d5d4157d4c40a0950aa
Instruction Fuzzy Hash: 711125B1D003498FDB20DFAAC4457DEFBF4EF88724F24881AD519A7240CB79A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 084B5865 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 084B58CA

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13a31a72432fe349d0bfa99805a25309f2e7aa41f8db4c7e3002f9f196de479a
Instruction ID: 85e8d07ea1b63d54211eb90a332d5e260b2c076612eac59167ae66f4be1fd945
Opcode Fuzzy Hash: 13a31a72432fe349d0bfa99805a25309f2e7aa41f8db4c7e3002f9f196de479a
Instruction Fuzzy Hash: C2112871D00349CFDB10DFAAC4457EEFBF5AF88324F24881AD519A7240C775A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 084BA228 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 084BA28D

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7be3c776f3b092c2ffc479f39b715cbeef58fa5370b650b613b02cdb64ea158
Instruction ID: 3509ad16de4cad19bf8893331fcdab4201171c537c17f90a553e67be22494029
Opcode Fuzzy Hash: c7be3c776f3b092c2ffc479f39b715cbeef58fa5370b650b613b02cdb64ea158
Instruction Fuzzy Hash: 741122B58013499FCB10CF9AC585BEEBFF4EB48320F20844AE558A7711D3B5A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084B5E54 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 084BA28D

Memory Dump Source

Source File: 0000000D.00000002.2452917737.00000000084B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_84b0000_LJAGvecDW.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1694f3208d44709485a1c5b96034ab7270329d973db6c04bb834e4a6d6a6dabf
Instruction ID: f8cfdb9da57e0470e9eadc1dca8501b4c9862af82b5b699b5e8beb849d3532c0
Opcode Fuzzy Hash: 1694f3208d44709485a1c5b96034ab7270329d973db6c04bb834e4a6d6a6dabf
Instruction Fuzzy Hash: 0F11E0B5804359DFDB10DF9AC445BEEBBF8EB48320F20841AE558A7300D3B5A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AFBEB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00AFBF1E

Memory Dump Source

Source File: 0000000D.00000002.2443785235.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_af0000_LJAGvecDW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 507999b4f2483480277b5d5243270763b0e571837907ea199e340f51d38a22d0
Instruction ID: 60850e8c8d08e180d45c2c88041a0991b47cb51e38850480eb7b1ad3bd35a9d3
Opcode Fuzzy Hash: 507999b4f2483480277b5d5243270763b0e571837907ea199e340f51d38a22d0
Instruction Fuzzy Hash: D411DFB6C006498FDB10CF9AD844B9EFBF4AB88324F14841AE519A7210D3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DBC350 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 06DBC388

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: ba3a9c720cc468d5d102bb1f438cf24a1edea2553c68326be67309a8e87f89df
Instruction ID: adea139602441f01694d4e10692635fbd035054c1ea098f04c98b68ee8d49620
Opcode Fuzzy Hash: ba3a9c720cc468d5d102bb1f438cf24a1edea2553c68326be67309a8e87f89df
Instruction Fuzzy Hash: 73416D70A24609DFDB84CFA9D6849AEFBB2FF89300BA09495C446A7318D735DE21CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06DBF6F8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2f4f4d9eead96d0095cfdf79897afffe6da179481ae55ca85ef86c6f2bcce9
Instruction ID: 94818c7c1ddb124204903bc3648490c1bb7094cf7a67732171463d259a5b554a
Opcode Fuzzy Hash: 9f2f4f4d9eead96d0095cfdf79897afffe6da179481ae55ca85ef86c6f2bcce9
Instruction Fuzzy Hash: 9D612674D09209DFEB54CFA9D9446EEBBBAFF89300F10A029D41AA7319D7749942CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06DBED88 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bc6a78c2391878d991c341d8d466bf0186f28e3c888e5c5dc59b889c2bd13f
Instruction ID: 72bbbb3964d5f2d1f83d43f5892021de9372d8cb3a9fde38831df54452b8f16e
Opcode Fuzzy Hash: 52bc6a78c2391878d991c341d8d466bf0186f28e3c888e5c5dc59b889c2bd13f
Instruction Fuzzy Hash: 61613831A00619DFDB54DFA8C894ADDBBB1FF88350F208169E50AAB364DB71ED41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06DB6D14 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d311401882549da11d50bb40cef4c057c022139a704dbde741f2bb112d9b6d
Instruction ID: 867f0284cec88a70163951ecc7aa9391e0c20f3202dbdee43e70c5a256edbf2a
Opcode Fuzzy Hash: 83d311401882549da11d50bb40cef4c057c022139a704dbde741f2bb112d9b6d
Instruction Fuzzy Hash: 4351C031B002058FDB14DB79D8449BFBBF6EFC42647148969E42ADB355EB30DD0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 06DBFCF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40321e7fbdb722d27ddcdc7209e22a0dab24a6fd8ff4dfd1f42582e06bc86516
Instruction ID: 126cd0b7f73de8c51a526c83731cb5262a4a42b4a38ce4f28a8252cd490e44c2
Opcode Fuzzy Hash: 40321e7fbdb722d27ddcdc7209e22a0dab24a6fd8ff4dfd1f42582e06bc86516
Instruction Fuzzy Hash: B9419D71A002198FDB54EFA9D8446EFBBF6FBC8250F10842AE516E7344DB349D01CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 06DBE464 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099bb33467be652419b4c25beafa968ed3ddafbce6e699482102114df54263cf
Instruction ID: 1d7809f8784e868e87751f27e928b2f1bc4197c9e51d7aaca43bffb08884caa6
Opcode Fuzzy Hash: 099bb33467be652419b4c25beafa968ed3ddafbce6e699482102114df54263cf
Instruction Fuzzy Hash: 273139B1900209DFDB54DFA9D884ADEBFF5EB48320F10846AE905A7310D775A950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DBDDE0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00d84bfaf7dbecc0d04137995e3fac142df05798ce698ac7acbf916604e5c0d
Instruction ID: b48823101f27f05f7ada0b9aac02fc93d7f6ccd67c625437b36c297d3a7d5335
Opcode Fuzzy Hash: f00d84bfaf7dbecc0d04137995e3fac142df05798ce698ac7acbf916604e5c0d
Instruction Fuzzy Hash: 0D312974E04209DFEB48DFA9D9446EEBBB6FB59300F009129D546E3348CB34AA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2443185534.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_87d000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11e9a591763628372a19b94d54cfb4d4f100ec47ba0fedf71cd68513e610544
Instruction ID: 3ce8d93c4dbbb0b22dfddd04752332ab0177a5140918a265dcf34127f0f356f2
Opcode Fuzzy Hash: d11e9a591763628372a19b94d54cfb4d4f100ec47ba0fedf71cd68513e610544
Instruction Fuzzy Hash: D7210372504344EFDB05DF14D9C0B26BF75FF88328F24C569E9098B25AC336D856CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0088D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2443264185.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_88d000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb80cdcb75bc43b16576edc68c2484671befbda53146d5780c5d109fc3fb80fe
Instruction ID: 06a7ffbdef936e43738242a8604f0b9f263937c2d74c4d7a114f27d25b11dac2
Opcode Fuzzy Hash: eb80cdcb75bc43b16576edc68c2484671befbda53146d5780c5d109fc3fb80fe
Instruction Fuzzy Hash: ED212275604704EFDB14EF14D9C0B26BB61FB84318F20C56DD90A8B292C77AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0088D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2443264185.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_88d000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddee8dcda59ababad74b68dcd8730be3ae70e716b71919ff33f52441ac927cb4
Instruction ID: 68b577111404216bba1d6b2a318f186ee986d0e05baf02560070ae5e41a23986
Opcode Fuzzy Hash: ddee8dcda59ababad74b68dcd8730be3ae70e716b71919ff33f52441ac927cb4
Instruction Fuzzy Hash: 9521F275504304EFDB15EF14D9C0B26BBA5FB84318F20C66DE9098B292C77AE846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06DBF9F8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831fd08e1c0b57f7aaceb797b47c5f60c7c3bdd5f7634f75d0ae5734556ecf80
Instruction ID: a209de8c1e4f751b9979527e76c8961872c49189d1122ad7e86b5488dd7b187a
Opcode Fuzzy Hash: 831fd08e1c0b57f7aaceb797b47c5f60c7c3bdd5f7634f75d0ae5734556ecf80
Instruction Fuzzy Hash: 6411C261A19344EFDB49DB70CC46AEE7BF8DB45204F1488EAD845D3352E935DE11C721

Uniqueness

Uniqueness Score: -1.00%

Function 06DBE770 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ab63a0b7e5e4945aeb7c90ac8adb3bf5b44b32cf867cade850206bd5427bc0
Instruction ID: 7c8abe7bad883f3f7074e873a252cab653492ec5f1e5e241e9350a9ff5c188cf
Opcode Fuzzy Hash: a6ab63a0b7e5e4945aeb7c90ac8adb3bf5b44b32cf867cade850206bd5427bc0
Instruction Fuzzy Hash: 6521DDB4C01218DFEB60CF9AC988BDEBFF4BB48714F24901AE409BB241C7B55845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DBC278 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb72f71b9eedbbae3088984363dcf8c3de63971cf9e1adf4cf6a4f5ced7f1b8d
Instruction ID: ace40607afe44384aa35108dec30e7711b64722f84a01343c3ca46758bb4f771
Opcode Fuzzy Hash: eb72f71b9eedbbae3088984363dcf8c3de63971cf9e1adf4cf6a4f5ced7f1b8d
Instruction Fuzzy Hash: 6C2190B4A00A08DFC754DF5AE188999BFF1FF89310F5280D5D8489B365E776E991CB01

Uniqueness

Uniqueness Score: -1.00%

Function 06DBE0D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38805672fe391afd96815747870129c10681dfca776454897d50ba4c34ba487
Instruction ID: 761b3b2768d9a18bbe757e3191c449f73bc5d399c559867d981d9984f1b60d0c
Opcode Fuzzy Hash: a38805672fe391afd96815747870129c10681dfca776454897d50ba4c34ba487
Instruction Fuzzy Hash: 4C111C32F002198BCB54EBB998106EEB7B6AF89291B24406AC505E7344EB358D11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2443185534.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_87d000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: f581b6f17666608e887f3ba2a8fd7d51f24045ed6395839eb161c12777b34d7f
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 5911AF76504280CFCB15CF10D5C4B16BF71FB94328F24C6A9D8494B65AC33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DBE474 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0880735f3d7730bef060d6f4a6d1fe24d8af373db09eee38f542a632e13e7e0
Instruction ID: 0ad34773061ac591f8f9d33beba8163ac280d4127eeef5ec703247a91cffc168
Opcode Fuzzy Hash: a0880735f3d7730bef060d6f4a6d1fe24d8af373db09eee38f542a632e13e7e0
Instruction Fuzzy Hash: 1421D0B5900349DFDB60CF9AD884ADEBBF4FB48320F10841AE919A7311C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0088D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2443264185.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_88d000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 37ac3c49312cd80355170ce80ae18c26df23436e2f2e00be7c1d251bc724ad01
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 02118B75504384DFCB15DF14D6C4B15BBA2FB84314F24C6A9D8498B6A6C33AE84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0088D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2443264185.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_88d000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 0a6accbe13e996f5790325fb727a78ed91788e841d46eb23e77d665ddeaf8bae
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 5A11BB75504784CFCB11DF10D5C4B15BBA2FB84314F24C6AAD8498B696C33AD80ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06DB6808 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ce081c4e11e9987964e9bfb9dbf741ffdd3285a8915397e11efb0fb40343e3
Instruction ID: 30cf5c533aedf9d6883be5a7de8d2e9d8df47522ed893197430989d3b2517d43
Opcode Fuzzy Hash: f7ce081c4e11e9987964e9bfb9dbf741ffdd3285a8915397e11efb0fb40343e3
Instruction Fuzzy Hash: 12F03C78D09248DFDB44DFA9D5406EEBBB8FB4A300F00A1AAD419A3349D770DA00CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06DBAE20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e0cb547cadb38cfa218bfff4a98d9c51f6b803b6711a328b10ba3176134fbe
Instruction ID: d42f7599e09d38570e435bb453e7aa451bc87055e0741f0829bacbe3530089fb
Opcode Fuzzy Hash: e1e0cb547cadb38cfa218bfff4a98d9c51f6b803b6711a328b10ba3176134fbe
Instruction Fuzzy Hash: 7001A2B4D002599FCB50DFA8D5956AEBBF4FB08300F2486AAD954E3344D7349A81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DBA2F8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a8d1d9bd5300772579a79495623fb10943087094459fa1edce4209935c9ce8
Instruction ID: f13394500ec72bda217e7c029d5812009e49972f56242fa1ce0b1f052a81ef54
Opcode Fuzzy Hash: 84a8d1d9bd5300772579a79495623fb10943087094459fa1edce4209935c9ce8
Instruction Fuzzy Hash: 9501AF74A00208EFCB44DFA9C598A9DBBF1EF48210F09C0A9E9089B365D635EA41CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06DB6688 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4005a9d07acffe0fd2da9293fe109ba0a3cc40cdce437b8787cb172955a0510f
Instruction ID: 48502f2c3681bf8f2bdda9adf9496b0c801130b05bab18af125f2e37e39d5bf0
Opcode Fuzzy Hash: 4005a9d07acffe0fd2da9293fe109ba0a3cc40cdce437b8787cb172955a0510f
Instruction Fuzzy Hash: 02F0C275904248EFCB44DF98D940AADBBB9FB48310F14C1A9EC1957350D632DA61EF80

Uniqueness

Uniqueness Score: -1.00%

Function 06DB6ED8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac2e00bda4eceedfe92e308939308366b26a9bf15d79d6dd54b372682509cad
Instruction ID: 6cffda58f8bf76ade62365815a3aeec89e1ffad77c3f850a30787816b2a9d295
Opcode Fuzzy Hash: fac2e00bda4eceedfe92e308939308366b26a9bf15d79d6dd54b372682509cad
Instruction Fuzzy Hash: 23C012714042489BC350DBB5D91875976A9D709111F404154D809C3240DAB69980D6A5

Uniqueness

Uniqueness Score: -1.00%

Function 06DBE41C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2452662796.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6db0000_LJAGvecDW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b731a8e437ccc1eb9bcb6583694581d2b7dfb1824d104b64041dd04ab5c45b
Instruction ID: 060d757ae71ca3761ea7bea04d2f6c6cd95ad428ae77aa723d568da4dfee8403
Opcode Fuzzy Hash: f6b731a8e437ccc1eb9bcb6583694581d2b7dfb1824d104b64041dd04ab5c45b
Instruction Fuzzy Hash: 39B012661B4200EAB6886F744C40CAFFA51FBBA700B00BC45B35611058CCA0C424D63F

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 5264, Parent PID: 4004COMMON

Executed Functions

Function 01911340 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3abc94243cc6af5d7843e7eaae5f3585546b90a06f365c0780a3298c8a582f
Instruction ID: 3335c5bf9881f67a0c958a85fde37dac517d4dfa5d2114266a7ffab6fdf0fe40
Opcode Fuzzy Hash: ed3abc94243cc6af5d7843e7eaae5f3585546b90a06f365c0780a3298c8a582f
Instruction Fuzzy Hash: 99222C30700606DBD724DF34D99063A77AAFB88351F50897DDA1A87399DB36EC81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01910BC0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c90990b117a9182eb610b4d5c9496ad4e01414f5ba870d429d495e399e6af7
Instruction ID: 4fe7888452bee3bddd6007f32c9fd31de528be7e79431ec46d63c4edab1544ab
Opcode Fuzzy Hash: 21c90990b117a9182eb610b4d5c9496ad4e01414f5ba870d429d495e399e6af7
Instruction Fuzzy Hash: 4A81A035A00305DFEB259B74C4186AEBBB6EF88310F18856DE50A67268DF76ACC5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01911230 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7634a7a48d0acf8d93767a0dcea95316c5bfd0f17502aba11c9cf7d3c681a7
Instruction ID: 8313509dbad2d428f741b467aff7348787bb8aa62d6b854b99dba97f6da2970a
Opcode Fuzzy Hash: 1c7634a7a48d0acf8d93767a0dcea95316c5bfd0f17502aba11c9cf7d3c681a7
Instruction Fuzzy Hash: C731F635701211CFC759AB38C45881D7BE6AF8A71636118B8E606CF3B6DA76DC82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01911240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819ca2b961e4cac53526aec18324d8780a00142dbaf3b505c8b9a9428e556aa3
Instruction ID: 33ca28938bbc7a82ac9955be7a8f3e8abee53c9caa5090122b0652de8ca0d4be
Opcode Fuzzy Hash: 819ca2b961e4cac53526aec18324d8780a00142dbaf3b505c8b9a9428e556aa3
Instruction Fuzzy Hash: 7021E935701211CFC759AB79C45881D7BE6AF8A71636118B8EA06CF3B5DE76DC82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01911AE0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf6a975ce037544bfd6e0dd91166d2031b6ec3424c82d6800ad8431a024e0d8
Instruction ID: 7407cbce79831a2876ffc422bd7e3d8a1a0b44be10a05861aceff354e8e20d50
Opcode Fuzzy Hash: dbf6a975ce037544bfd6e0dd91166d2031b6ec3424c82d6800ad8431a024e0d8
Instruction Fuzzy Hash: 6511D335B00209AFC714EFB8E4506AD77BAFF88300F1044A9DA09AB394DF759D06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01911C00 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67ddfb7c331bb2d500707023645f4ddb5200bef4b20631ff722fd6a5bea8e7a
Instruction ID: 9894b3475e743fba72b8b8fccceca0819df4f10b437367f11cda549ba3dbffc9
Opcode Fuzzy Hash: b67ddfb7c331bb2d500707023645f4ddb5200bef4b20631ff722fd6a5bea8e7a
Instruction Fuzzy Hash: 31117076E002059FCB14DFB4D9809AFBBF5FF8D30071181AAE61597221E735A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01911C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e51fb09723d0c2354742f31c9f4847f7c5c40fe12a2153c68e52accd952b49
Instruction ID: 90f1f71930e0d3d7beed80163515a4f30b54ed181b27fdb230944ff465df3120
Opcode Fuzzy Hash: 12e51fb09723d0c2354742f31c9f4847f7c5c40fe12a2153c68e52accd952b49
Instruction Fuzzy Hash: 9F019236E0020A9FCB10DFB4D9408AFFBF5FF8C310710816AE61997220E735A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01910880 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc578a8e944535df7537d2d06e37ce3ec1a0a94cd25f8c032f697b6ef159ac52
Instruction ID: b8aef91fa4b749d55ced852cf6b98d9f8e78bb6099f707892461c67a124be3f9
Opcode Fuzzy Hash: cc578a8e944535df7537d2d06e37ce3ec1a0a94cd25f8c032f697b6ef159ac52
Instruction Fuzzy Hash: 83F06D71D0E3899FCB12DBB8DC4118E7FF4AE46200B0904E6D889D7222E2356924CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 01910F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb02501390c17bf235a947170b313ae44c0c3a6c349f39e704ecb750fac661ce
Instruction ID: f29dd914b373eec5dff2b84321cde20d4eb248f71a1ad8cd5a7ab6962fbff5ce
Opcode Fuzzy Hash: bb02501390c17bf235a947170b313ae44c0c3a6c349f39e704ecb750fac661ce
Instruction Fuzzy Hash: CAF01C74904309DFDB24DB74C45979DBBB0BB48715F240868D506AB264CBB598C4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019108A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2405168626.0000000001910000.00000040.00000800.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1910000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636536d1e666d86127237155e763069101a8effb942ac40b93ab5f7a7567cb5e
Instruction ID: 7ba7809664cd0e53c8b1596180a8e82b15a15e73abacb3d3d6015cbf3a2e1fad
Opcode Fuzzy Hash: 636536d1e666d86127237155e763069101a8effb942ac40b93ab5f7a7567cb5e
Instruction Fuzzy Hash: 37D017B1D0521DAF8B40EFB899051DEBBF8EE08250B0045A6D90AE3204E2714A108BD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 5656, Parent PID: 2744COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	150
Total number of Limit Nodes:	15

Executed Functions

Function 063A29AE Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 063A2A2E
GetCurrentThread.KERNEL32 ref: 063A2A6B
GetCurrentProcess.KERNEL32 ref: 063A2AA8
GetCurrentThreadId.KERNEL32 ref: 063A2B01

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 56a70f82827ce18a36913d90e7f44422a604540e13b9ccc709a5e7026681af70
Instruction ID: 79045f8fa6776470422a74e33ae0992e2b497092caee053587f2f343e8c34833
Opcode Fuzzy Hash: 56a70f82827ce18a36913d90e7f44422a604540e13b9ccc709a5e7026681af70
Instruction Fuzzy Hash: 535175B0D003498FDB54DFAAD948BEEBBF1FF88314F248019E409A7290DB745944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 063A29B0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 063A2A2E
GetCurrentThread.KERNEL32 ref: 063A2A6B
GetCurrentProcess.KERNEL32 ref: 063A2AA8
GetCurrentThreadId.KERNEL32 ref: 063A2B01

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 320c84637c324d019c78013bd4bddd0158dda69edc76712e5c1ee4beb10971cc
Instruction ID: 0ae70e4a0cc4974018d914e1d6a55736271a11e9fcfd38a3d5d0fd786a9a552a
Opcode Fuzzy Hash: 320c84637c324d019c78013bd4bddd0158dda69edc76712e5c1ee4beb10971cc
Instruction Fuzzy Hash: CA5175B09003498FDB54DFAAD948BEEBBF1FF88314F248019E409A7290DB745944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 063AAEB8 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 063AB11E

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c554d57ab265491c5ef5399dff2376d3019aec54b1e18168093ae6651d39a8ab
Instruction ID: 3a69c2e51e8d159a396534c06aa80a158d68fe05939a65146c1c2d229301e3ec
Opcode Fuzzy Hash: c554d57ab265491c5ef5399dff2376d3019aec54b1e18168093ae6651d39a8ab
Instruction Fuzzy Hash: 9D8147B0A00B058FD7A8DF29D44579ABBF1FF88304F00892DE49AD7A40DB75E849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063AD065 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063AD1C2

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5532b438074935f82d1252f3a6f51f1f01e12e527bced73a00eed74eca302cbc
Instruction ID: 0f145ca8c2ac9500418237d7fbefa4dce52c3c4a848664d9869fb49e8c3c9d2f
Opcode Fuzzy Hash: 5532b438074935f82d1252f3a6f51f1f01e12e527bced73a00eed74eca302cbc
Instruction Fuzzy Hash: FC51DCB1C00349AFDF15CF99C984A9EBFB5BF48310F14816AE918AB220D7719845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 063BE629 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3506858723.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fc683c8528c93ae7fd80599b943fe5f963e127074e1a10a3c7b99196c9c55e
Instruction ID: ff2e6429b64eab5b88edc80f4bbc93c8f6b401a19cf245069e251226c45eea5e
Opcode Fuzzy Hash: 68fc683c8528c93ae7fd80599b943fe5f963e127074e1a10a3c7b99196c9c55e
Instruction Fuzzy Hash: 59413372E143958FCB14CFA9D8142EEBBF1AF89310F14856ADA05A7281DB749845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 063AD0A4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063AD1C2

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5506ac3b3f45a111e4c1abe6aed7f3cb145f8feb06eb05ad19dc52c86e14812f
Instruction ID: c38089b5b84eb00b3ffff9c7a1ffecec36baef80c062d92952e14220e8cddef2
Opcode Fuzzy Hash: 5506ac3b3f45a111e4c1abe6aed7f3cb145f8feb06eb05ad19dc52c86e14812f
Instruction Fuzzy Hash: CA51CEB1D00349AFDB54CF9AD984ADEBFB5FF48310F24812AE819AB210D771A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 063AD0B0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063AD1C2

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dc5e670e96dfeb660aa3e4257b5575f100152fed42d6e34f808c2fb180f877ec
Instruction ID: c7628389298dcb8149428eb7ca238560f1d0af4827a67a64dc2063ebf1678f9f
Opcode Fuzzy Hash: dc5e670e96dfeb660aa3e4257b5575f100152fed42d6e34f808c2fb180f877ec
Instruction Fuzzy Hash: 1C41AEB1D003499FDF54CF9AD984ADEBBB5FF48310F24852AE819AB210D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 063AE01C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 063AF8B1

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d2fd2087169ed0cf0ffd447ebacf9a6cf700d03a0ae6939177fed2dd9a6458c4
Instruction ID: affe80923b443d6c7d98250f8c945ed4cd17e74b977adad24e6d2d4915767d0a
Opcode Fuzzy Hash: d2fd2087169ed0cf0ffd447ebacf9a6cf700d03a0ae6939177fed2dd9a6458c4
Instruction Fuzzy Hash: 89415AB5900309DFDB54CF5AC488AAABBF9FF88314F24845DD519AB321D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 063A2BF0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 063A2C7F

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 269e3e374cc42dd2e25d02b7346d9caed85c4475651a42229f181defa8d81faf
Instruction ID: b495f89a9026d2cff11737115d09ea19b304c5e737f7eb7f91ef491ba1293b7d
Opcode Fuzzy Hash: 269e3e374cc42dd2e25d02b7346d9caed85c4475651a42229f181defa8d81faf
Instruction Fuzzy Hash: C921D4B5D00349AFDB10CFAAD984ADEBBF4EB48320F14841AE958A7210D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063A2BF8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 063A2C7F

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d7b038483b4e83afcd23d73cff6e1ad1a75eef7de2f33300781de0c2166ea236
Instruction ID: ef39d22fc6ef051638e9848ae1cc7d43ba54a19c24de03184b0bbfcb2695006a
Opcode Fuzzy Hash: d7b038483b4e83afcd23d73cff6e1ad1a75eef7de2f33300781de0c2166ea236
Instruction Fuzzy Hash: 1921B3B5D003499FDB10CF9AD984ADEBBF4FB48320F14841AE918A7350D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 051E7348 Relevance: 1.6, APIs: 1, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 051E73C0

Memory Dump Source

Source File: 00000014.00000002.3503654592.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_51e0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6c0f12c9707b00054596ba4adc905a5c292555337f1fb3909b3df33bf27fe963
Instruction ID: 25145cd2bdcc3b955c5318cecdb10d7f541b81719e506db92c55f27053d20237
Opcode Fuzzy Hash: 6c0f12c9707b00054596ba4adc905a5c292555337f1fb3909b3df33bf27fe963
Instruction Fuzzy Hash: 782147B2C0065A9BDB10CF9AD545B9EFBB4FF48320F14851AD918A7240D778A900CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 063AB31A Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,063AB199,00000800,00000000,00000000), ref: 063AB38A

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f287b076841734df561db614daa00eca863ae7d5541eafc1da9b2e1c6de2f533
Instruction ID: 473f4c54d583efd4083623b6d134a3582c798aeede2b294e6e1ba0ce4f466b84
Opcode Fuzzy Hash: f287b076841734df561db614daa00eca863ae7d5541eafc1da9b2e1c6de2f533
Instruction Fuzzy Hash: 0911D3B68003499FDB20CF9AD844ADEFBF4EB88720F14842AE559A7240C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 051E7350 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 051E73C0

Memory Dump Source

Source File: 00000014.00000002.3503654592.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_51e0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8cd7549923136330a25988bd6b9bc5fc012314658e11e2a9c7bf523397f4566e
Instruction ID: f2cab97de82e81402cd0da16baabe8f816d66b984705661c89e01b9d56465f58
Opcode Fuzzy Hash: 8cd7549923136330a25988bd6b9bc5fc012314658e11e2a9c7bf523397f4566e
Instruction Fuzzy Hash: 161133B2C00A5A9BDB14CF9AC544B9EFBB4FF48720F14812AD918A7240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063A9EB0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,063AB199,00000800,00000000,00000000), ref: 063AB38A

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5da0d0fe271a4da7a4ce2048c8cda6df6e5c88849efc34091c00287ad2969305
Instruction ID: 0725444b8cc94548ffc645d17161e2cc1081c0686bdc6e8408c159ba8631ff2d
Opcode Fuzzy Hash: 5da0d0fe271a4da7a4ce2048c8cda6df6e5c88849efc34091c00287ad2969305
Instruction Fuzzy Hash: F41114B6C003099FDB10CF9AC844B9EFBF4EB48320F14842AE959A7240C3B5A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063BE710 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 063BE777

Memory Dump Source

Source File: 00000014.00000002.3506858723.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63b0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3591c5ad174b856a9b469768331a33fcbae4f821adce372c61efdcc43b6976c0
Instruction ID: 3871ac84441045e67376e1b82e174ce1554bbe93906fbe593742ec88af61a399
Opcode Fuzzy Hash: 3591c5ad174b856a9b469768331a33fcbae4f821adce372c61efdcc43b6976c0
Instruction Fuzzy Hash: 611112B2C0065A9BCB10CF9AC544BDEFBF4BF48320F15812AD918A7241D3B8A954CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 063AB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 063AB11E

Memory Dump Source

Source File: 00000014.00000002.3506740526.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_63a0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f43ad39ae1b680e725368cb3fc5659aa7b649e4bfe301ad4419e63ffb54cd561
Instruction ID: 3911e59bbd1080109ad5116fed332e120becb17c285566fc3db428395d2abaaf
Opcode Fuzzy Hash: f43ad39ae1b680e725368cb3fc5659aa7b649e4bfe301ad4419e63ffb54cd561
Instruction Fuzzy Hash: 8811E0B6C007498FDB10CF9AD944BDEFBF4EF88224F14842AD419A7210D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3495224346.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_f3d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31eda73de7ed948f3b9a12557074ea2565ee5a67351b5614df54aabe7ce0176
Instruction ID: b180c117aaa891a9b3fa9809b1b127abd4fee3a4ced3c8ca80ebe570aa5e2110
Opcode Fuzzy Hash: c31eda73de7ed948f3b9a12557074ea2565ee5a67351b5614df54aabe7ce0176
Instruction Fuzzy Hash: A92137B6504300DFCB18DF14E5C0B26BB65FB84B34F20C56DD90A0B25AC376D807DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3495224346.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_f3d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26639fbe52dfdec78a14b713164022d2678610e211d670dad5030763924b9a6d
Instruction ID: dc5868d6041561fb1208e0fe85d3ea7e3542e36b667f46c4a95ce9165700b573
Opcode Fuzzy Hash: 26639fbe52dfdec78a14b713164022d2678610e211d670dad5030763924b9a6d
Instruction Fuzzy Hash: 03217F755093808FCB06CF24D990715BF71AB46624F28C5EAD8498B2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 2360, Parent PID: 4004COMMON

Executed Functions

Function 01541340 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da948cf865fd8a8e9ef2562bccaef04e27c6773d06d5a57e9ebd811427cb4bd
Instruction ID: d18649dd267f792d6ffe7c535556351d3a2c922f171e7005769d92e3a7c20158
Opcode Fuzzy Hash: 1da948cf865fd8a8e9ef2562bccaef04e27c6773d06d5a57e9ebd811427cb4bd
Instruction Fuzzy Hash: 7D323B34701A02DFDB54DF78E4D067A77A6FB88344B148969C5068B399DF3AEC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01540BC0 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2369b55cce798bed8be0f50c433e18abd5abcd9fb03a4094365e7ae63c12aaed
Instruction ID: ea3361a3eab543776a2446e9f83c2dab44d40e4a092bf7c312f8871c721bb3d3
Opcode Fuzzy Hash: 2369b55cce798bed8be0f50c433e18abd5abcd9fb03a4094365e7ae63c12aaed
Instruction Fuzzy Hash: F681C135A00301CFDB259BB4D4986AEBBF2FF88314F18856EE5425B2A5DF75AC85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01541230 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7032b9c22c338ce16658cb788befcd49d152c47b17b62de5852f1a46d0c35f
Instruction ID: fcf1822861233ca9352493b68f4ee4cd179fa51a2daaafa6353b01ac908bcb48
Opcode Fuzzy Hash: 9f7032b9c22c338ce16658cb788befcd49d152c47b17b62de5852f1a46d0c35f
Instruction Fuzzy Hash: D0311630741610CFC759AB38D49886D3BE2AF8A71536108B8E502CF372DA76DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01541240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c686c08d53025e53573bc6253eaa2eda4a4b217becbfc40a2c93a9554e9779
Instruction ID: db7348c49e46b748f2537d08839dcd41355bf34cd2db57d92bc49b7213a3fc01
Opcode Fuzzy Hash: e7c686c08d53025e53573bc6253eaa2eda4a4b217becbfc40a2c93a9554e9779
Instruction Fuzzy Hash: E7211634701611CFC758AB39C49881D7BE2AF8A71636118B8EA06CF371DE76DC82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01541C00 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dddcaa3d403c256a530055b266172a5494561dc966942aade1961156b9a3f70
Instruction ID: f462e5496b31e8462e148bce8a69b13b05f7c3b126f0f5c295f8b9700557da19
Opcode Fuzzy Hash: 4dddcaa3d403c256a530055b266172a5494561dc966942aade1961156b9a3f70
Instruction Fuzzy Hash: 88115E76E002069FCB44DFB4D8808EFBBF5FF8931071186AAE515A7221EB759D05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01541C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa9c4b0fc865abc154a9a22f0bdc65b98bed909e1a6e3451da5c0fe1793b8d5
Instruction ID: 22892dbf9c8a976b9ab04d511c946d5bfae1b559c04e23e536b83497f5597870
Opcode Fuzzy Hash: 6fa9c4b0fc865abc154a9a22f0bdc65b98bed909e1a6e3451da5c0fe1793b8d5
Instruction Fuzzy Hash: E0012D76E002069FCB44DFA4D8848AFFBB5FF8D310710856AE51597220EB75A915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01540880 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06dae6b3537935d4701ba6b3410641ae909534c3f5c0bfdee7f19a03d75e5b7
Instruction ID: a98932a7405a98558b8b7895774581ea76d02fd578901c334b6260fc14e76e52
Opcode Fuzzy Hash: c06dae6b3537935d4701ba6b3410641ae909534c3f5c0bfdee7f19a03d75e5b7
Instruction Fuzzy Hash: 3BF08C7090A3A5AFC7529BB8AC500DB7FF4EE43324B0504ABE484D7112E2380D14CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 01540F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341b6c96a7078d1aad8238170760bdf146f2f3074294f2d10810de5634360c2a
Instruction ID: 220e9c2090612b31112646ccf1b36d53af1ff4fa530f89a81dec9229933fcdfa
Opcode Fuzzy Hash: 341b6c96a7078d1aad8238170760bdf146f2f3074294f2d10810de5634360c2a
Instruction Fuzzy Hash: E7F01C74900715CFDB24DB68C19C79D7BF0BB48718F240858D502AB2A1DBB49884CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01541AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a52824a8baf937d91b023fe841a1c49f373bbe29015a1866c6bf45d4f6d266b
Instruction ID: 1dbb60516a04badd3e6c6f1bed3c40ca771cf420840cbd24be6133c021d322db
Opcode Fuzzy Hash: 7a52824a8baf937d91b023fe841a1c49f373bbe29015a1866c6bf45d4f6d266b
Instruction Fuzzy Hash: 63D05B357002149FC710DB79E949A553B7CEF0D711F514095EA04CB250EB72EC14CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 015408A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2484077760.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1540000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463d974db67f69d3871b946ba144d799cb4676e7e8d360008925b7b380775be9
Instruction ID: 54852a5c2b2f70e6984d0d257125bfae16d3f67d676a212c411e876c03b0747b
Opcode Fuzzy Hash: 463d974db67f69d3871b946ba144d799cb4676e7e8d360008925b7b380775be9
Instruction Fuzzy Hash: 8FD017B1D01229AF8B40EFB899051DEBBF8FE08250B100566D90AE3200E2704A108BE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KN5M2K4GWI0PYGPD_7bface649acb4a5ac8b8c5eb3fa345c55bbcc55f_6ddcc831_e065b1b5-2f12-4cbf-afc1-37e3179d3098\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LJAGvecDW.exe_832a725c84dc7e8e3d76e7274e65236eca5dcd_4d380c1c_19f9609d-8e2b-4b9e-a3c0-f528eeb6c484\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D7D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER706C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70BB.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93E1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96FF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER975D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LJAGvecDW.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmpcqmml.uam.psm1

Windows Analysis Report
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre