
Analysis Report DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Analysis ID: 383902
MD5: 4ffb9ee56baeed64d186d62de5c56a05
SHA1: 2982ad3dd5578b7595a8a2ce6dff5f7bcc9a1140
SHA256: 79614387d51e432e6681d699a42018ddb1a91106b47fb2ede9bac493dd5814f5
Tags: DHLexe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe (PID: 5644 cmdline: 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe' MD5: 4FFB9EE56BAEED64D186D62DE5C56A05)
    • cmd.exe (PID: 5784 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5424 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • Files.exe (PID: 6860 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: 4FFB9EE56BAEED64D186D62DE5C56A05)
      • AcroRd32.exe (PID: 5288 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF' MD5: B969CF0C7B2C443A99034881E8C8740A)
        • AcroRd32.exe (PID: 5336 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF' MD5: B969CF0C7B2C443A99034881E8C8740A)
        • RdrCEF.exe (PID: 4880 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 5024 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2690794570082519975 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2690794570082519975 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 5632 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=7685701926627287920 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 6736 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6749621257665537764 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6749621257665537764 --renderer-client-id=4 --mojo-platform-channel-handle=1852 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 6852 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=7499266669204803197 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7499266669204803197 --renderer-client-id=5 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 1332 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6985995476041547175 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6985995476041547175 --renderer-client-id=6 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • InstallUtil.exe (PID: 5248 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Files.exe (PID: 6804 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: 4FFB9EE56BAEED64D186D62DE5C56A05)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.310359944.000000000425A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.311089829.0000000004309000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.509008335.0000000003A9F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.311979523.00000000044CF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001A.00000002.493944777.00000000034C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.Files.exe.382ae38.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
20.2.Files.exe.3a9f6da.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.436444a.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.44cf3fa.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.44cf3fa.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 26.2.InstallUtil.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Joe Sandbox ML: detected
Source: 26.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.280846251.00000000071DB000.00000004.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.486763522.0000000000F02000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb | source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.280846251.00000000071DB000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 4x nop then jmp 06C75E31h | 0_2_06C755B8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_06C7AED0
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 20_2_06624900
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 20_2_066248FA
Source: Joe Sandbox View | IP Address: 80.0.0.0 80.0.0.0

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: Files.exe.0.dr, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.e20000.0.unpack, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: 0.0.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.e20000.0.unpack, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: 19.0.Files.exe.5a0000.0.unpack, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: 19.2.Files.exe.5a0000.0.unpack, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: 20.2.Files.exe.340000.0.unpack, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Source: 20.0.Files.exe.340000.0.unpack, Jq0j/Ze1s.cs | Large array initialization: .cctor: array initializer size 2488
                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample | Static PE information: Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06627D24 CreateProcessAsUserW, 20_2_06627D24
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_018ADB40 0_2_018ADB40
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_018AE828 0_2_018AE828
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C755B8 0_2_06C755B8
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C70040 0_2_06C70040
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C73E38 0_2_06C73E38
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_00FCA450 19_2_00FCA450
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_00FCDB40 19_2_00FCDB40
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_00FCE828 19_2_00FCE828
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_06530040 19_2_06530040
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_065323CA 19_2_065323CA
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_06533E38 19_2_06533E38
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 19_2_06533E28 19_2_06533E28
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0276DB40 20_2_0276DB40
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0276E828 20_2_0276E828
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06629E49 20_2_06629E49
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662DF62 20_2_0662DF62
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06627368 20_2_06627368
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06628B1F 20_2_06628B1F
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06628028 20_2_06628028
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662C03A 20_2_0662C03A
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662B8CF 20_2_0662B8CF
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662F6F9 20_2_0662F6F9
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662D732 20_2_0662D732
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662D738 20_2_0662D738
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06624C00 20_2_06624C00
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06624C10 20_2_06624C10
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662EA10 20_2_0662EA10
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662D2C0 20_2_0662D2C0
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_0662D2BA 20_2_0662D2BA
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06627358 20_2_06627358
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_066700C8 20_2_066700C8
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_06670CE8 20_2_06670CE8
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 20_2_066700B8 20_2_066700B8
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_00F020B0 26_2_00F020B0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_033946A0 26_2_033946A0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_03394672 26_2_03394672
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_03394690 26_2_03394690
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_0339D300 26_2_0339D300
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_065794F8 26_2_065794F8
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_06577538 26_2_06577538
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_06576920 26_2_06576920
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 26_2_06576C68 26_2_06576C68
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304030954.0000000000EEE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameabbc.exeH vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.315714750.0000000006F90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.311089829.0000000004309000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegJXtAEencRYFIZTxBNckJHYqrAmfI.exe4 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.315839238.0000000007010000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.315839238.0000000007010000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.316575725.0000000007BF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.315329822.0000000006C80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.280846251.00000000071DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallUtil.exeT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Binary or memory string: OriginalFilenameabbc.exeH vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@27/54@0/2
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File created: C:\Users\user\AppData\Roaming\Files.exe
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_01
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | ReversingLabs: Detection: 18%
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2690794570082519975 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2690794570082519975 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=7685701926627287920 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6749621257665537764 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6749621257665537764 --renderer-client-id=4 --mojo-platform-channel-handle=1852 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=7499266669204803197 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7499266669204803197 --renderer-client-id=5 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6985995476041547175 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6985995476041547175 --renderer-client-id=6 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
                      Source: C:\Users\user\AppData\Roaming\Files.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2690794570082519975 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2690794570082519975 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=7685701926627287920 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6749621257665537764 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6749621257665537764 --renderer-client-id=4 --mojo-platform-channel-handle=1852 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=7499266669204803197 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7499266669204803197 --renderer-client-id=5 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6985995476041547175 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6985995476041547175 --renderer-client-id=6 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile opened: C:\Windows\SysWOW64\Msftedit.dll
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.280846251.00000000071DB000.00000004.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.486763522.0000000000F02000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
                      Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.280846251.00000000071DB000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_00E22080 push edi; ret 0_2_00E22082
                      Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 19_2_005A2080 push edi; ret 19_2_005A2082
                      Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 19_2_06532202 push es; retf 19_2_06532220
                      Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 19_2_06532332 push es; retf 19_2_06532350
                      Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 19_2_065311E8 push es; retf 19_2_0653208C
                      Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 20_2_00342080 push edi; ret 20_2_00342082
                      Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 20_2_0276A450 push eax; ret 20_2_0276A569
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 26_2_0657A61F push es; iretd 26_2_0657A63C
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 26_2_06578542 push es; ret 26_2_06578550
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\Files.exe File opened: C:\Users\user\AppData\Roaming\Files.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\Files.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\Files.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeWindow / User API: threadDelayed 5265Jump to behavior
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeWindow / User API: threadDelayed 4235Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeWindow / User API: threadDelayed 2657Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeWindow / User API: threadDelayed 3459Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 1147
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 8699
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 5364Thread sleep time: -23058430092136925s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4840Thread sleep count: 5265 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4840Thread sleep count: 4235 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 6072Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4196Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6988Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 7104Thread sleep count: 175 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 7104Thread sleep count: 63 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6932Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6852Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 7076Thread sleep time: -20291418481080494s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 7156Thread sleep count: 2657 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 7156Thread sleep count: 3459 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5244Thread sleep count: 51 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5244Thread sleep time: -51000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6048Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4228Thread sleep count: 1147 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4228Thread sleep count: 8699 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\Files.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\Files.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
                      Source: reg.exe, 00000005.00000002.257789535.0000000002D00000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.504449810.0000000006410000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: AcroRd32.exe, 0000001B.00000002.531562783.000000000D613000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
                      Source: reg.exe, 00000005.00000002.257789535.0000000002D00000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.504449810.0000000006410000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: reg.exe, 00000005.00000002.257789535.0000000002D00000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.504449810.0000000006410000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304457566.00000000013B5000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: reg.exe, 00000005.00000002.257789535.0000000002D00000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.504449810.0000000006410000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeCode function: 27_2_00632050 LdrInitializeThunk,27_2_00632050
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Files.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
                      Writes to foreign memory regions
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 10F7008
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                      Source: Files.exe, 00000014.00000002.492990868.00000000011B0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.492973656.0000000001E80000.00000002.00000001.sdmp, AcroRd32.exe, 0000001B.00000002.494253115.00000000051C0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
                      Source: Files.exe, 00000014.00000002.492990868.00000000011B0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.492973656.0000000001E80000.00000002.00000001.sdmp, AcroRd32.exe, 0000001B.00000002.494253115.00000000051C0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: Files.exe, 00000014.00000002.492990868.00000000011B0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.492973656.0000000001E80000.00000002.00000001.sdmp, AcroRd32.exe, 0000001B.00000002.494253115.00000000051C0000.00000002.00000001.sdmp; Binary or memory string: Progman
                      Source: Files.exe, 00000014.00000002.492990868.00000000011B0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.492973656.0000000001E80000.00000002.00000001.sdmp, AcroRd32.exe, 0000001B.00000002.494253115.00000000051C0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Files.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 26_2_06572654 GetUserNameW, 26_2_06572654
                      Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match; File source: 00000000.00000002.310359944.000000000425A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.311089829.0000000004309000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000014.00000002.509008335.0000000003A9F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.311979523.00000000044CF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001A.00000002.493944777.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: Files.exe PID: 6860, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5248, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5644, type: MEMORY
                      Source: Yara match; File source: 20.2.Files.exe.382ae38.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.3a9f6da.7.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.436444a.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.44cf3fa.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.44cf3fa.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4419c3a.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.43bf04a.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.425ab58.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.398f32a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.39e9f1a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.393472a.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.436444a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.425ab58.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.43bf04a.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.398f32a.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.39e9f1a.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.3a9f6da.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4419c3a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.382ae38.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.393472a.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5248, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match; File source: 00000000.00000002.310359944.000000000425A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.311089829.0000000004309000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000014.00000002.509008335.0000000003A9F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.311979523.00000000044CF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001A.00000002.493944777.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: Files.exe PID: 6860, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5248, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5644, type: MEMORY
                      Source: Yara match; File source: 20.2.Files.exe.382ae38.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.3a9f6da.7.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.436444a.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.44cf3fa.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.44cf3fa.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4419c3a.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.43bf04a.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.425ab58.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.398f32a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.39e9f1a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.393472a.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.436444a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.425ab58.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.43bf04a.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.398f32a.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.39e9f1a.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.3a9f6da.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4419c3a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.382ae38.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 20.2.Files.exe.393472a.6.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts (1) | Windows Management Instrumentation (211) | Valid Accounts (1) | Valid Accounts (1) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Valid Accounts (1) | LSASS Memory | Security Software Discovery (221) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (212) | Modify Registry (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | NTDS | Virtualization/Sandbox Evasion (141) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Disable or Modify Tools (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion (141) | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (212) | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories (1) | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information (2) | /etc/passwd and /etc/shadow | File and Directory Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing (1) | Network Sniffing | System Information Discovery (113) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Behavior Graph ID: 383902
                      Sample: DHL_Express_Shipment_Invoic...
                      Startdate: 08/04/2021
                      Architecture: WINDOWS
                      Score: 100

                      Top-level signatures:

                      • Found malware configuration
                      • Multi AV Scanner detection for submitted file
                      • Yara detected AgentTesla
                      • 3 other signatures

                      Process tree (graph node id, process name, per-node counts as drawn in the graph):

                      • 9 DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe (15 7) started
                        • dropped: C:\Users\user\AppData\Roaming\Files.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\user\...\Files.exe:Zone.Identifier (ASCII); DHL_Express_Shipme...4700456XXXX.exe.log (ASCII)
                        • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                        • 15 Files.exe (3 4) started
                          • DNS/IP: 192.168.2.1 unknown unknown
                          • signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                          • 21 InstallUtil.exe started
                            • signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                          • 24 AcroRd32.exe (39) started
                            • 30 RdrCEF.exe started
                              • 34 RdrCEF.exe started
                                • DNS/IP: 80.0.0.0 NTLGB United Kingdom
                              • 37 RdrCEF.exe started
                              • 39 RdrCEF.exe started
                              • 41 2 other processes
                            • 32 AcroRd32.exe started
                        • 19 cmd.exe (1) started
                          • 26 conhost.exe started
                          • 28 reg.exe (1 1) started
                      • 13 Files.exe (14 3) started
                        • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 19% | ReversingLabs | Win32.Trojan.Woreflint
                      DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\Files.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
                      C:\Users\user\AppData\Roaming\Files.exe | 19% | ReversingLabs | Win32.Trojan.Woreflint

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      26.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries


                                                      Contacted IPs


                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
80.0.0.0 | unknown | United Kingdom | 5089 | NTLGB | false

                                                      Private

                                                      IP
                                                      192.168.2.1

                                                      General Information

                                                      Joe Sandbox Version:31.0.0 Emerald
                                                      Analysis ID:383902
                                                      Start date:08.04.2021
                                                      Start time:12:06:34
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 14m 19s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Sample file name:DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of analysed new started processes analysed:40
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@27/54@0/2
                                                      EGA Information:Failed
                                                      HDC Information:
                                                      • Successful, ratio: 0.7% (good quality ratio 0.3%)
                                                      • Quality average: 29.8%
                                                      • Quality standard deviation: 36.3%
                                                      HCA Information:
                                                      • Successful, ratio: 96%
                                                      • Number of executed functions: 167
                                                      • Number of non-executed functions: 4
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found application associated with file extension: .exe
                                                      Warnings:
                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.147.198.201, 23.54.113.53, 172.217.168.4, 204.79.197.200, 13.107.21.200, 40.88.32.150, 95.100.54.203, 104.43.193.48, 20.50.102.62, 23.0.174.200, 23.0.174.185, 23.10.249.26, 23.10.249.43, 104.43.139.144, 20.54.26.129, 23.10.249.187, 23.0.174.233, 23.54.113.182
                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, e4578.dscb.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, acroipm2.adobe.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, a122.dscd.akamai.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, www.google.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, acroipm2.adobe.com.edgesuite.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, ssl.adobe.com.edgekey.net, a-0001.a-afdentry.net.trafficmanager.net, armmf.adobe.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383902/sample/DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
12:07:48 | API Interceptor | 46x Sleep call for process: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe modified
12:07:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Files C:\Users\user\AppData\Roaming\Files.exe
12:07:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Files C:\Users\user\AppData\Roaming\Files.exe
12:08:19 | API Interceptor | 29x Sleep call for process: Files.exe modified
12:08:56 | API Interceptor | 3x Sleep call for process: RdrCEF.exe modified
12:09:22 | API Interceptor | 73x Sleep call for process: InstallUtil.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match: 80.0.0.0
Associated Sample Name / URL | Detection
DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious
DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe | malicious
APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe | malicious
#U260f8284.HTML | malicious
HunpuKMHQt.exe | malicious
JbQoNNPVOk.exe | malicious
_vm583573758.htm | malicious
March 17, 2021, 101142 AM.HTM | malicious
message_zdm.html | malicious
0000001_Carved.pdf | malicious
BWKPI3LiLi.jar | malicious
BWKPI3LiLi.jar | malicious
fakeadmin.pdf | malicious
x4F1uS8nAq.exe | malicious
vUp5vjYOoL.exe | malicious
2021-02-15__Mail-Degroof-Petercam_ENC.docx | malicious
InformaAllSecure_Enhanced_Health_Safety_Standards_2021.docm | malicious
Swift.pdf.jar | malicious
0001.jar | malicious
FedEx-Shipment-90161131174.jar | malicious

                                                                                              Domains

                                                                                              No context

                                                                                              ASN

Match: NTLGB
Associated Sample Name / URL | Detection | Context
DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious | 80.0.0.0
DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe | malicious | 80.0.0.0
APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe | malicious | 80.0.0.0
#U260f8284.HTML | malicious | 80.0.0.0
HunpuKMHQt.exe | malicious | 80.0.0.0
1.sh | malicious | 62.254.90.3
PDFXCview.exe | malicious | 82.38.144.251
JbQoNNPVOk.exe | malicious | 80.0.0.0
_vm583573758.htm | malicious | 80.0.0.0
March 17, 2021, 101142 AM.HTM | malicious | 80.0.0.0
message_zdm.html | malicious | 80.0.0.0
0000001_Carved.pdf | malicious | 80.0.0.0
BWKPI3LiLi.jar | malicious | 80.0.0.0
BWKPI3LiLi.jar | malicious | 80.0.0.0
2ojdmC51As.exe | malicious | 62.30.7.67
fakeadmin.pdf | malicious | 80.0.0.0
8dazsN65iH.exe | malicious | 80.193.200.66
Y17R73rU50.exe | malicious | 92.239.246.126
x4F1uS8nAq.exe | malicious | 80.0.0.0
delZYToJxe.exe | malicious | 92.239.246.126

                                                                                              JA3 Fingerprints

                                                                                              No context

                                                                                              Dropped Files

Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Associated Sample Name / URL | Detection
DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious
Sample Qoutation List.exe | malicious
DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe | malicious
APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe | malicious
Thalesnano.exe | malicious
DHL_SHIPMENT_ADDRESS_CONFIRMATION_00000001.exe | malicious
RFQ#040820.exe | malicious
payment swift copy.exe | malicious
I201002X430 CIF #20210604.exe | malicious
PO#29710634.exe | malicious
PO_6620200947535257662_Arabico.PDF.exe | malicious
payment notification.exe | malicious
Payment Notification.exe | malicious
s.exe | malicious
MV.exe | malicious
e.exe | malicious
SL_PO8192.PDF.exe | malicious
QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious
RFQ9088QTY.exe | malicious
NEWQUOTATION#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious

                                                                                                                                      Created / dropped Files

                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):615
                                                                                                                                      Entropy (8bit):5.635800606437158
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:vDRM906ZiE5DRM9QCUeZiERDRM9a3ZiE:7rnEdDEFzAE
                                                                                                                                      MD5:F434E1C732245B76DEF197BD60AC16B3
                                                                                                                                      SHA1:34EA677CADEE67F095863114D9079CC410331775
                                                                                                                                      SHA-256:A586EE166BBF158BBED1C55BBE1FCC62735B343686187F85E30078DD19F38792
                                                                                                                                      SHA-512:F4AF1AC92F1AE2502875673764D295EEC0E8B2C2FBD0E0E7C1F45E69254A71E80E77471F5543B4B152618C7ADD60F6287575C18BFC60C3CF8480080333F98BCC
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ......./....."#.D...6...A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo.......uS.........0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ..V/.../....."#.DTrM7...A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo......V..(........0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ...W.../....."#.D.0.7...A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo.......OH8........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):696
                                                                                                                                      Entropy (8bit):5.6308436748735815
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:V9zRDi9PQv9z0JLX9PQz9zLri9PQ59znl9PQk:XzI9PQlz0JLX9PQRzLri9PQjzl9PQk
                                                                                                                                      MD5:23A112570EBE8410ECBBD632BDCC4B84
                                                                                                                                      SHA1:DE23CD2BCBD36B5F51A701CFB98441FC2E5BD7E8
                                                                                                                                      SHA-256:FD86F7B533680463CE979D387C10D4CA3BCF1A2FE0E5D300E4F2A2C66461864B
                                                                                                                                      SHA-512:9A53081CA86D81F71EE5040648D65479ED49F6E9AE4C4092FA21AA3717127B763DF37A3FE74E301790B6758F988E6BF4146D3AFA104A65E0DEE4ACC083792EAA
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js ..(D.../....."#.DZ.i3...A.1.x.'.vI..*|Z..o...+.4....0..A..Eo...................A..Eo........N........0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js .&...../....."#.DeU.4...A.1.x.'.vI..*|Z..o...+.4....0..A..Eo...................A..Eo.......#qA........0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js ......./....."#.D..6...A.1.x.'.vI..*|Z..o...+.4....0..A..Eo...................A..Eo......X.+E........0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js ...:.../....."#.D.tl7...A.1.x.'.vI..*|Z..o...+.4....0..A..Eo...................A..Eo........*.........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):738
                                                                                                                                      Entropy (8bit):5.590037872122861
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:DyeRVFAFjVFAFdlUo6jA5yeRVFAFjVFAFQxlUo6jUSyeRVFAFjVFAF07lUo6j:tB4v4dSBA3B4v4QxSBUSB4v4+SB
                                                                                                                                      MD5:9E11070B91A726C74C025A91A2805E79
                                                                                                                                      SHA1:50D1698FA46456415949CD608C9688F2ED85BF7E
                                                                                                                                      SHA-256:E1446F84BAAD737A0ECA35AFAC04BC783DDA51557BA49B2423BA6C4A47F85481
                                                                                                                                      SHA-512:4B9518C5C82B3318F8E2A5B9C12482EA0448033A0BD2DA1B5AFE85EE132900647D448F6854561429B45AADA71EF4E3E14EF287A57CD9503D9462DD3EE3243D21
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js ..|..../....."#.DD..6...A..hvDO.N.t@.....n.*...... ....A..Eo...................A..Eo.......b5.........0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js .../.../....."#.D..K7...A..hvDO.N.t@.....n.*...... ....A..Eo...................A..Eo.......a:.........0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js ..|T.../....."#.D.".7...A..hvDO.N.t@.....n.*...... ....A..Eo...................A..Eo......`.>)........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):232
Entropy (8bit):5.64562470639347
Encrypted:false
SSDEEP:6:mNtVYOFLvEWdFCi5RsFCJiWulHyA1TK6ti:IbRkiDNoWuss
MD5:03CEA3F22798C3F2ABD2A04592703148
SHA1:8E98F928C9F0C7B0A22FF1FEAA4A7607891214E3
SHA-256:D01339B9B6A2F7543782454E6B2060DE7E132CCFA160ED9266DF62DA608D5D93
SHA-512:EC74B138405CAF7ACEFE259DEEBE4974DF87B897EEF39D72A9847F550C245A881C870785220111A5E8E31EAA2EF34E41C27F74EA19C838A0B9DBC9CF0BBE4C92
Malicious:false
Preview: 0\r..m......h.....'....._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-tool-view.js ...>.../....."#.DV.7...A..8 P..a...R..Y....7.@..2Dm{..A..Eo...................A..Eo.................
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):420
Entropy (8bit):5.630726623968926
Encrypted:false
SSDEEP:6:m+yiXYOFLvEWd7VIGXVuv07KazOVVyh9PT41TK6tXllE+yiXYOFLvEWd7VIGXVuc:pyixRuAQV41TEp/zyixRuKwkV41TE
MD5:57B4603676DE181B1632CC1B2C226526
SHA1:12A2E9177FF2FAD71DFA754C9C7B72353F0F8811
SHA-256:AB04AB755A0A1DD0224BE09CDCDFCEDFB7DA934D00BFC1D81DA74CDAB0E7522C
SHA-512:7A707EC336EE3F7B369C2A5721B44F92436202B1FE444073BF4116B59E644F35E68FAD4DB05A3E2995216F4238FDB30676A2782C6899AD2B9D5CF2B2BB602312
Malicious:false
Preview: 0\r..m......R...kP]g...._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/selector.js .N...../....."#.D..6...Ak.Q.....-_..y.....O...>..1....A..Eo...................A..Eo......."..........0\r..m......R...kP]g...._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/selector.js .I|V.../....."#.D...7...Ak.Q.....-_..y.....O...>..1....A..Eo...................A..Eo........U.........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):432
Entropy (8bit):5.629069229869171
Encrypted:false
SSDEEP:6:mvYOFLvEWdhwjQwlbNLZIl6P41TK6tXCvYOFLvEWdhwjQaJNLZIl6P41TK6tM:0RhknlbNLZCR4RhkJJNLZC
MD5:4319A39BD72B2D68239D0D377362CBE7
SHA1:354F33FC7EF22E05EB3C25D1F87B5EEDE804C26D
SHA-256:5C99B08298B032E83DB656FC797FF25FF46CE7725C5A5071847F8F178277235C
SHA-512:57DD3275011201D9969F651C750B6FB0F688FC892E363FC5FD10C77C72AB3054B048DAD970075FCE8D21B8AFA61337C6E79B7784FEAA9C87B947CA8A8AF0FB2A
Malicious:false
Preview: 0\r..m......X.....V....._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/plugin.js ......./....."#.D_.y5...A.].>....uUf..N...k......c..l.A..Eo...................A..Eo..................0\r..m......X.....V....._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/plugin.js .^.N.../....."#.D.>.7...A.].>....uUf..N...k......c..l.A..Eo...................A..Eo......+...........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):418
Entropy (8bit):5.576941520647967
Encrypted:false
SSDEEP:6:mJYOFLvEWdGQRQOdQNL86g1TK6tlEJYOFLvEWdGQRQOdQ8JaE96g1TK6tpl:2RHRQC6o1ERHRQCpn91
MD5:8ACCAB8446F1CE037C0840150ACD1E4D
SHA1:3E4A74650611DF0B220F1A4ED265B8B6EE7AFD31
SHA-256:222EE1B16EF2B3E2F9B173A91BF67EA50A0EE5FE2C4B3632EC60D9A0EC44BA20
SHA-512:D0CC27EF61F03238DCDE38BBD91E2D929A6D634201DC336DEC3E7B3CF6BC9D83D88407340FD9EE77BECDD16928FDAF521FA7A2F749C18144470949F05B188253
Malicious:false
Preview: 0\r..m......Q..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/plugin.js .+...../....."#.D...6...A..c..y/L....|y.n..C/I.....X7-ne.A..Eo...................A..Eo.................0\r..m......Q..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/plugin.js ..V.../....."#.D...7...A..c..y/L....|y.n..C/I.....X7-ne.A..Eo...................A..Eo.........*........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):716
Entropy (8bit):5.6108427126335
Encrypted:false
SSDEEP:12:Z5MJ13hMuR/EN5MkMuR/E1dB5MChMuR/Eu5MEoDhMuR/EA:ZS7muR/ENS9uR/EhSCmuR/EuSD6uR/EA
MD5:3215BB3454A769DE5B581837B78C4A06
SHA1:A6FB7833AC0985BC67DB77E4288DAEAA0EB7A21F
SHA-256:BC76879644DF0D00F9A541F87090BE5B0D14F84B65585B116CA43B59866052B2
SHA-512:24D344C1C4D681825E4422246D1E6C18F06D2C7E17BA088F80B2B41FDD113CDD381DC7B6A77DC553E3CE555A8D8B4874A24542A09E804B2E3A8CC71468D4D90E
Malicious:false
Preview: 0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js .&-D.../....."#.D,.i3...A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo................0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js ......./....."#.D){.4...A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo..................0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js ......./....."#.D...6...A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo......{...........0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js .'M:.../....."#.D.7m7...A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo..................
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\39c14c1f4b086971_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):212
Entropy (8bit):5.579550237103362
Encrypted:false
SSDEEP:6:mGpYOFLvEWdzAAuUU07K/sm0bbsIDMGH41TK6t9:XfRMOU0O/XKsIZE
MD5:CBE31ACA699EEBD37703CFD7011205BF
SHA1:994B116E11770F64012006F1656FB2EC888B86BA
SHA-256:C1AD4E7025284938A5BE274D428B0E2908C6D022280697978CAA20B16711B30E
SHA-512:933ECD9E9DB65E3B6FD8EC888AB925EBD4047160B152F26FA17B90D210AB29F7E015D7EBD1E2F6BC5EE9D643E657108859BEDD6C0558815EE608BDECE4819E4F
Malicious:false
Preview: 0\r..m......T....,.^...._keyhttps://rna-resource.acrobat.com/static/js/plugins/walk-through/js/selector.js .h.".../....."#.D,*.7...A..`.....^....L>..Xa./......C.y.A..Eo...................A..Eo.........e........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):428
Entropy (8bit):5.550243101685875
Encrypted:false
SSDEEP:6:m4fPYOFLvEWdtuKvMby0zBUKSAA1TK6tc4fPYOFLvEWdtuNMby0zBUKSAA1TK6tm:pR9Mbe5RSMbe
MD5:A945C5C03E3DFDA250FA12840F97E94F
SHA1:B258AB37EE5357072EBF2030847483F813214AFF
SHA-256:A93477E427C316B407DA51502F7F4FC30A97D30FBD2A70DBE102F685EAA6E647
SHA-512:203CA0864CF534F4F78B866D334AC1702FC2B8F7C9A219CB13E03306C042AD50D6559884BB0629F870F604B2A231E22FC17BDC1052BC0659AD24C55E42BE194A
Malicious:false
Preview: 0\r..m......V..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/search-summary/js/selector.js .5...../....."#.D.m.6...AQ..E.=....=h`t..t..3%A.F$..w..A..Eo...................A..Eo........r.........0\r..m......V..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/search-summary/js/selector.js ..1X.../....."#.D~7.7...AQ..E.=....=h`t..t..3%A.F$..w..A..Eo...................A..Eo..................
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):708
Entropy (8bit):5.593680028722721
Encrypted:false
SSDEEP:12:KkXxKMSCvActUl4wkXxKMSCvXbtUlikXxKMSCvLtUlhwkXxKMSCvlXtUl:KkXxiC/W4wkXxiCDWikXxiCzWmkXxiCo
MD5:E6DD0FF4828F37ED362AF52065FD03A4
SHA1:11ECAC1D098D8576DDBD51B521D31C1C6561E0FF
SHA-256:434972F36526DE8BADAE1B55B99B69985F35A8305C508145B0E5856FB22C9981
SHA-512:60CC1309FA953189D879C9A1821460FB104198EC3E2DCF0270F72ED6A36B38266DC1CE400D5A953994F80C6F4C599BFF53F43DA009AA295009EF21C826676474
Malicious:false
Preview: 0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js .>+D.../....."#.Dd.i3...A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo......J.ZF........0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js ...../....."#.D.m.4...A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo......|..C........0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js ......./....."#.D...6...A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo.......%N.........0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js . K:.../....."#.DG.m7...A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo......v..2........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):748
Entropy (8bit):5.630349041096794
Encrypted:false
SSDEEP:12:5h6OLKSakFjh6OL+iJnkzh6OLtEdjkJBh6OLXGkvH:5h6nG5h6pzh60EGJBh6Cj
MD5:137A35F904681835A1A39B871E72AEDA
SHA1:700C7AD1EB8B0A1815F606BE9C4DA432DE1A8BE1
SHA-256:78CFFA3708E61C77C759B483CA9AEDF8EC07C33A89B0DEE5A71F3031C1B28EB4
SHA-512:521C9ADB73D5673A8CF933EC0394DB56ADCCB43674487EB958AB64E81FE725E12B99A6691F7093A5376719B0DC5B4B34F00ACA2422A96A16E151D86A823BEEBC
Malicious:false
Preview: 0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js .7.\.../....."#.D.2.3...A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo.........0........0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js ..*..../....."#.D.a$5...A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo......!.9.........0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js .s. .../....."#.D...7...A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo......2..C........0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js ...J.../....."#.D..7...A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo......l..L........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):732
Entropy (8bit):5.671971589599088
Encrypted:false
SSDEEP:12:URVFAFjVFAFdGwSeKaTLnN8RVFAFjVFAFnwSeKaTLnhORVFAFjVFAFLBm+wSeKa3:UB4v4owzXLnGB4v4nwzXLnQB4v4LZwzz
MD5:D11EAF1E347123151FE599B4FF159B1C
SHA1:1F949FC4079568C3A2DB52D0A66E473D0CF239C1
SHA-256:6C16D2F01D36EF0E10441455F9C75F3BE55F6119B7C0A28A7DB9E3EE8F460561
SHA-512:1630E5DE37D39E134AC454576EDADC1EA1C3DD7848398899885B8F9B2516290C45BA528199D7E81B719D78600B1F2A9B8052D2C2B325CEF2160BE7C86278A590
Malicious:false
Preview: 0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ..`..../....."#.D.F.6...A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo......)I'G........0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ...1.../....."#.D.fU7...A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo......'B..........0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ..}V.../....."#.D...7...A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo......]Xz;........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6267ed4d4a13f54b_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):210
Entropy (8bit):5.5252538061218335
Encrypted:false
SSDEEP:6:mq9YOFLvEWdzAHdQEpaGX5GFCaa+41TK6tc:NRMHd/aA5Gda+E
MD5:02AA0DD39E5741CB6B04980B6DBE4654
SHA1:7DBB554FB50639233ADD1150C7D652723AF39B35
SHA-256:CA051D8A10E14CBBF1A2F361FF5695CFB95CC4617ABD73CFD35F44277DD1FA64
SHA-512:EAD74E5808890E5AF91EEA8F093A93D27BCB43896C95A2E1474F51C1E89FFEB84A0E37017BB07242A677864AA6E0DEEDA365F2C7998E9CB1FF8F55F88B6E7794
Malicious:false
Preview: 0\r..m......R....L......_keyhttps://rna-resource.acrobat.com/static/js/plugins/walk-through/js/plugin.js ...".../....."#.DI..7...A...G.3D.....Q.g0...._.Q.........A..Eo...................A..Eo..................
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):422
Entropy (8bit):5.557797913075811
Encrypted:false
SSDEEP:6:ms2VYOFLvEWdvBIEGdeXurFD11TK6tPeMs2VYOFLvEWdvBIEGdeXuCyJR11TK6tK:BsR2EseoFBysR2Ese6FU
MD5:AD8E5AE899F53B8572E50835618D675F
SHA1:B14302388AFC55E196057A47907902E3754DED4C
SHA-256:81DCB469AE73D80D8D4A8AE3C9C60264DF2AB088E944CB6087E55A47D5D35016
SHA-512:F7B1CFA1F15772539C41D66B7DB5A3580649D90467EEA0501B4430C06FF9EA4602568FA3BC1671F31B78887504808B04CA34F216FD8E5B8D8FB7010FF135A246
Malicious:false
Preview: 0\r..m......S...]......._keyhttps://rna-resource.acrobat.com/static/js/plugins/add-account/js/selector.js .$1..../....."#.D.+.6...A.A.o]@r..Q.....<w.....].n\....A..Eo...................A..Eo......S...........0\r..m......S...]......._keyhttps://rna-resource.acrobat.com/static/js/plugins/add-account/js/selector.js .z-U.../....."#.D@..7...A.A.o]@r..Q.....<w.....].n\....A..Eo...................A..Eo......8...........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):404
                                                                                                                                      Entropy (8bit):5.683681693450438
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:maVYOFLvEWdwAPCQSrRx4B7OhKlvA1TK6txLaVYOFLvEWdwAPCQI0O0x4B7OhKlM:RbR16fF+BJkSbR16YO0+BJk
                                                                                                                                      MD5:88D7108B998FCB9A57F299545F81866A
                                                                                                                                      SHA1:072BFD49CE5F72F7E5E100A6945956B08B7C308E
                                                                                                                                      SHA-256:93A47773EE2735BB23327FE799710ACC53DBE37E4432EA6907436472E911AA58
                                                                                                                                      SHA-512:7EFF11DF300762A472A01F03F7040B5C3C350629978D223B2F0D734EE7FF2F2AB69DE0824D281523D6F57ACCA206C947377DE2B9788FE9C6C2C684FBFCB52C6B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......J......{...._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/plugin.js ....../....."#.DN.x5...A..4T].....Tw.....(..b...EO....9.A..Eo...................A..Eo........j.........0\r..m......J......{...._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/plugin.js .B.N.../....."#.D...7...A..4T].....Tw.....(..b...EO....9.A..Eo...................A..Eo.......E?'........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):422
                                                                                                                                      Entropy (8bit):5.600342521671527
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:ms2gEYOFLvEWdGQRQVuQzQdFt1TK6tE8s2gEYOFLvEWdGQRQVuKlSvQdFt1TK6t:B2geRHRQJ0ir2geRHRQDli0
                                                                                                                                      MD5:78DAE877BD510F82D92DC999D09B72AC
                                                                                                                                      SHA1:DF30C16D2EDBE2CBB3BFD13CC45C2E2EBFEE4BB9
                                                                                                                                      SHA-256:FF28F4F40E0030FC799CD86D0317CDACC13FBF722BF6983A14FFA8F736E0546C
                                                                                                                                      SHA-512:4E672211D63C95704187F1DB7263FC49B6E76F5587C274355E452DA4FD9725F623B5EFD6BAC378DB846E71400CA6881B25373D0A72A4165C0D706ADAA04D7D93
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......S...W.%z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/selector.js ......./....."#.D!!.6...A@..{o]...9o|..qY....T....{..u.b..A..Eo...................A..Eo.......W 0........0\r..m......S...W.%z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/selector.js ...T.../....."#.Dd..7...A@..{o]...9o|..qY....T....{..u.b..A..Eo...................A..Eo..................
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):824
                                                                                                                                      Entropy (8bit):5.661389543444589
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:WyeRl7Et1wZyeRlSoRt1wrlMyeRl+rAt1wMyeRlYpt1wO:WJTEfwZJ6Ufwr+JJfwMJQpfw
                                                                                                                                      MD5:47F1EB9BA042E2F5F0CDDA940EE09DC4
                                                                                                                                      SHA1:C9558BB99FB64CC2CCB35BA51CE51EB3950D15BB
                                                                                                                                      SHA-256:EA9FAE2E9AD52B507DDDD56E9D782D6F50D2DF8FEFE802EA0BB4ADE8B672ECD3
                                                                                                                                      SHA-512:98CE8C20AA688446117648B0B608B99BEA8E4F68742A16A9DB9EC1F63ABD0278B772C3297A0CE6DB7779F4356BA0C26F490CC1E7065D9BDDBBFEDCFAF6707CA6
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js .6C`.../....."#.Dy..3...A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo......dQd.........0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js .&H..../....."#.D..U5...A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo........|\........0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js .nX%.../....."#.D...7...A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo.......a.........0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js ..lL.../....."#.D...7...A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo......@'"~........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):436
                                                                                                                                      Entropy (8bit):5.599077139770709
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:mnYOFLvEWdhwyuLilwrqwK+41TK6t0enYOFLvEWdhwyu/JAiwrqwK+41TK6t:wRh8ewK+EhRhqASwK+E
                                                                                                                                      MD5:D872BFFA7E5D4B3FFF9E413FE8C87CA5
                                                                                                                                      SHA1:9423D31FED96923E27CDE57DE4E5A157EE3931DC
                                                                                                                                      SHA-256:E811DA9B3CCDE0C2C612D7260D632A829C3A9D22F5EB898807EAD6B7A25DE2BF
                                                                                                                                      SHA-512:E4C4F6B3AE9FB4E94744420EA6CB5615EEF6F6C293E9796AC6D845BA69F2CCD025BC7FD2EDD48FCE899CA5216864583886DE952A1AC5FBD5BA7B24B7F1D2823D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......Z.........._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/selector.js ....../....."#.D..x5...A.......7...o..a=.98I......(3.$G.A..Eo...................A..Eo......,y.{........0\r..m......Z.........._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/selector.js ..%N.../....."#.Dx..7...A.......7...o..a=.98I......(3.$G.A..Eo...................A..Eo.......KTA........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):920
                                                                                                                                      Entropy (8bit):5.662354143416874
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:/RrROk/ElWIfLEmRrROk/7nIfLEHCvRrROk/8fLEkVRrROk/BMfLE:/PJ/E0I4mPJ/7I4HGPJ/84kVPJ/m4
                                                                                                                                      MD5:55746FE1AEBF73F23A5DAC5B8CF88634
                                                                                                                                      SHA1:07F421CA196BDBE7C102CC8F2B706E5112FA71C4
                                                                                                                                      SHA-256:BDFD32BBFCE5ACB9ED8FA8AF83340CD2AC54F8D9790BC61841E6DB775BAB3507
                                                                                                                                      SHA-512:3D2C0F4591A307B5DB2A36B2B21A3B10984BE4B89C740AB584BBB698AECBB4A3E1DE77C608072CB6539FA8F1D587795AA7197FEA84AE46CF6BC6149F45DB89AA
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js .M._.../....."#.D.w.3...A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo......b...........0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js ..-..../....."#.D..T5...A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo......]..@........0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js ..T%.../....."#.DD..7...A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo..................0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js ..iL.../....."#.D..7...A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo......UT}.........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):744
                                                                                                                                      Entropy (8bit):5.64396843418981
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:xqTk5CPLnZqTdUCPLnL2TqTR/PCPLnOqTo4CPLn:AA5MnoBUMnLRFPMnhbMn
                                                                                                                                      MD5:1896BD90A2A4B60DB25C248DFA516B73
                                                                                                                                      SHA1:973CB4D874CB8BA6BC028D0B80027D1BEA448984
                                                                                                                                      SHA-256:ED40F40DCB10DBE21D3C20859567F084AB1FF446CFD331D758F7688F9CC0E5B9
                                                                                                                                      SHA-512:C37EE10347C8367A2532EFF0F344C169FA42E1B3F987330930F6A02F07776E1DEC3A879133605C31964B4DE54014D929AD32850535654F5CB4984EC6504149EC
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js ..9\.../....."#.D.).3...A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo........!7........0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js .e...../....."#.DWZ$5...A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo.......Av........0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js ... .../....."#.D\..7...A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo......D.=.........0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js .g.J.../....."#.D.k.7...A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo.......0.........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):621
                                                                                                                                      Entropy (8bit):5.62547705918076
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:m52YOFLvEWdMAutrJTLG/sEJ41TK6t/oW/lM52YOFLvEWdMAuWKkllfsEJ41TK6h:zRMTtG/sDlblZRMrYsDbRMhsD
                                                                                                                                      MD5:CE10371D24A3AD218CC61AA574AE5167
                                                                                                                                      SHA1:B9E97D4E2190F1DDDC6F457BB9787045F7AFEB2E
                                                                                                                                      SHA-256:6DA4400C39156CBF372C46654F8F6C786E37E96D2132876EB0BE691F5B54F625
                                                                                                                                      SHA-512:34EED70F76D3129B7170479D7C64523BE4E768B83DA1824E5736621A2B001B25C87BC58FC88789E26D4484727CC0B45DE8FBA8D8A0447B986CFEB1F3E1BCE554
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js ."...../....."#.Db..6...A..z._a...'.v.......4p3..1.']...A..Eo...................A..Eo.......f.k........0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js .../.../....."#.D.EK7...A..z._a...'.v.......4p3..1.']...A..Eo...................A..Eo......4..!........0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js .x.U.../....."#.DV(.7...A..z._a...'.v.......4p3..1.']...A..Eo...................A..Eo......x.]C........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):630
                                                                                                                                      Entropy (8bit):5.62793551032962
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:mYilPYOFLvEWd8CAdAu+5saT9Y2Fong1TK6tFl/MYilPYOFLvEWd8CAdAuQvxM2/:6lJRdG2FoMBUlJRZvFFoMDlJROviFoM
                                                                                                                                      MD5:529CDD0C9C9FF9C7A5F0E95EA2B7CAB8
                                                                                                                                      SHA1:7D4EFB3C2EEC456C5C5A695B3718A5A1E9357212
                                                                                                                                      SHA-256:757BB58E5D4DF784CFD5AED27D1D2581FE12A1A1F941D426C972DB90E44C11F2
                                                                                                                                      SHA-512:519EEAF738E26E4637109BC0A784E8B6BBB7554725655B3932A0CC7F405A1F2BC04814E7F9712BC0F9DB3FFBC2AE9B820E28AF4761846F4F31D0E3396BD14C50
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......R....|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js ......./....."#.D..6...Ac}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo...................A..Eo.......F..........0\r..m......R....|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js .{./.../....."#.DyxK7...Ac}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo...................A..Eo........yN........0\r..m......R....|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js ..uV.../....."#.D.S.7...Ac}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo...................A..Eo........k.........
                                                                                                                                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0
                                                                                                                                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):892
                                                                                                                                      Entropy (8bit):5.627746480316712
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:UPJ/WvN28PJ/dN2UPJ/6N2ccPJ/0ZEN2h:cJkE0JlEcJiEcUJ8SE
                                                                                                                                      MD5:AAEC06E0773B5FADB67BBDFEC0878B9B
                                                                                                                                      SHA1:D4A7FD954814F0E1F4BA20536B311153D3697E02
                                                                                                                                      SHA-256:BF38516788A58251A1CAD8CD27BF6C1319384EFBEE276A51CCAC95B63463FA98
                                                                                                                                      SHA-512:F700AA0B678A9E7533472BFC4FF3A1680448CEECA4D08BD865124ECC74CD5E6952CEBBB1724CD8D29D621985DFE3698FCD8DF5171FF4A4DBD7624B79D184947E
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js .i._.../....."#.D.E.3...A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo..................0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js .A...../....."#.Dh .5...A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo.......x .........0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js ...$.../....."#.D...7...A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo......^..k........0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js .X.L.../....."#.D..7...A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo......R...........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 852
Entropy (8bit): 5.699670903567938
Encrypted: false
SSDEEP: 12:ehRce5CirNJICehRcG+yRrNJICFhRc6rNJICAhRcKZcrNJIC:ehZ4GJICehnZJICFhBJICAhVgJIC
MD5: A85E2A5D927BAFB7348E00652EB300A7
SHA1: F025644EDCCD8FBA5227272B581E021FC86D49FB
SHA-256: A2074549875C6323605F311FB9A9B1F9DEB648C7E1DA4DE9DD7A0FC8738C843F
SHA-512: D526C3ACCF51EAA832BA6C8A60DFC9CC049560FB7765F924AFD66D89810C955B8274EBEB3F75BE8A8B4C49B2C4ECD80281EDEA12055672ACA21848E85E00EB9B
Malicious: false
Preview: 0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js ..F`.../....."#.D...3...A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo.......7gf........0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js ..n..../....."#.DfiU5...A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo......+...........0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js .(.%.../....."#.Dq..7...A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo.......c..........0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js .aoL.../....."#.DO$.7...A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo.......%..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 832
Entropy (8bit): 5.653765513440349
Encrypted: false
SSDEEP: 6:mOEYOFLvEWdrIhugE3ypZLzgm2d/1TK6t0OEYOFLvEWdrIhugOLQqpZLzgm2d/1Z:0RW7RResRj3RRe0R2OpRReiRCrORRe1
MD5: 3E0D2D18B24B752803DCCE61D3F31FBA
SHA1: A551C3DAC92A02216007439A5B522D8269D8F3E6
SHA-256: A356920821004B6D358CA3C9E854F083A0B422B8EDC5727BD2228C4F231A1119
SHA-512: 973E854AEB5F4A55B0D4BDE4B56D285950991C38A52C7FA057CB1D5B5B61555ECF81A06DBA20F22566DA5C50EE67289DA3B64F94F348ECB57BF1BC4989F13977
Malicious: false
Preview: 0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js .{9_.../....."#.D...3...AZ.Z}Q..4.o....0+..[|..n:*..U.W.A..Eo...................A..Eo......D'.y........0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js .H...../....."#.D..-5...AZ.Z}Q..4.o....0+..[|..n:*..U.W.A..Eo...................A..Eo.......u..........0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js ...$.../....."#.D...7...AZ.Z}Q..4.o....0+..[|..n:*..U.W.A..Eo...................A..Eo.................0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js ...K.../....."#.Dm..7...AZ.Z}Q..4.o....0+..[|..n:*..U.W.A..Eo...................A..Eo........s........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 752
Entropy (8bit): 5.676151940721472
Encrypted: false
SSDEEP: 6:mAElVYOFLvEW1KBoWnkx56uvp1TK6tuMAElVYOFLvEW1KAIkx56uvp1TK6tpSeAB:6JJKBot1JJKAfPPJJKCRKJJKSk96
MD5: 4A9E77CDBA823E011C084314ADB3800D
SHA1: 5729E2A6A4EDF63FE8025600890EB29991C21D26
SHA-256: B19F5AD4FAF6560AE15DBB7171352EDCE32808C0AB6B72D17C38233DBB0B3E64
SHA-512: 3C36A0AD55E4614A1866E9A6A4FBE939A236CF0C79455028618FD54E9D5C353D021ED448B4FA0FC13EB23997EDCF96663181E694D8FEDA128EE08D26F707A5B4
Malicious: false
Preview: 0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js ..EM.../....."#.D..3...Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo.........9........0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js ......./....."#.D...4...Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo......W./........0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js ..]..../....."#.Dl..6...Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo.......=.N........0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js ..O>.../....."#.D...7...Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo........K.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 428
Entropy (8bit): 5.637188232554711
Encrypted: false
SSDEEP: 6:mWYOFLvEWdBJvvuVt07Ka7rhUDLYtmOZn1TK6tiN/EWYOFLvEWdBJvvuA59ghUDm:xRBJnqDcFZLSLRBJLDDcFZL
MD5: 4619F702C5F70CF315F82E1627DE17ED
SHA1: 7604E205F04BD53F4ACCB38D47D92F54206EB26E
SHA-256: 7E0191EA3FDD28CD3F26E0795DB95E5ED85E8A96F6D412DF1E66E217B7C28DFD
SHA-512: 09933C87EADA3779A2C42303EC63924F2CC9C977C5F1E49F6B5274FBFE7B43D969EA8470B7287E0896FB9D6FBABECCDBB0E5498105CD83F07A46C9079CDC733C
Malicious: false
Preview: 0\r..m......V.....h....._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/selector.js ..7..../....."#.D.D.6...A....t.q..W.EZ....1...[.zC.7mD..A..Eo...................A..Eo......x...........0\r..m......V.....h....._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/selector.js ..0U.../....."#.D...7...A....t.q..W.EZ....1...[.zC.7mD..A..Eo...................A..Eo......y.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 844
Entropy (8bit): 5.659478442590167
Encrypted: false
SSDEEP: 6:msRPYOFLvEWIa7zp7wEVPu1TK6tdsRPYOFLvEWIa7zp7zMCVPu1TK6tjO98sRPY8:BPHBcwPH6CcpO9rPHtOoscGZPHr4HcQ
MD5: B91232700EE4F6FB155A8957D9784A83
SHA1: 5077A574B2E857C2BC117B9923A804D64D32CEFA
SHA-256: ECFF64513DC05983129727B4D5CE126C5C29018C6884DA2A2D03ED0744060AFD
SHA-512: F583FCB3D0C5FD8A4708DC53EC80BA976747D8745B8E4DCD669C11CF8883BE4C1CA402F6E92A54545EE220A95693A9A5D26D21BB661E31A00C47F62AB6F9D73C
Malicious: false
Preview: 0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js ../D.../....."#.DV.j3...A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo......$.{.........0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js ....../....."#.D..4...A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo.......V.........0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js ......./....."#.D.M.6...A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo......i=..........0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js ..N:.../....."#.D.nm7...A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo........An........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf0ac66ae1eb4a7f_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 416
Entropy (8bit): 5.619900621198067
Encrypted: false
SSDEEP: 6:mKPYOFLvEWdENU9Ql7KZlCGswiM3Y1TK6ty+KPYOFLvEWdENU9QYOPwiM3Y1TK6S:bJRT99iwr0cJRT9Qwr0O9
MD5: 725FF7E8923E26F6E5D7538F84F9CB47
SHA1: 736A1599092BA754CF2A636040FF2485DEA6F0CE
SHA-256: B45CB77B57225E12707A8671806EAA3692BE21548284EA95A36C84A2267797A8
SHA-512: 411576937C2449CF9D57B45F217F78355C5A0C5A81D59CDFE1F352BAEA2596C216293A00CF8DB934F1B7528065B1D134D02570762EB84BDEC18F265ACE56C87E
Malicious: false
Preview: 0\r..m......P...Yft....._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/plugin.js ......./....."#.D.5...A...M....m+lS..e.....<7.U.P8*.0K.A..Eo...................A..Eo........h~........0\r..m......P...Yft....._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/plugin.js ...N.../....."#.D.(.7...A...M....m+lS..e.....<7.U.P8*.0K.A..Eo...................A..Eo........(Y........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 416
Entropy (8bit): 5.609392356648242
Encrypted: false
SSDEEP: 6:mQt6EYOFLvEWdccAHQ8p+2jBRCh/41TK6tiEQt6EYOFLvEWdccAHQRMb2jBRCh/Z:XRc9x82Di/EUJRc9MMb2Di/EW
MD5: CE382C012C2873EAC963F3F6E4D2768C
SHA1: 7D242935777EFC4472CA5F4EDE4429C9FD04DE4C
SHA-256: 44CCCFAE383CF59E84E166904BF63822E3046B5FBA6F0DD968214FC0D8E26624
SHA-512: D0B8F4CF55F3EF27766EACC10DDFB3F03DD5D1134BD71C58DD5B4A88410CE7A1F8E554BFD36E936C5213F7AD73CC57D25F805CBA7FE08E6D68A83BFDF4EBEB22
Malicious: false
Preview: 0\r..m......P...W3......_keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/plugin.js ..e..../....."#.D9..6...APJm...0x.x..RD...BB!@5..<..]....A..Eo...................A..Eo........f........0\r..m......P...W3......_keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/plugin.js ..~V.../....."#.D.i.7...APJm...0x.x..RD...BB!@5..<..]....A..Eo...................A..Eo......u.y.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d449e58cb15daaf1_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 462
Entropy (8bit): 5.587723540501075
Encrypted: false
SSDEEP: 6:mqs6XYOFLvEWdFCi5mhuXlCwVULlF4r1TK6ti8qs6XYOFLvEWdFCi5mhuwu1uVUH:bs6xRkiFlCZLlF4nEs6xRkiKuZLlF4n
MD5: 4D6206E459D5B809AA1E2E1B2C8CC3A8
SHA1: D4F9369CD236BF7179CABBA235947B3DD9B6398D
SHA-256: 043B37AA44B7709ACC09878F520F38DBFDF9042860FBD3FAC1BB93312ACF3E9C
SHA-512: C661A4FD1199AC75D1159DCF1E1F283DC810639B59A3811F6C8321A9E415AEDD3693C9CCE90ED7626FE6221C44412DFD926F87E86EE341CD7A11BB5A6E2E810A
Malicious: false
Preview: 0\r..m......g...~.I?...._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-selector.js .e.c.../....."#.D.Y.3...A.P...#4..l....5...5..).w.. .h.~..A..Eo...................A..Eo......n#6.........0\r..m......g...~.I?...._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-selector.js ...&.../....."#.D..#7...A.P...#4..l....5...5..).w.. .h.~..A..Eo...................A..Eo........4I........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d88192ac53852604_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 430
Entropy (8bit): 5.551280679729311
Encrypted: false
SSDEEP: 6:mhYOFLvEWd/aFunp90EN941TK6tS2hYOFLvEWd/aFufplEN941TK6to9:WRJgY9E8mRRY9E
MD5: 51E2736354ECC588A7933BF71015E512
SHA1: B311327A70166CB6556244794E89C8514991F767
SHA-256: 4F808C6DCCE21BCE74269A138E568E6A50D8411F85536AB9C9EA89A13EFD6EC3
SHA-512: 2DC37D7C0BB0E9A8571E9E945ADE4F1C1C9CE0878F130A911765C124C891D77FF178B295781499C4CE8895071473EA77B0079AB92D95E3D442A3F00F4CFC5114
Malicious: false
Preview: 0\r..m......W....w.m...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-recent-files/js/selector.js .(!..../....."#.D.}.6...A...a.f.m.i.o.p..3U5.....^...I.A..Eo...................A..Eo........u.........0\r..m......W....w.m...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-recent-files/js/selector.js .jBX.../....."#.D.I.7...A...a.f.m.i.o.p..3U5.....^...I.A..Eo...................A..Eo........ .........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\de789e80edd740d6_0
Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type: data
Category: dropped
Size (bytes): 416
Entropy (8bit): 5.59177473695395
Encrypted: false
SSDEEP: 6:mR9YOFLvEWd7VIGXOdQ8KB9ZoBMqVd3G4K41TK6tjG9//MR9YOFLvEWd7VIGXOdQ:2DRuRuyB9Vd2kYXIDRuRUB9Vd2kZ
MD5: FD25240E375762B496D76872957BA603
SHA1: 27B4F743F3B8AA6AB5438568E8DAB6B764BD6ED9
SHA-256: 447214E5FE1450C9509772EBCAB35324A0815E0A2BDD07381B0640725A842DD2
SHA-512: 351F4CB62950DD692531EC87C30DDD306F0AA30777D90A0D1E15ACE0B9C0EEA9648E800E8D34E6A2A9A06C75254B6E20359CFD5FC60BDB1751368C34DBAA34B2
Malicious: false
Preview: 0\r..m......P...y.p....._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/plugin.js ..P..../....."#.D.L.6...A..y.$..$.v5j...T...z.]..._S....A..Eo...................A..Eo..................0\r..m......P...y.p....._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/plugin.js ...W.../....."#.D...7...A..y.$..$.v5j...T...z.]..._S....A..Eo...................A..Eo........4.........
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):624
Entropy (8bit):5.632746038815
Encrypted:false
SSDEEP:6:mkqYOFLvEWd8CAd9QPyplmuA424r1TK6tBXEkqYOFLvEWd8CAd9QQOl+DtuA424i:+RQnRrnLURQNK+DcrnwsRQrscrn
MD5:E5027F184BEFFD3DABD042E66D76B2B5
SHA1:AEFF8848773DC1425DF16D99889721C1EEA8A651
SHA-256:060501AA1A2E2FC8850E23F4CB788B7AC3E5B9A6119506BD24A2C8EA92D95DB3
SHA-512:128E6E11E48D9AB88160E1A83FCDCCED73C6176E33101C7548C892BE432FDE1E2E7F0528A7E4A9E891F523B711464C9B15DC849D42C7FAA7D34F032DD05DEBE4
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f4a0d4ca2f3b95da_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):420
Entropy (8bit):5.608867335884761
Encrypted:false
SSDEEP:6:moXXYOFLvEWdENUAu9syC8n1TK6txEoXXYOFLvEWdENUAuyomuyC8n1TK6t/:xhRTU7Qn7hRTwu7QV
MD5:0E9DF55AC17982FE6CDDEAFFE5048AC0
SHA1:C4D90D1A16FA5404C187CCC055F6187449117B94
SHA-256:14749286A3D496949735863BD3BF4428F831A2549BD430AE66730143679E269C
SHA-512:5E223BC3924155370F32CE5FD427237CB78E3CEBBFA65518FDDFDEAEC8AE7446C80FFCB2C4D1A302CAC888BB9F61919FFD5C4E1ACCC08D0A66C780C797B612BD
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):884
Entropy (8bit):5.6523900434560215
Encrypted:false
SSDEEP:12:nRrROk/VdmZRrROk/VWKwmilRrROk/VwiVmXRrROk/VuVmCf:nPJ/mZPJ/PFGPJ/qigXPJ/wgC
MD5:0F05F668837716B0EBE9E646E373D237
SHA1:752CB348161E47EF07EEE6CFE79A0CBB3CA0F1B3
SHA-256:794518E57B14CB296287EAF06CCBC8288307F947A1CC22FDCA47FF71FF3E90AC
SHA-512:F81D80D9930D5323B59420A8891E0C0491A710DFBD2766F264486DD862267253875C367024072AC9DF66ED43A73AA97870942D320C9909E7DE5C5AFE7CE7ABCA
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):420
Entropy (8bit):5.610193605785719
Encrypted:false
SSDEEP:6:mZ/lXYOFLvEWdccAWujqksNk+Adm9741TK6tsZ/lXYOFLvEWdccAWujOOsAdm97R:qxRch0BAdu7E6xRcpUAdu7E
MD5:2077402C86C23EC52D32AE88E2AA524E
SHA1:4C8AE341A3AD79380076E61D6718860B54010020
SHA-256:248617C21EB0B7CE50E4062285C45160BAB99EB81DB94ACD6FA8EC7C6F5AE61D
SHA-512:10A78B2A53CF43C3FF545139BE834BC8DEC4D3CB4C73310426A8F300449B2CF6C754A8F0AA98B77B5F08F3462490F71C0CCE5943C032FA4273533338A32FF1C6
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):408
Entropy (8bit):5.598655394138875
Encrypted:false
SSDEEP:6:mMOYOFLvEWdwAPVuoiJn1TK6tIEMOYOFLvEWdwAPVuCCarJn1TK6t+:2R1WLW0R11L
MD5:975ED5336C1EEABAE7980B100B4562CC
SHA1:DCFDC07DEABDDFD537EAC6EEA58DE292821723F8
SHA-256:A80007EAC9562C04A360482B2DDF0F4992AA300761E3338E8CFAD7BD503BA1C7
SHA-512:8E956E5DE4FEC00B2C36AD90CC5B8320766CADCBCBEA12586161A930541DB054BC171B8C767752EF8E656B7393EC449A9DFCF5A342D2CAA8CE2CE267D2063147
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fdd733564de6fbcb_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:modified
Size (bytes):424
Entropy (8bit):5.637257560918759
Encrypted:false
SSDEEP:6:m3PXYOFLvEWdBJvYQfhoG2zhcsBXIh1TK6ta3PXYOFLvEWdBJvYQklv2zhcsBXIR:mxRBJQwodDB08xRBJQhMDB0X
MD5:93C1DF33B4CCB48370C980A07AD308EE
SHA1:5B058F6C542E7AA1DCDF1A6B34B0490F5F6B90F0
SHA-256:825E39D85A7AB02637D76402221049FCDAD3C2116C7BCC43C4E288E50F313B72
SHA-512:E54B2293BAECA8A48D9EC09FF63FD72B7D8D1583A1309D4C5A6436A2AD1085E6D6071E80506AC2407C78E13BA6D70BB17EFA35DA0E620CAF28F4C7E1A63F8DDF
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):912
Entropy (8bit):5.620966123705577
Encrypted:false
SSDEEP:12:3RrROk/srDcOFRrROk/sYscoRrROk/sGcLRrROk/stVc:3PJ/7iPJ/ZoPJ/MLPJ/Ye
MD5:B010C5C5F3A7D6F9D7E447D4E869B72A
SHA1:4A1662E7A9E73F0FBDC98E8969C5E6E808ECE609
SHA-256:0A09732B79979DAB381525D85BF61BAFDA96D7F865E74C198922934B9CE65CE8
SHA-512:B293C39A369C693D1B468CF3569EF5408EFE23EE3CFADD45D0B5E4C75349B03F85B6ACEFAD255981EDA289EC3344EE88D7D9CC6F9EE250630D017B8479C3F77E
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\temp-index
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):984
Entropy (8bit):5.040251725706932
Encrypted:false
SSDEEP:12:MeVl/9l/gLnl/2+/l/KLvyl/CAl/q5tbyl/iil/iHl/OHl/Wyl/jl/lsl/lA2l/I:Mfg1zZFufGMisp6r6C9QPr
MD5:9B90244F9985CBA4985897217DD7C7AB
SHA1:9BC5919E96D2A3CE20322AADC162056A6B6FE7EC
SHA-256:E44D4707C1D938DE3374B96940F3B6AB183AEEDDFC92C1B25617C57337E95941
SHA-512:15C4CB9E0569A8B9A35F369364B2C4312DF76EF721A8DA8C3CEEB4A289D5DE061D0D14EF2C0D35A1DD3FD12014BA67243DB65124376144BE2D2943FFAB742F36
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:ASCII text
Category:dropped
Size (bytes):292
Entropy (8bit):5.177660037147739
Encrypted:false
SSDEEP:6:m1IgYyq2PWXp+N2nKuAl9OmbnIFUtpkIpa1ZmwPkIRlRkwOWXp+N2nKuAl9Ombjd:CvaHAahFUtpe1/Pr5fHAaSJ
MD5:8B17662B08835BE6D5182DBF2B9E8A19
SHA1:76FFC66D5133CE27121E4F64879DA9A80CBDDEE0
SHA-256:79C3AF7F150063028EBD1D78BB97385078BA312A6972F5086B8D9038AF8DCB92
SHA-512:17A609A3D886EB08F6D5A68835A7693B89F3D56A04B232AB47A082034DF1BBFE19E1CE9D0FF64E29C33C60DA003BC863AA9262F47FF5D03F4C447AB9022E75B4
Malicious:false
Preview: 2021/04/08-12:09:02.676 1ae0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/04/08-12:09:02.677 1ae0 Recovering log #3.2021/04/08-12:09:02.681 1ae0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:data
Category:dropped
Size (bytes):1703936
Entropy (8bit):0.008870353771030707
Encrypted:false
SSDEEP:48:TGEiaGEiCsMiCsMiCsMi9sMhC9sMhC9sMhCAsMhCrNsMhCrNsMhCr+sMhCDo+sMB:dKKnono
MD5:95D2D3702D0EC36BC6F781E804CCFB32
SHA1:61EE347472500434A9BE50F864C4562EC52C9A54
SHA-256:7E3C9563DA1084EE239D2429E2243F27B99E7F7DE6778CDC74175AACD34FD1A4
SHA-512:4595411031E1308D3DC040814E996D0B5476B7B3E9B92ED03FF5AE75C2B7559C4611B590616BC6BD1C9334BC7E038EA09401E3BDEAEB822F34A41B41F608CAB6
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-210408190856Z-251.bmp
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32
Category:dropped
Size (bytes):65110
Entropy (8bit):2.308739914604857
Encrypted:false
SSDEEP:192:lUzgM3fdU9rd/pIpotZ0deVfa0hLSPOhqLjo4jb6FeiRzHh/uKl+0fr5qta+OOfr:KiS0d6M+P6FvBHxN14/sMCsNj
MD5:7CAFDE4EA3C84220C4E669A1D2DA08D2
SHA1:16588A00CCAEB9D616DBC1B7BB885EA2AC189AEB
SHA-256:C7B3A1B95190596236F26A416CD32B0F40C80D819BAA8EC148E9872FB361365E
SHA-512:E116DEF7BF4391BE0B7656C1E917AE17FBD57DAB6793CF3C1492842DEF5F987B11AC63D94F17257EFCEBA463117243FB964FF2913360E90ADD11137D8EDEABFD
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:SQLite 3.x database, last written using SQLite version 3024000
Category:modified
Size (bytes):32768
Entropy (8bit):3.386618445800535
Encrypted:false
SSDEEP:96:iR49IVXEBodRBkQgOhFVCsL49IVXEBodRBkRbgOhAVCs749IVXEBodRBklbgOhBf:iGedRBoedRB+edRBtedRBr
MD5:27BFBAEB6E132E17D30771ED105F45C3
SHA1:B23BBF1D7C6E4FD7BD777C330A6A727D514F34D5
SHA-256:D72FD3646B9201E2B6D17974B8789800F3CEB24DF21B62461CBF03B820CC7783
SHA-512:56C4EBEF83D93DF6FDEC8E806E65656C863B89D18C004609F53F8E3E7954372EFA33CB870B7C61B66837DF3DA4105E246124CEF949A10364F2E1E0F008DCBE86
Malicious:false
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:data
Category:dropped
Size (bytes):34928
Entropy (8bit):3.2000455844552476
Encrypted:false
SSDEEP:96:X7OhFVCP9949IVXEBodRBkS6gOhFVCsHLR49IVXEBodRBksbgOhAVCs9d49IVXE2:XZiedRBnULGedRBiCedRBuyedRBe
MD5:B05C5E8D023ABA2BB85A66BE2BC901F3
SHA1:C0DA8A7354B1D097820481C01343E0E5348057B0
SHA-256:FFE88F91976E47413E89FDD062FEC5D7EE319C3C5AB3AA2381879B5011D7E998
SHA-512:389C0A59F111BC330633898B1A5719E2942947E64B32115CB037713D226AA0ED1AD806648A6AC80BDEE245D1BDA9F35A4F5D58211184E83DCD6FA278E607F1E0
Malicious:false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.5336
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:PostScript document text
Category:dropped
Size (bytes):157443
Entropy (8bit):5.172039478677
Encrypted:false
SSDEEP:1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z0ADWp1ttawvayKLWbVG3+2:RNj3aRlQShhp2VpMKRhWa11quVJX2
MD5:A2C6972A1A9506ACE991068D7AD37098
SHA1:BF4D2684587CF034BCFC6F74CED551F9E5316440
SHA-256:0FB687D20C49DDBADD42ABB489C3B492B5A1893352E2F4B6AA1247EFE7363F65
SHA-512:4D03884CA5D1652A79E6D55D8F92F4D138C47D462E05C3E6A685DA6742E98841D9C63720727203B913A179892C413BFB33C05416E1675E0CF80DA98BE90BA5E4
Malicious:false
Preview: %!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.log
Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1402
Entropy (8bit):5.338819835253785
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csXE8:MIHK5HKXE1qHxvbHKnYHKhQnoPtHoxHH
MD5:3E457A94831A76170EF8D114082063EE
SHA1:96C395587FE41523FADB9A9AC2853DF90BD530A3
SHA-256:4728D230B92E50D7F01F3E1AD3E95D02B075178AFB80890274A59D3094F48299
SHA-512:1507FF7C5E13DA5299E30ADC5C9137ED9A9BE3DD255925732A9C0D35C355DD5D626D72D23C8858F119A6DFC737818B84E984D6921FA227203E4EA1AB33FE5F70
Malicious:true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Files.exe.log
Process:C:\Users\user\AppData\Roaming\Files.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1402
Entropy (8bit):5.338819835253785
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csXE8:MIHK5HKXE1qHxvbHKnYHKhQnoPtHoxHH
MD5:3E457A94831A76170EF8D114082063EE
SHA1:96C395587FE41523FADB9A9AC2853DF90BD530A3
SHA-256:4728D230B92E50D7F01F3E1AD3E95D02B075178AFB80890274A59D3094F48299
SHA-512:1507FF7C5E13DA5299E30ADC5C9137ED9A9BE3DD255925732A9C0D35C355DD5D626D72D23C8858F119A6DFC737818B84E984D6921FA227203E4EA1AB33FE5F70
Malicious:false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):41064
Entropy (8bit):6.164873449128079
Encrypted:false
SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5:EFEC8C379D165E3F33B536739AEE26A3
SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious
• Filename: Sample Qoutation List.exe, Detection: malicious
• Filename: DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe, Detection: malicious
• Filename: APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe, Detection: malicious
• Filename: Thalesnano.exe, Detection: malicious
• Filename: DHL_SHIPMENT_ADDRESS_CONFIRMATION_00000001.exe, Detection: malicious
• Filename: RFQ#040820.exe, Detection: malicious
• Filename: payment swift copy.exe, Detection: malicious
• Filename: I201002X430 CIF #20210604.exe, Detection: malicious
• Filename: PO#29710634.exe, Detection: malicious
• Filename: PO_6620200947535257662_Arabico.PDF.exe, Detection: malicious
• Filename: payment notification.exe, Detection: malicious
• Filename: Payment Notification.exe, Detection: malicious
• Filename: s.exe, Detection: malicious
• Filename: MV.exe, Detection: malicious
• Filename: e.exe, Detection: malicious
• Filename: SL_PO8192.PDF.exe, Detection: malicious
• Filename: QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe, Detection: malicious
• Filename: RFQ9088QTY.exe, Detection: malicious
• Filename: NEWQUOTATION#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe, Detection: malicious
C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF
Process:C:\Users\user\AppData\Roaming\Files.exe
File Type:PDF document, version 1.3
Category:dropped
Size (bytes):149430
Entropy (8bit):5.992880402670265
Encrypted:false
SSDEEP:1536:WXGnpGkkQ5KXOAEM3pqfGkkQ5KXO3GkkQ5KXOJa+Ur+KFg+jBfMev0CSrSmq:WXMFAEMOrJRUSTC
MD5:CBAF67B05E781DEE65A10D6459DA8E2F
SHA1:29E06F15D8D14745EEEBA6F9EC502FFC3F4B27B4
SHA-256:BC4D8009C636CCCA89801D5FCEA5BA5370070B9F0777B11B1B0AF46A61D8BAB5
SHA-512:5389614083FE85074EE0A266BA4E8867A69D5A84AE834ECBF7A7C85503313FD223297A6638C9532B7C3F5D58447FCDFABF63CD09E02B2130631AFF8E45D0C52E
Malicious:false
Preview: %PDF-1.3..%......%RSTXPDF3 Parameters: DJRSTXh..%Devtype ZPDFUC Font HELVE normal Lang EN Script: 0 ->/C001..2 0 obj..<<../Type /FontDescriptor../Ascent 718../CapHeight 718../Descent -207../Flags 32../FontBBox [-166 -225 1000 931]../FontName /Helvetica../ItalicAngle 0../StemV 105..>>..endobj..3 0 obj../WinAnsiEncoding..endobj..4 0 obj..<<../Type /Font../Subtype /Type1../BaseFont /Helvetica../Name /C001../Encoding 3 0 R../Widths..[ 0275 0275 0354 0554 0554 0888 0667 0192 0333 0333 0388 0583 0275 0333 0275 0275 0554 0554 0554 0554 0554 0554 0554 0554 0554 0554 0275 0275 0583 0583 0583 0554 1017 0667 0667 0721 0721 0667 0608 0775 0721 0275 0500 0667 0554 0833 0721 0775 0667 0775.. 0721 0667 0608 0721 0667 0942 0667 0667 0608 0275 0275 0275 0471 0554 0333 0554 0554 0500 0554 0554 0275 0554 0554 0221 0221 0500 0221 0833 0554 0554 0554 0554 0333 0500 0275 0554 0500 0721 0500 0500 0500 0333 0258 0333 0583]../FirstChar 32../LastChar 126../FontDescriptor 2 0 R..>>..endobj..%Devtype ZPDFUC
C:\Users\user\AppData\Roaming\Files.exe
Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):887296
Entropy (8bit):6.554991291217796
Encrypted:false
SSDEEP:12288:yaY2pIV1Fn6OAVo1TniJM8R0aVEu0AxTd9lB3pa77FMHK25PPlXU:y65o12MCPWbAd7pk7F+K25ZU
MD5:4FFB9EE56BAEED64D186D62DE5C56A05
SHA1:2982AD3DD5578B7595A8A2CE6DFF5F7BCC9A1140
SHA-256:79614387D51E432E6681D699A42018DDB1A91106B47FB2EDE9BAC493DD5814F5
SHA-512:C0A9BD2EC83F4D8ED9207AD8FB36EB4B9EDC2B7CC116158B685F0759D356332DB0AB491D36644C17CA42ADE1E78E260940444A37371D72DBD771B102EBC77305
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 19%
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hOM............................N.... ........@.. ....................................`.....................................O.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........\...n......1....G..B....................................................m.+.P.;..d.N.c.-y...-..U.~....?^.l...{`W...1..g.[...Y.....)1N.%./.......5m.R......0_.#.G..-.o.."...W.\....'..-._F.T.}r.o.S.......I%$...&...........2;.....X...-.9F9"...v.s..fS..Q...ic%6.*.8.,.T.../.7.qW.v.D.9..........=.F%.v......s....5V%.9.!.......'W(..+2h.w\.|s.....E...f.&%..f..U.ogJ.%..U.JPJ...I..{.u.........K.j...2.*..[....x....*.........)...................|?!.J.'<"8j......
                                                                                                                                      C:\Users\user\AppData\Roaming\Files.exe:Zone.Identifier
                                                                                                                                      Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26
                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                      Malicious:true
                                                                                                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                                                                                                      Static File Info

                                                                                                                                      General

                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Entropy (8bit):6.554991291217796
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                      File name:DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                                                                                      File size:887296
                                                                                                                                      MD5:4ffb9ee56baeed64d186d62de5c56a05
                                                                                                                                      SHA1:2982ad3dd5578b7595a8a2ce6dff5f7bcc9a1140
                                                                                                                                      SHA256:79614387d51e432e6681d699a42018ddb1a91106b47fb2ede9bac493dd5814f5
                                                                                                                                      SHA512:c0a9bd2ec83f4d8ed9207ad8fb36eb4b9edc2b7cc116158b685f0759d356332db0ab491d36644c17ca42ade1e78e260940444a37371d72dbd771b102ebc77305
                                                                                                                                      SSDEEP:12288:yaY2pIV1Fn6OAVo1TniJM8R0aVEu0AxTd9lB3pa77FMHK25PPlXU:y65o12MCPWbAd7pk7F+K25ZU
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hOM............................N.... ........@.. ....................................`................................

                                                                                                                                      File Icon

                                                                                                                                      Icon Hash:eaee8e96b2a8e0b2

                                                                                                                                      Static PE Info

                                                                                                                                      General

                                                                                                                                      Entrypoint:0x4ccb4e
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:false
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                                                      Time Stamp:0x4D4F68B1 [Mon Feb 7 03:36:17 2011 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                                                                      OS Version Major:4
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:4
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:4
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                      Entrypoint Preview

                                                                                                                                      Instruction
                                                                                                                                      jmp dword ptr [00402000h]

                                                                                                                                      Data Directories

                                                                                                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0xccafc | 0x4f | .text
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0xd8da | .rsrc
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdc000 | 0xc | .reloc
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                                                      Sections

                                                                                                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                                                       .text | 0x2000 | 0xcab54 | 0xcac00 | False | 0.617873863286 | data | 6.57591670371 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                                       .rsrc | 0xce000 | 0xd8da | 0xda00 | False | 0.0915818520642 | data | 3.77481945423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                       .reloc | 0xdc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                      Resources

                                                                                                                                      NameRVASizeTypeLanguageCountry
                                                                                                                                      RT_ICON0xce1300xd228data
                                                                                                                                      RT_GROUP_ICON0xdb3580x14data
                                                                                                                                      RT_VERSION0xdb36c0x384data
                                                                                                                                      RT_MANIFEST0xdb6f00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                                                      Imports

                                                                                                                                      DLLImport
                                                                                                                                      mscoree.dll_CorExeMain

                                                                                                                                      Version Infos

                                                                                                                                      DescriptionData
                                                                                                                                      Translation0x0000 0x04b0
                                                                                                                                      LegalCopyrightCopyright 2008 <2EFC?D72:9;F96>6826?
                                                                                                                                      Assembly Version1.0.0.0
                                                                                                                                      InternalNameabbc.exe
                                                                                                                                      FileVersion6.9.12.15
                                                                                                                                      CompanyName<2EFC?D72:9;F96>6826?
                                                                                                                                      Comments7B?F?DA@6BHE@H==D
                                                                                                                                      ProductNameDA4;=?2EI7C=FF5JCG
                                                                                                                                      ProductVersion6.9.12.15
                                                                                                                                      FileDescriptionDA4;=?2EI7C=FF5JCG
                                                                                                                                      OriginalFilenameabbc.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:07:16.850224972 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:16.863722086 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:17.778130054 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:17.790688992 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:19.989392042 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:20.008362055 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:28.127562046 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:28.167560101 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:28.438071966 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:28.466216087 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:28.487775087 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:28.500979900 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:29.315218925 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:29.329554081 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:47.464927912 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:47.477982998 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:48.817303896 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:48.831751108 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:49.468297005 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:49.481710911 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:50.287034035 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:50.299288988 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:51.004914999 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:51.019094944 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:51.445460081 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:51.485548973 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:52.017590046 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:52.047310114 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:52.905920982 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:52.918490887 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:53.664814949 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:53.677771091 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:55.551908016 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:55.566189051 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:07:56.030512094 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:07:56.042367935 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:09.881002903 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:09.893765926 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:10.302892923 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:10.316248894 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:10.349073887 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:10.361949921 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:12.422161102 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:12.448431015 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:12.802336931 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:12.815521955 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:12.861136913 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:12.888497114 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:13.339987993 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:13.352734089 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:15.949263096 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:15.962547064 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:18.422380924 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:18.434819937 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:19.975502968 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:19.988317013 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:23.361908913 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:23.380319118 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:24.471626043 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:24.484843016 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:25.244359970 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:25.256722927 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:35.188877106 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:35.221174002 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:35.969105959 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:35.982182980 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:08:42.666764975 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:08:42.685354948 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:03.190666914 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:03.193145037 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:03.211342096 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:03.214662075 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:04.206573963 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:04.206692934 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:04.221847057 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:04.225342035 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:05.222249031 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:05.222362995 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:05.234791994 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:05.234875917 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:07.225281000 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:07.225343943 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:07.238141060 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:07.238471985 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:13.201883078 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:13.202337980 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:13.216866970 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:13.220603943 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:22.358563900 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:22.374238968 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:09:25.308048964 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:09:25.341161966 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                                                                                                      System Behavior

                                                                                                                                      General

                                                                                                                                      Start time:12:07:26
                                                                                                                                      Start date:08/04/2021
                                                                                                                                      Path:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
                                                                                                                                      Imagebase:0xe20000
                                                                                                                                      File size:887296 bytes
                                                                                                                                      MD5 hash:4FFB9EE56BAEED64D186D62DE5C56A05
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.310359944.000000000425A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.311089829.0000000004309000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.311979523.00000000044CF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      Reputation:low

                                                                                                                                      General

                                                                                                                                      Start time:12:07:47
                                                                                                                                      Start date:08/04/2021
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                                                                                                                                      Imagebase:0xbd0000
                                                                                                                                      File size:232960 bytes
                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:12:07:47
                                                                                                                                      Start date:08/04/2021
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6b2800000
                                                                                                                                      File size:625664 bytes
                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

General

Start time:12:07:47
Start date:08/04/2021
Path:C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):true
Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase:0xca0000
File size:59392 bytes
MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:12:08:07
Start date:08/04/2021
Path:C:\Users\user\AppData\Roaming\Files.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase:0x5a0000
File size:887296 bytes
MD5 hash:4FFB9EE56BAEED64D186D62DE5C56A05
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 19%, ReversingLabs
Reputation:low

General

Start time:12:08:09
Start date:08/04/2021
Path:C:\Users\user\AppData\Roaming\Files.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase:0x340000
File size:887296 bytes
MD5 hash:4FFB9EE56BAEED64D186D62DE5C56A05
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.509008335.0000000003A9F000.00000004.00000001.sdmp, Author: Joe Security
Reputation:low

General

Start time:12:08:45
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
Imagebase:0xf00000
File size:2571312 bytes
MD5 hash:B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:12:08:46
Start date:08/04/2021
Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase:0xf00000
File size:41064 bytes
MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.493944777.00000000034C1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation:moderate

General

Start time:12:08:47
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
Imagebase:0xf00000
File size:2571312 bytes
MD5 hash:B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:12:08:55
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Imagebase:0x220000
File size:9475120 bytes
MD5 hash:9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:12:08:58
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2690794570082519975 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2690794570082519975 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
Imagebase:0x220000
File size:9475120 bytes
MD5 hash:9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:12:08:59
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=7685701926627287920 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Imagebase:0x220000
File size:9475120 bytes
MD5 hash:9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:12:09:02
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6749621257665537764 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6749621257665537764 --renderer-client-id=4 --mojo-platform-channel-handle=1852 --allow-no-sandbox-job /prefetch:1
Imagebase:0x220000
File size:9475120 bytes
MD5 hash:9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:12:09:04
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=7499266669204803197 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7499266669204803197 --renderer-client-id=5 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
Imagebase:0x220000
File size:9475120 bytes
MD5 hash:9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

General

Start time:12:09:06
Start date:08/04/2021
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1732,14640126625900119066,9769525679105844933,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6985995476041547175 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6985995476041547175 --renderer-client-id=6 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
Imagebase:0x220000
File size:9475120 bytes
MD5 hash:9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

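The process blocks above carry three pieces of evidence a responder would want to pull out automatically: reg.exe writing a Run value that points at a user-writable path, the submitted sample's MD5 reappearing as Files.exe under AppData\Roaming, and a .NET framework utility (InstallUtil.exe) executing from %TEMP% rather than from under Microsoft.NET, which is the classic host for the process injection the report flags. The following triage script is an added example written for this page, not Joe Sandbox's own code. The PROCESS_BLOCKS text is constructed from four of the blocks above (trimmed to the fields the rules need), the DOTNET_UTILS list and the USER_WRITABLE path markers are assumptions, and the severity labels are this example's heuristics, not the sandbox's scoring:

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: four process blocks copied from this report, reduced to the
# fields the rules below use. Real reports carry more fields per process.
PROCESS_BLOCKS = r"""
Path:C:\Windows\SysWOW64\reg.exe
Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
MD5 hash:CEE2A7E57DF2A159A065A34913A055C2

Path:C:\Users\user\AppData\Roaming\Files.exe
Commandline:'C:\Users\user\AppData\Roaming\Files.exe'
MD5 hash:4FFB9EE56BAEED64D186D62DE5C56A05

Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
MD5 hash:EFEC8C379D165E3F33B536739AEE26A3

Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Commandline:'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
MD5 hash:B969CF0C7B2C443A99034881E8C8740A
"""

SUBMITTED_MD5 = "4ffb9ee56baeed64d186d62de5c56a05"   # MD5 from the report overview

RUN_KEY_RE = re.compile(r"currentversion\\run\b", re.IGNORECASE)
REG_DATA_RE = re.compile(r"/d\s+'([^']+)'", re.IGNORECASE)
# Assumption: directories an unprivileged user can write to (lower-cased markers).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Assumption: framework utilities that normally live under C:\Windows\Microsoft.NET\
# and are common hollowing targets for .NET loaders.
DOTNET_UTILS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "applaunch.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    detail: str


def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'Key:Value' blocks into one dict per process."""
    procs = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")   # 'Path:C:\x' -> ('Path', 'C:\x')
            fields[key.strip().lower()] = value.strip()
        if fields:
            procs.append(fields)
    return procs


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(procs: List[Dict[str, str]], sample_md5: str) -> List[Finding]:
    findings = []
    for p in procs:
        path = p.get("path", "")
        cmd = p.get("commandline", "")
        md5 = p.get("md5 hash", "").lower()
        base = path.rsplit("\\", 1)[-1].lower()

        # Rule 1: reg.exe adding a Run value; severity rises when the target is user-writable.
        if base == "reg.exe" and RUN_KEY_RE.search(cmd):
            m = REG_DATA_RE.search(cmd)
            target = m.group(1) if m else "?"
            sev = "high" if in_user_writable(target) else "medium"
            findings.append(Finding("run_key_persistence", path, f"{sev}: Run value -> {target}"))

        # Rule 2: the submitted sample's hash running from a user-writable path = self-copy.
        if md5 == sample_md5.lower() and in_user_writable(path):
            findings.append(Finding("sample_self_copy", path, "dropped copy of submitted sample"))

        # Rule 3: a .NET framework utility executing outside Microsoft.NET (injection host).
        if base in DOTNET_UTILS and "\\microsoft.net\\" not in path.lower():
            findings.append(Finding("relocated_dotnet_utility", path, "likely hollowed loader target"))
    return findings


def run_report() -> List[Finding]:
    return triage(parse_blocks(PROCESS_BLOCKS), SUBMITTED_MD5)


if __name__ == "__main__":
    for f in run_report():
        print(f"[{f.rule}] {f.path}: {f.detail}")
```

Run against the constructed blocks, the script returns exactly three findings (the Run-key write, the Files.exe self-copy, and the relocated InstallUtil.exe) and nothing for the Acrobat Reader process, which is the benign viewer the sample launched on the decoy PDF. Rule 3 is deliberately path-based rather than hash-based: the InstallUtil.exe here has a clean AV verdict and a size consistent with a genuine copy, so the only host-side tell is where it runs from and what the Yara scan finds in its memory.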
                                                                                                                                      Disassembly

                                                                                                                                      Code Analysis

                                                                                                                                      Reset < >

Executed Functions


                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305021604.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 599bffb0116d4f2f3ed6ca899c1a0de34d582acb1c482fdb4738d1f56f03c371
                                                                                                                                        • Instruction ID: 24e7c570e7cf2299c322abd59c20aa60c2e9737014b5c31fe5972858bddc3e97
                                                                                                                                        • Opcode Fuzzy Hash: 599bffb0116d4f2f3ed6ca899c1a0de34d582acb1c482fdb4738d1f56f03c371
                                                                                                                                        • Instruction Fuzzy Hash: D02137B1504248DFDB15DF94D8C0B66FF66FB88328F25C5A9E9090B247C336D846C7A1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305021604.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6157314034fe9286e9f5d782ff5f6b8a3a43ed4eebe16f5069ff4f136e639247
                                                                                                                                        • Instruction ID: 3a42d122ef35e3ff1e83eedf6790298100332806002a97a809df7ea5a14ef189
                                                                                                                                        • Opcode Fuzzy Hash: 6157314034fe9286e9f5d782ff5f6b8a3a43ed4eebe16f5069ff4f136e639247
                                                                                                                                        • Instruction Fuzzy Hash: 082106B1504240DFDB25DF94D8C0BA6FF65FB8832CF34C5A9E9094A246C336D845CBA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 43d9ea3cafe7a7efa285bb7564463309ef3416ca083a9ee072ebaf4cd0f64d3e
                                                                                                                                        • Instruction ID: f1aff9a8579ca9bc62102dcebabf419ed98c407efed2f86af1e98ec0633a76fb
                                                                                                                                        • Opcode Fuzzy Hash: 43d9ea3cafe7a7efa285bb7564463309ef3416ca083a9ee072ebaf4cd0f64d3e
                                                                                                                                        • Instruction Fuzzy Hash: 7611D631708118C7F7089AEDC8406BAB7AAEBCC324F958136F566C7A50D738DB44C755
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 59a96e666a53b74da941e35ac0ff9272ec52589dd3a79fb9b3b3ddfe0587a31a
                                                                                                                                        • Instruction ID: cbfd49a8043b71eb301f75420fd481b6aa8b57bc5a68980838ffc7f339d29ee8
                                                                                                                                        • Opcode Fuzzy Hash: 59a96e666a53b74da941e35ac0ff9272ec52589dd3a79fb9b3b3ddfe0587a31a
                                                                                                                                        • Instruction Fuzzy Hash: E711CE32608118C7FB709EAD98517BAF2AAEBC0314FD04127D51AC7648DA30DB438B96
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d59d32a2241f7dbacbf6eecde0e546d7489a0d8fb54ba896d7c186459395bb0e
                                                                                                                                        • Instruction ID: c4bd675c955e7ad0246823503f71426b197c3b8c4073495a2d7a7eaa9bcdf081
                                                                                                                                        • Opcode Fuzzy Hash: d59d32a2241f7dbacbf6eecde0e546d7489a0d8fb54ba896d7c186459395bb0e
                                                                                                                                        • Instruction Fuzzy Hash: F7119E3260642DDBFB109E59D8806BBB7A6EBC8304FD04166FA16C3350C735DB618BD6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c1f6b50657694643a96b8edf1f71dfce0471502c614a9d14ce7dfb7268a65bf4
                                                                                                                                        • Instruction ID: b0eda48ba727031393f8e4f1b8783b03d29bd56f32e23e9e2e40260a8f6cae2b
                                                                                                                                        • Opcode Fuzzy Hash: c1f6b50657694643a96b8edf1f71dfce0471502c614a9d14ce7dfb7268a65bf4
                                                                                                                                        • Instruction Fuzzy Hash: 2511B478A44144CBF7108B7CD80536A7BA1EB41309F54C07AE149CA281DB3BCE42EB52
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305021604.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
                                                                                                                                        • Instruction ID: 55a8737b2b75dc5702b9275ae12bcff7be5e3de3bc9e0171421311797c8a4d22
                                                                                                                                        • Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
                                                                                                                                        • Instruction Fuzzy Hash: 5011AC76504284CFDB16CF54D9C4B56FF72FB84324F2886A9D8080B656C33AD45ACBA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305021604.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
                                                                                                                                        • Instruction ID: 0dd8b25aa8e12556ecf52fc60da65d2db2a19c91376381a0ab871239d02912b9
                                                                                                                                        • Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
                                                                                                                                        • Instruction Fuzzy Hash: DC11AF76504280CFDB12CF54D5C4B56FF61FB84328F3886A9D9050B657C336D55ACBA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305021604.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 990c661d874088f87aad82916418531fbc098e50c8f653b0cb832ce6547b732c
                                                                                                                                        • Instruction ID: 74c267db0185cb649265b7e2ce9c32542f17283a369398a56bcb3e7d6c58443d
                                                                                                                                        • Opcode Fuzzy Hash: 990c661d874088f87aad82916418531fbc098e50c8f653b0cb832ce6547b732c
                                                                                                                                        • Instruction Fuzzy Hash: BB01F771448740AAE7304A9ADCC47A7FB98DF4167DF18C45AEE085B287C7749844CAB1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: da1825e55743a617d39f42392a3adae9d6c5b804255d1b3e23d4e748e1018c70
                                                                                                                                        • Instruction ID: 69c68e0e589fd3299b0b5a501c8d158a7a9df798616b716f5003eeecc46f5cec
                                                                                                                                        • Opcode Fuzzy Hash: da1825e55743a617d39f42392a3adae9d6c5b804255d1b3e23d4e748e1018c70
                                                                                                                                        • Instruction Fuzzy Hash: BA013971E0820DAFCB40DFE9C9416DEBBB1FB45704F1285A9C615EB3A4EB309A459B81
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 93486d29cbfffaf076b16c340f6aa1533eb48bb228cd1529db487405e61ccfc8
                                                                                                                                        • Instruction ID: 17f05fd0887eda42f9bedca9a702c04bc25fd68b6e84e4ddc39553005e0d94f1
                                                                                                                                        • Opcode Fuzzy Hash: 93486d29cbfffaf076b16c340f6aa1533eb48bb228cd1529db487405e61ccfc8
                                                                                                                                        • Instruction Fuzzy Hash: AE01D631F44219DBEB249E99984527EBA75E701B04F518026E605DBA81D7F48B04D7D2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 93737ef46167f1f135d4d22f2497532fec164ee2cfbaf517d39a26fb02aea27e
                                                                                                                                        • Instruction ID: 4641cac2efdfd4ed882740cc527a96598e8796c91e5b71c824ee5d219e08935f
                                                                                                                                        • Opcode Fuzzy Hash: 93737ef46167f1f135d4d22f2497532fec164ee2cfbaf517d39a26fb02aea27e
                                                                                                                                        • Instruction Fuzzy Hash: 8A01E971E0820DAFCB40EFE9C4515DEBBF1FF45304F1285AAC615AB264EB319E449B81
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305021604.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8a68f71a2a157c493caf2faad0eae2250a92fe83167025f924eb113fd0b5d9ba
                                                                                                                                        • Instruction ID: 1e112c2df788fff7d9ae1d5c3babbc29d0257738321c27729010e3f2ebda02f9
                                                                                                                                        • Opcode Fuzzy Hash: 8a68f71a2a157c493caf2faad0eae2250a92fe83167025f924eb113fd0b5d9ba
                                                                                                                                        • Instruction Fuzzy Hash: 42F06271404244AAE7258A5ADCC4BA2FFA8EF41779F18C45AED085B287C3799844CAB1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1d8fd9332f14120732c0d2919600e437d2726fbdb585e034af35d84991bdf2a6
                                                                                                                                        • Instruction ID: 5024475bf33e8eb2bb5b58d19cb6bb3c6598d88a0e7b91823ae0e1f868a47208
                                                                                                                                        • Opcode Fuzzy Hash: 1d8fd9332f14120732c0d2919600e437d2726fbdb585e034af35d84991bdf2a6
                                                                                                                                        • Instruction Fuzzy Hash: 70F0B47194E2D89FCB028BB5CC904AEBFB0FE42604B4581CAD641CF5B1EB319A04C790
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 66ade4d1e2f4bd80d09b23fffffa770bb2b538269d3ae5174f620d2db949438e
                                                                                                                                        • Instruction ID: db11197e4fb53f605f0871a271d2ae39e11880c2e97b4f814a2751eed8b00885
                                                                                                                                        • Opcode Fuzzy Hash: 66ade4d1e2f4bd80d09b23fffffa770bb2b538269d3ae5174f620d2db949438e
                                                                                                                                        • Instruction Fuzzy Hash: 3FC012742546094AC545ABB3E88656D335FEB90A0A3D0C824A2054D1A4FF745C858699
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f55df90ff5eeae7b09d70c4f6f0200f610e96ce368dfd7928d74b81cee34f7aa
                                                                                                                                        • Instruction ID: a3efadf15b455aa10aff8ad59967cbc95fc688d1dc2ba16f6cf490896528591f
                                                                                                                                        • Opcode Fuzzy Hash: f55df90ff5eeae7b09d70c4f6f0200f610e96ce368dfd7928d74b81cee34f7aa
                                                                                                                                        • Instruction Fuzzy Hash: 28C08C1044DBC21DEF0317340820081AF241C1353038EC3E2C2F0CF4E3D0064428C351
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Non-executed Functions

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 950b11f6804a9fe0eed411e75ec9594bc5e812d45a2f94862dc2e71e90ee0339
                                                                                                                                        • Instruction ID: c1bb545976f6fab26f26e48b7174bbc2dcfb013f56841e06f389a5d3ca2846a7
                                                                                                                                        • Opcode Fuzzy Hash: 950b11f6804a9fe0eed411e75ec9594bc5e812d45a2f94862dc2e71e90ee0339
                                                                                                                                        • Instruction Fuzzy Hash: E3825E30A00609DFEB25CF68C484AAEBBF2FF48314F658959E605DB2A1D771EE41CB51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.305315233.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Kl$Kl$Kl$Kl
                                                                                                                                        • API String ID: 0-3565144343
                                                                                                                                        • Opcode ID: d0574eb8ae8b2bb6c4e34672608f37364e06edeab6dd8331a9d24ddc5c119a06
                                                                                                                                        • Instruction ID: a19cfc06aa0f3dcb1f358b6d71209b480127b2dcd6fdd1180395896e0c401409
                                                                                                                                        • Opcode Fuzzy Hash: d0574eb8ae8b2bb6c4e34672608f37364e06edeab6dd8331a9d24ddc5c119a06
                                                                                                                                        • Instruction Fuzzy Hash: C111C2743046015F9344AFBAD094B29BBE6EF89354390047DE509CF761DF61EC0487A1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Executed Functions

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: $,l$$,l$$,l$48l$48l$D0l
                                                                                                                                        • API String ID: 0-996485634
                                                                                                                                        • Opcode ID: 4296cbcf649dea0320a01bd71739f7c47ee7c6f10087ed2ddf38fdd1e3c0e943
                                                                                                                                        • Instruction ID: 811079f8d9fcf89b641eb6c771fdbd0cfbb578613a6dd4768a4a212f728cbfa2
                                                                                                                                        • Opcode Fuzzy Hash: 4296cbcf649dea0320a01bd71739f7c47ee7c6f10087ed2ddf38fdd1e3c0e943
                                                                                                                                        • Instruction Fuzzy Hash: CA818D30B04228CFDB48ABB9985477E77B7BBC9714B15882EE506E7784DF349C0287A1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: D0l$D0l$D0l
                                                                                                                                        • API String ID: 0-195073329
                                                                                                                                        • Opcode ID: 1606a4298007268e2b0e10a97409752638d5b76bf38c834bc947777473aa7cd9
                                                                                                                                        • Instruction ID: 2d7d0441c07ca162e79503027c008bd0c208d4ccd903ba358c6ef616306c0b30
                                                                                                                                        • Opcode Fuzzy Hash: 1606a4298007268e2b0e10a97409752638d5b76bf38c834bc947777473aa7cd9
                                                                                                                                        • Instruction Fuzzy Hash: 97827C71A0020A9FCB14DF69C985BAEBBB6BF89314F158069E405DB3A1DB34DD41EB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7eda74defb4679cc43da64e348597f14c3c4baa9050f5653ad023b805c2d3a81
                                                                                                                                        • Instruction ID: 28000dc558021b20c63c2290ad442d68a1b20bb28e88e22547a40fdbe9d262d8
                                                                                                                                        • Opcode Fuzzy Hash: 7eda74defb4679cc43da64e348597f14c3c4baa9050f5653ad023b805c2d3a81
                                                                                                                                        • Instruction Fuzzy Hash: FC512722A0910E8BC304C768DA06BBAFBA5DB95318F29C56FD415CB291D274E945E353
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Xcl$Xcl
                                                                                                                                        • API String ID: 0-2795669184
                                                                                                                                        • Opcode ID: 2b9308a6edd07211967adc8fc839d489b34d11aefcc1e9b6ac12e7a6863edb70
                                                                                                                                        • Instruction ID: 3f4b30e771e60f8688ede27f16870129f3fa7c298d3c067c409902f60bb0a3b2
                                                                                                                                        • Opcode Fuzzy Hash: 2b9308a6edd07211967adc8fc839d489b34d11aefcc1e9b6ac12e7a6863edb70
                                                                                                                                        • Instruction Fuzzy Hash: AAE1DD31B042059FDB18AB64D856B7E77A6EBC8355F14843CE9069B384CF34EC42E791
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Xcl$Xcl
                                                                                                                                        • API String ID: 0-2795669184
                                                                                                                                        • Opcode ID: 172d4a4161d60a51ab4732403c88eff60af9fe863550841d3e69ba79c1960749
                                                                                                                                        • Instruction ID: cce26b47c1ed20b371f4078ea6753162e4d60da9d7b973bdcf030743c3d54f62
                                                                                                                                        • Opcode Fuzzy Hash: 172d4a4161d60a51ab4732403c88eff60af9fe863550841d3e69ba79c1960749
                                                                                                                                        • Instruction Fuzzy Hash: AD819D39A005068FCB18CF68C686F6EB7B2AF89314B25817DD416EB761DB31EC41EB51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: T\l
                                                                                                                                        • API String ID: 0-2387598413
                                                                                                                                        • Opcode ID: 0518c9bd9cbfe973f76e0a62f2c0e603f791ffd33b183faffee6db2b70ff5b04
                                                                                                                                        • Instruction ID: fb4452d4687fcf68ec78cb5696c56da09da5b1186845c975128c7b06c9dccf54
                                                                                                                                        • Opcode Fuzzy Hash: 0518c9bd9cbfe973f76e0a62f2c0e603f791ffd33b183faffee6db2b70ff5b04
                                                                                                                                        • Instruction Fuzzy Hash: D221DE73A18169CFE790CFADD8817BBBBB4FB44610F104577E16AD6280EA34C54587E1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b5d7ca63aca071737091246752a3bb068598887a5c6b7c2532bf37ae34b39089
                                                                                                                                        • Instruction ID: 46672c2f99134a66d8dfa0fe2f9fa4dd82d999b26e942a129d234486799191ce
                                                                                                                                        • Opcode Fuzzy Hash: b5d7ca63aca071737091246752a3bb068598887a5c6b7c2532bf37ae34b39089
                                                                                                                                        • Instruction Fuzzy Hash: A0E1F975E005159FCB04DFA8C985E9DBBF6FF88314B268069E415AB361CB34EC85DB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: bbae01c5a0ac9cb47f945a02a5765aa997cfff828a7618ec2ae994e9c87a37f2
                                                                                                                                        • Instruction ID: 185fc9a61aac3bff72dadd76be9c6dff86e059677f29c81874c564628c566176
                                                                                                                                        • Opcode Fuzzy Hash: bbae01c5a0ac9cb47f945a02a5765aa997cfff828a7618ec2ae994e9c87a37f2
                                                                                                                                        • Instruction Fuzzy Hash: BC91CF38B04205DBDB04DBA4CA53F6EB3A3AB89711F25842CE516AB395DB30DC41EB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 649b15124ef54156ff2d02ffada469f9b7d7d576c14c250faa9db1b1c21dad54
• Instruction ID: d2479b2ea031a574f1f2741d95a1d63ce1e889c73da2c4c1537f3b989e57457b
• Opcode Fuzzy Hash: 649b15124ef54156ff2d02ffada469f9b7d7d576c14c250faa9db1b1c21dad54
• Instruction Fuzzy Hash: 90512339B08245CBD700DB78D947B6EB6B2EB85310F21866AD009DB385DB30EC81D791
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ddd7458426c2ef9f6d4cc513d7a62f36454f87271ced0017e2b9ebb26eca7c8
• Instruction ID: a698cdc9b02164c027845e0b483f9ee7f79bf4be353d288667f7b173f4482c08
• Opcode Fuzzy Hash: 3ddd7458426c2ef9f6d4cc513d7a62f36454f87271ced0017e2b9ebb26eca7c8
• Instruction Fuzzy Hash: B4410674E04208CFDB44DFA8D4946ADBBF2FF89305F14842AD819AB395DB35A946DF40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb31f1d242529a308a8936d15c72d29bd2bd00dbc98cc2d151035dff713565b0
• Instruction ID: e20d12b6f21cc4b227fe6d647d7659e1832c77b0db31a110746e9bc052126f79
• Opcode Fuzzy Hash: eb31f1d242529a308a8936d15c72d29bd2bd00dbc98cc2d151035dff713565b0
• Instruction Fuzzy Hash: 5141E238E04208CFDB44DFA8D494AADBBF2FF89305F148029D819AB395DB35A946DF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 464225563ea673b367eaee7c9965c83175127dbb91eaa3d9f775b7ca5ea893d3
• Instruction ID: 97bc5374241d072bf40aa48bbd34c4c156dcf00356a110497d9b4609d1ad99c9
• Opcode Fuzzy Hash: 464225563ea673b367eaee7c9965c83175127dbb91eaa3d9f775b7ca5ea893d3
• Instruction Fuzzy Hash: 07416B34E08258CFDB40DFA8D4946AEBBB1FF89311F148869D829A7384D7359A42EF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3a9329160a5413c1844b188d9f9e204a6c0e6442a8e0a58cb8105251a49ee74
• Instruction ID: 7f6946c13dc7465d2b3ef8d0abfe46c4c81e6ac70fcf212fc994e62a6069f68d
• Opcode Fuzzy Hash: a3a9329160a5413c1844b188d9f9e204a6c0e6442a8e0a58cb8105251a49ee74
• Instruction Fuzzy Hash: 6C31E431B042449FCB059B24D855BAEBBB7EBC9310F144079E606EB390CF34AC05C7A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8280ec005cff73931065d9e03bb34554d24f74f7caaf96630fb78d5d676438e3
• Instruction ID: 74ad2a0f5b76f9ff2d1fc2d1131bc23ce8b477b014981d5e5e0082f59eb27e75
• Opcode Fuzzy Hash: 8280ec005cff73931065d9e03bb34554d24f74f7caaf96630fb78d5d676438e3
• Instruction Fuzzy Hash: 73314B34E0825CCFDB40DFA9D4846AEBBB1FF89315F148869D819A7384D7319A42DF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7008e58ba434fc2baf1f84175d143cd1a5298cde0d8e0cf21e26c8594a4db935
• Instruction ID: 343d6af5296e9afeecd398ac0abee79fb46324850c2440b82917333f9d77ee8b
• Opcode Fuzzy Hash: 7008e58ba434fc2baf1f84175d143cd1a5298cde0d8e0cf21e26c8594a4db935
• Instruction Fuzzy Hash: 2A31A335B001099FDB05AF64E545B6E3BA2FFC4350F048428F9099B354CB34ED51EB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3ef0fd18e71b3c3c4bd78e768ad436d38cc38924284b8da35948c8b473e7c20
• Instruction ID: ddf2d4e1721eaae3d4f2aa1c77279b4dca068fe8dda9da6c851edf6accda82f0
• Opcode Fuzzy Hash: b3ef0fd18e71b3c3c4bd78e768ad436d38cc38924284b8da35948c8b473e7c20
• Instruction Fuzzy Hash: D0312531A04915CFE7408FA8C8017AAB7B5FF84B01F118C26D411DB2A4CB38DA438BD2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8ddb3085a95b56b2e3d5e0a35b383fda247997561ba002b30a40454964bf9ae8
• Instruction ID: ac036834cddd5db9633447de4aed2226ddc2bdf70895a65f67749f6d8fbf89e4
• Opcode Fuzzy Hash: 8ddb3085a95b56b2e3d5e0a35b383fda247997561ba002b30a40454964bf9ae8
• Instruction Fuzzy Hash: F931F636A08747CBCB108FBDCA82BAAFBB6EB45310F60453FD017D6252D2349948E752
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2cfdb70a759f7bc3fe822f0db80e8b52d61bf872b2a5e0df8a38c6694fd38162
• Instruction ID: 92d5b2b0abe18a2ea28922a6391e9e860d5d1fac7e511bb6844c93a866db8a21
• Opcode Fuzzy Hash: 2cfdb70a759f7bc3fe822f0db80e8b52d61bf872b2a5e0df8a38c6694fd38162
• Instruction Fuzzy Hash: 8721B57560472DCFE7A08A59C8807AAF7A5FB88A10F148526E566CB3C1C678D941C7B1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdd15215864b3c9758eb075ac2f7a310c95127ddff1fb3250dd3e84b58983c10
• Instruction ID: ccce117092f8debdf68bde71d46db758f1db95620e3e11628a6fc47ca882f24b
• Opcode Fuzzy Hash: bdd15215864b3c9758eb075ac2f7a310c95127ddff1fb3250dd3e84b58983c10
• Instruction Fuzzy Hash: DF21D67160472DCFE7A0CFA8D8807AAF7B5FB84A10F198922E555C72C1C238D940C7B1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abec8b41f2a3f0657d1afb0cb830dc771576c8c531e4b65ff4598fa83a9284aa
• Instruction ID: 4ca8d2df0cfef1009c35e4525c8f2509f601929acf0214b46afd13f16ba275ba
• Opcode Fuzzy Hash: abec8b41f2a3f0657d1afb0cb830dc771576c8c531e4b65ff4598fa83a9284aa
• Instruction Fuzzy Hash: 7F11B131B042E1AFEFB449A548937367363B785E10F258479960A8F684DE71D845CAE2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edf2ebc1f7f836c6d49676cfa4df04b54083de04bb2d514d477a024324217f55
• Instruction ID: dd4765cb06d19c87dbe8f243083b625b76ae52aecc160fdfb3fe5f2e9b239acd
• Opcode Fuzzy Hash: edf2ebc1f7f836c6d49676cfa4df04b54083de04bb2d514d477a024324217f55
• Instruction Fuzzy Hash: 8921E47170436ACFE7908B69CC007ABB3A5FB84A11F044922E5A5D73C0E278D942E2A2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a20ddec756c8e56b738945eecdecc7012064afa2936306e3e8c97376145576c5
• Instruction ID: 1fe4325cdc185a9e6adcfb45c7abc0ee96a07dff31f7ffef218a98007116d447
• Opcode Fuzzy Hash: a20ddec756c8e56b738945eecdecc7012064afa2936306e3e8c97376145576c5
• Instruction Fuzzy Hash: 50219271A049269FE780CF5DC8416AAF7B5FF88B00F104D26D516D7354D778DA428BD2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f764b0a381aa402439aeacbcf2e5fb712e21caa23818d10dfa0cb7ef36caea46
• Instruction ID: 4e77b71206880075de537ee88f005850cf999e34dd93ffd2f782eb3ebf236c01
• Opcode Fuzzy Hash: f764b0a381aa402439aeacbcf2e5fb712e21caa23818d10dfa0cb7ef36caea46
• Instruction Fuzzy Hash: CE11873170437ACFE7948B59C8007A7B3A5FB84B11F144922E555D73C0E274D942E6A6
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3bee4af93d9b03c68f39a4a25ba3be3854bc6fe672b2305f0667df53045b2af
• Instruction ID: 373295319a61d5b2491190ee7b43964f1d881c7d94868b565bbf4793b0b490d0
• Opcode Fuzzy Hash: f3bee4af93d9b03c68f39a4a25ba3be3854bc6fe672b2305f0667df53045b2af
• Instruction Fuzzy Hash: 2B113632B043F0DFFF7049A19C83B267323B781E11F158576E9069B284DA71C845CA92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fbd0b55dd79de05cd58a6ed8014c02e3ddb5070d0e7f73a0a4c6ed834eee1e2
• Instruction ID: 5abb30987dfc982821e327bd8f10d052d28a753210dbea669987781bc8323fae
• Opcode Fuzzy Hash: 5fbd0b55dd79de05cd58a6ed8014c02e3ddb5070d0e7f73a0a4c6ed834eee1e2
• Instruction Fuzzy Hash: 1E11A03BA0811787DB649E6D9A53FBAF2AAEBC0310F20412ED41AC7248DB30DD41B357
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 07ec94be95afe654523645182ef606bca5942bf60f779dbce9b87f3d92bd9c24
                                                                                                                                        • Instruction ID: 0aad27674d0071399c93030c90174cfeac8c178d1911f831acc7f571aa393743
                                                                                                                                        • Opcode Fuzzy Hash: 07ec94be95afe654523645182ef606bca5942bf60f779dbce9b87f3d92bd9c24
                                                                                                                                        • Instruction Fuzzy Hash: CE11C43360401AC7EB08DE59DD12BBBB7A6EBC4310F64816AFA19C3250C634D951B7D2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ef9faab438885525dd693145a9b2ea019ccb4ea41d63e716909427a5d2d12252
                                                                                                                                        • Instruction ID: 5735bc1ed3814226bd6c2e93ff2f4c5ec5d13859a236b53fac8701a90c85ddd8
                                                                                                                                        • Opcode Fuzzy Hash: ef9faab438885525dd693145a9b2ea019ccb4ea41d63e716909427a5d2d12252
                                                                                                                                        • Instruction Fuzzy Hash: 7811B470A48341CBD700BB79D906B697B61EB41305F24807ED149CA285DB7A8D43EF52
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2b38d2bd8de1eac550afdf0d8c601ff00e2f95bb284387dccf6f423f8a62503e
                                                                                                                                        • Instruction ID: db57642dd9719e07d9e77bc82a983bb872ebebe302b1546f75c38693343968aa
                                                                                                                                        • Opcode Fuzzy Hash: 2b38d2bd8de1eac550afdf0d8c601ff00e2f95bb284387dccf6f423f8a62503e
                                                                                                                                        • Instruction Fuzzy Hash: 9911E6316045A9CFEB51CF68D860BAABBB1FF08B00F058B66E516CF191C331D851CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e4fcf59710a00ec0af00b240c096494c67f160da49b9f360d6578fc6da27b62f
                                                                                                                                        • Instruction ID: f2c5db49e757d464c7782a559e8777692141d8696d336e28b0b1bdaa4e6ad059
                                                                                                                                        • Opcode Fuzzy Hash: e4fcf59710a00ec0af00b240c096494c67f160da49b9f360d6578fc6da27b62f
                                                                                                                                        • Instruction Fuzzy Hash: 96018931B081908FD3141636AC5467BBB9FEFCA251F15847BD506C7385DD2CCC0683A0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: dd49511bc5a282d6451f67d0f3d9876bc4aa82345aed68e1d7496382df011947
                                                                                                                                        • Instruction ID: e03e661aab178db272544209da670acf37fcbbdc87976f7f9771b37b185acd50
                                                                                                                                        • Opcode Fuzzy Hash: dd49511bc5a282d6451f67d0f3d9876bc4aa82345aed68e1d7496382df011947
                                                                                                                                        • Instruction Fuzzy Hash: 13014971604524EBCB08CA8DD450AAEB7AAFF88331F18C5B7F4198B341CA30EA418B90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1bb45c612749d30f4c7fcc5e5da24f425a111ee0dc30d7a2286673f521f399df
                                                                                                                                        • Instruction ID: ea335ea9bf18b6ee188db613b72e33953d562f4d6d4db5d19eb740ea264cf021
                                                                                                                                        • Opcode Fuzzy Hash: 1bb45c612749d30f4c7fcc5e5da24f425a111ee0dc30d7a2286673f521f399df
                                                                                                                                        • Instruction Fuzzy Hash: 5A0121703053506BE7022368A8267AE779ADBC2B01F01083AF106CB6C0DE698E064382
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2826c756c8da36c13dc83b15486e710135ebc1d67ee9c6066f5cabe4697013f7
                                                                                                                                        • Instruction ID: 8d3ac0033f8e727cbfe9fd3175808aba7067622bdb51c7123a1d6a1291e8732f
                                                                                                                                        • Opcode Fuzzy Hash: 2826c756c8da36c13dc83b15486e710135ebc1d67ee9c6066f5cabe4697013f7
                                                                                                                                        • Instruction Fuzzy Hash: 23F02B3034535067EB012378AC157AE765ED7C5B51F00083EF106CB7C0DE698E464395
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4fdafc11a47d634809225a17a24af7f2d332cdab527e8b3a59b92365675c6ee3
                                                                                                                                        • Instruction ID: 2905bc04677db2b39f9cd8af4803cecbbcbcc2bfcf81d6710dcf765039d8a9ca
                                                                                                                                        • Opcode Fuzzy Hash: 4fdafc11a47d634809225a17a24af7f2d332cdab527e8b3a59b92365675c6ee3
                                                                                                                                        • Instruction Fuzzy Hash: 9501F932F0421DDBDB10DB949A0ABBAB664E741B14F11802AD605DB290C7B4EE01ABD3
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8c2717b480d069f585d3e964d3ab132be9fd066b332b17a1ff35d380963a1e33
                                                                                                                                        • Instruction ID: 8f90ee03c10c2f7bc43e0219cf07a9b67400950a166286c38ec3c51953a851b1
                                                                                                                                        • Opcode Fuzzy Hash: 8c2717b480d069f585d3e964d3ab132be9fd066b332b17a1ff35d380963a1e33
                                                                                                                                        • Instruction Fuzzy Hash: C2F0ED303082949BDB02AAB0E8657583B36E781651F90886AD906CF7C2DD6D8A0BC791
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330736166.00000000068D0000.00000040.00000001.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3c4a479d828041d9fc4c0f2cd8a96e565f20bbcb3bf924213bc0155d653637c2
                                                                                                                                        • Instruction ID: 18a4efa83e7bafbe974d08c881eaa4a8582e493b63c92f5bde1bf66787b7ea1b
                                                                                                                                        • Opcode Fuzzy Hash: 3c4a479d828041d9fc4c0f2cd8a96e565f20bbcb3bf924213bc0155d653637c2
                                                                                                                                        • Instruction Fuzzy Hash: A8E0E230D12208EFCB44EFB8E19539CBBB1EB44205F6041A9C90896380EB358E86CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330736166.00000000068D0000.00000040.00000001.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 030c3d5782ed6e13502ec4f1a9073570e53d161ee3b99ad001da2b09703508cd
                                                                                                                                        • Instruction ID: bae8130c9ec98ab82d5aef274a0d25145c72201879b4276ef69e9624f7b8fd7c
                                                                                                                                        • Opcode Fuzzy Hash: 030c3d5782ed6e13502ec4f1a9073570e53d161ee3b99ad001da2b09703508cd
                                                                                                                                        • Instruction Fuzzy Hash: 3FE0E230D1130CEFCB44EFB8A55479DBBB5AB04205FA040A9C90892380EB359E85CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8ca75a3ed491b7367efacf7e17e9288305af605993b3abb39b1dcbccc480bc59
                                                                                                                                        • Instruction ID: c896dab6fc4f3ba0bda27d163c3e2183241d16a26d616140ce43bde423538165
                                                                                                                                        • Opcode Fuzzy Hash: 8ca75a3ed491b7367efacf7e17e9288305af605993b3abb39b1dcbccc480bc59
                                                                                                                                        • Instruction Fuzzy Hash: C1D0A70084F3C809CB1152A1B8947E97F78E781504FC4008AC14816883D4680845D351
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 564ce7441e61e080b6c2f6f893d4546ce24a6bb1b974e74e6c056ae18ff6a076
                                                                                                                                        • Instruction ID: 93c6506378dc4043da68f5a1ca9a13638e0c489fa37ab0e2560ae70af93adb63
                                                                                                                                        • Opcode Fuzzy Hash: 564ce7441e61e080b6c2f6f893d4546ce24a6bb1b974e74e6c056ae18ff6a076
                                                                                                                                        • Instruction Fuzzy Hash: FCD022224816884FE3186680F82833A3758F38038FF484898C109926C1D6ACD882EA92
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 094534bb9e69cabbb0343ce6ea91dac39807077d72ba9d0a7c625abb86700d29
                                                                                                                                        • Instruction ID: b1ea7c385ca8a3858cd5397ccec2df86f143010faf18306dbf0b72b84d474f41
                                                                                                                                        • Opcode Fuzzy Hash: 094534bb9e69cabbb0343ce6ea91dac39807077d72ba9d0a7c625abb86700d29
                                                                                                                                        • Instruction Fuzzy Hash: 8EC0123559D6494AC540BB70F85245F335AAAC1B09380C8249A084D079EFB46D88C695
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3367ca1a3f22b1902055b4e678836e531ebaae4b42ea0c0ee8b416a8ae785fe4
                                                                                                                                        • Instruction ID: 6f635623afb58fe8fc9b924c1db86a3c8ae959865c5154dfff5f36dee96e5ad0
                                                                                                                                        • Opcode Fuzzy Hash: 3367ca1a3f22b1902055b4e678836e531ebaae4b42ea0c0ee8b416a8ae785fe4
                                                                                                                                        • Instruction Fuzzy Hash: 7AC09B918581904FDB02533054793C13F34D712646F4501C5E9C4C7593C02C1D0EDF33
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2649d08cff926dec2660d40360e77e82ff4a6d06ae58b616729612f5155b7cf7
                                                                                                                                        • Instruction ID: fc5067d304a48dcc9eb573c57214268a8a003fe3709bcab37acc74ce84a4f82e
                                                                                                                                        • Opcode Fuzzy Hash: 2649d08cff926dec2660d40360e77e82ff4a6d06ae58b616729612f5155b7cf7
                                                                                                                                        • Instruction Fuzzy Hash: 10B02B1184630C05C15421C1B424779738C73C0504FC00014C10C025C1093C5CC0C091
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.330510869.0000000006530000.00000040.00000001.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: fa752c3aad7417601d89b22c6b97c8c2026f1bb0871dc0094cdc338293420d9c
                                                                                                                                        • Instruction ID: 5e60362e881c33889c8c116b9792c052257d3d65e292de0d12179073699737ef
                                                                                                                                        • Opcode Fuzzy Hash: fa752c3aad7417601d89b22c6b97c8c2026f1bb0871dc0094cdc338293420d9c
                                                                                                                                        • Instruction Fuzzy Hash: 4DC02B3040170C8FC31866C0B42C37B335CF380246F840410C10E015C09BBC4CC0D9D2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Non-executed Functions

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.326321992.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Kl$Kl$Kl$Kl
                                                                                                                                        • API String ID: 0-3565144343
                                                                                                                                        • Opcode ID: 23350a1f1117417c062c89a855d25cfa8861c1e728a898572cac569d2e5fa930
                                                                                                                                        • Instruction ID: a0fee99f18ac42c5d646edd35311eddbdd5dbc39c1802c0b85410bbb400140fd
                                                                                                                                        • Opcode Fuzzy Hash: 23350a1f1117417c062c89a855d25cfa8861c1e728a898572cac569d2e5fa930
                                                                                                                                        • Instruction Fuzzy Hash: 1011C2393002025F8300AF7AD196B29B3E5EFC9394324047DE90ACB7A1DE71EC0497A1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Executed Functions

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: D0l$D0l$D0l
                                                                                                                                        • API String ID: 0-195073329
                                                                                                                                        • Opcode ID: aa09112e374c2f0f671faf2300ab6c18376a37de1aec4bc281f30cb77a39fa66
                                                                                                                                        • Instruction ID: c7e6230e8c5130a78992572654a31d183a593b7f5f57b666e908f2b8029a9ad1
                                                                                                                                        • Opcode Fuzzy Hash: aa09112e374c2f0f671faf2300ab6c18376a37de1aec4bc281f30cb77a39fa66
                                                                                                                                        • Instruction Fuzzy Hash: D1825D74A002199FCB15DF69C898AAEBBF2FF89304F158069E915EB361DB34DC41CB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,0662F085,?,?,?), ref: 0662F2EC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateProcessUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2217836671-0
                                                                                                                                        • Opcode ID: 5547ecf449e2869d4525c5dbfc1ba4a7aae9e486264f4c60234276b584fd32e3
                                                                                                                                        • Instruction ID: fd8c0bfe6c780edf516ca9f2cab063182f515a4ef5edca8c11f06be264a97d05
                                                                                                                                        • Opcode Fuzzy Hash: 5547ecf449e2869d4525c5dbfc1ba4a7aae9e486264f4c60234276b584fd32e3
                                                                                                                                        • Instruction Fuzzy Hash: A291CFB5D0426D9FCB65CFA4C880BDDBBB5BB09304F1490AAE549B7210DB70AA85CF94
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Xcl$Xcl
                                                                                                                                        • API String ID: 0-2795669184
                                                                                                                                        • Opcode ID: 4c7f163f83cdd55dec2daa1ca0e83bf9cbfb29c2fb7c18e0548813979de6891b
                                                                                                                                        • Instruction ID: 50ad3ef448220852c14d2f96abdb510ccd6b906e42d334006e0013b5ea07ecd6
                                                                                                                                        • Opcode Fuzzy Hash: 4c7f163f83cdd55dec2daa1ca0e83bf9cbfb29c2fb7c18e0548813979de6891b
                                                                                                                                        • Instruction Fuzzy Hash: F6F1CE31B002159FDB29AF64D868B7E7BA3EBC8205F188469E906DB794DF74DC01CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Xcl$Xcl
                                                                                                                                        • API String ID: 0-2795669184
                                                                                                                                        • Opcode ID: 814e8ec89ef6e0c5c7bd3069dbc4e4d1d8c4190b4f45ce48cefab0f0e0c6df6b
                                                                                                                                        • Instruction ID: ed611de6f7fd7ec31b819c722b02043e3c99e3cc9b097a67cbfc4d931bee967e
                                                                                                                                        • Opcode Fuzzy Hash: 814e8ec89ef6e0c5c7bd3069dbc4e4d1d8c4190b4f45ce48cefab0f0e0c6df6b
                                                                                                                                        • Instruction Fuzzy Hash: 9B817C30B206068FCB24CF69C49CA7DB7B2FF89218B158169D815EB369DB31E841CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,0662F085,?,?,?), ref: 0662F2EC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateProcessUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2217836671-0
                                                                                                                                        • Opcode ID: 66a597d0c34b9aa966052d85f6dbcf91a7b05738d2198d07203439579f1fd523
                                                                                                                                        • Instruction ID: 7e47ec66ceca45c30686e8755c09bd7517e7f98c7b6819dfd336f4085bddd99b
                                                                                                                                        • Opcode Fuzzy Hash: 66a597d0c34b9aa966052d85f6dbcf91a7b05738d2198d07203439579f1fd523
                                                                                                                                        • Instruction Fuzzy Hash: 0991CF75D0426D9FCB65CFA4C880BDEBBB5BB09304F1490AAE549B7210DB70AA85CF94
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0667180B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                        • Opcode ID: 53ee4aefa879bbdc5ed29f68d197308d73bbf2e1f53a6b8dc87506cb65c931d2
                                                                                                                                        • Instruction ID: 8523e82b2784be15ed624021007770b0dd50e4eb02e864365d3e16955dbd87dc
                                                                                                                                        • Opcode Fuzzy Hash: 53ee4aefa879bbdc5ed29f68d197308d73bbf2e1f53a6b8dc87506cb65c931d2
                                                                                                                                        • Instruction Fuzzy Hash: B9419AB5D012589FCF10CFA9D984ADEFBF1BB49314F14902AE818B7210D774AA45CFA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0667180B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                        • Opcode ID: 8a1646e9e8ee3e9e5c375bfa1a89c36d0d42ecbe2a4aa992bb3204158eade165
                                                                                                                                        • Instruction ID: b0b067d51e2131a2aa6f4ab54b37e1ef9c83e5e88860f9bd329e0f72f9cb4c29
                                                                                                                                        • Opcode Fuzzy Hash: 8a1646e9e8ee3e9e5c375bfa1a89c36d0d42ecbe2a4aa992bb3204158eade165
                                                                                                                                        • Instruction Fuzzy Hash: 8E41ABB5D012589FCF00CFA9D984ADEFBF1BB49314F14902AE814B7210D774AA45CF64
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 0662D03F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                        • Opcode ID: 641e59b4b3b0f10c1e803a4fd97bb4288eb44fbacc167461e8a0d781f30836ae
                                                                                                                                        • Instruction ID: 45e7b2ccbff4c3900e4f5323db514dd3e1034747e223f89e1263bf8828522d89
                                                                                                                                        • Opcode Fuzzy Hash: 641e59b4b3b0f10c1e803a4fd97bb4288eb44fbacc167461e8a0d781f30836ae
                                                                                                                                        • Instruction Fuzzy Hash: 4741EE74C052589FCB11CFA9E484AEEFBB0AF49310F24909AE854B7311D7359A85CFA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066714FA
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 2d8bd1cc769e17700a9584499d6fd84cb5447e51213e328d63bf46686b4ffb77
• Instruction ID: 4889711cee07d2bb60d21b319fce9939838a60cf3944652da730d4b1291f2369
• Opcode Fuzzy Hash: 2d8bd1cc769e17700a9584499d6fd84cb5447e51213e328d63bf46686b4ffb77
• Instruction Fuzzy Hash: 573189B9D042589FCF10CFA9E980ADEFBB1BB49314F14942AE815B7310D735A946CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066714FA
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 0c668e535202cc99709426b03b3bc5ec78521c31ab7a237119909179ed02a9f3
• Instruction ID: 67f10949d6a4804728a81ff8ec3b6578e1e56f01679250bbfbbc873d7420dc13
• Opcode Fuzzy Hash: 0c668e535202cc99709426b03b3bc5ec78521c31ab7a237119909179ed02a9f3
• Instruction Fuzzy Hash: 233198B9D042589FCF10CFA9E880ADEFBB5BB49314F14942AE815B7310D735A946CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadContext.KERNEL32(?,?), ref: 06670A07
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 094b9c8b79c37479bcaea1ffc1dd8a0b292c622217b000cddf2bbaf84990fa9a
• Instruction ID: b783ff5b830ff60bf77aff712c44ba655b2f30af5d02df412cbc0d6e7d935153
• Opcode Fuzzy Hash: 094b9c8b79c37479bcaea1ffc1dd8a0b292c622217b000cddf2bbaf84990fa9a
• Instruction Fuzzy Hash: 8541DFB5D012589FDB10CFA9D884AEEFBF1BF49314F24802AE415B7201D778A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 0662D03F
Memory Dump Source
• Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: c3e273f7ad1fa390a59ca3a87bed31f493488423430bb82da9905f115d0e2493
• Instruction ID: 38475233f76b0a6ebf23f4b9ff95179a481178338f607389180e760a1e18a147
• Opcode Fuzzy Hash: c3e273f7ad1fa390a59ca3a87bed31f493488423430bb82da9905f115d0e2493
• Instruction Fuzzy Hash: 7D31A9B9D042589FCB10CFA9E884ADEFBB4BF19310F24902AE814B7310D775A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNEL32(?,?), ref: 06671C37
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: f91b23dc3deb124dc473d70f6159c1ec44437d048f5888b2c7fbb2e8e104d1ad
• Instruction ID: 047c4f23a22ae0fc742008d447e109891854ee74567ef45d9e2a840f0af7a4da
• Opcode Fuzzy Hash: f91b23dc3deb124dc473d70f6159c1ec44437d048f5888b2c7fbb2e8e104d1ad
• Instruction Fuzzy Hash: 9C41CDB5D052589FCB10DFA9D884AEEFBF1BF49314F14802AE414B7200D738A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 06628AC7
Memory Dump Source
• Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2c8dba05e651baed404e891766793afeb2713c82acf55f9915f08c49a5f94c90
• Instruction ID: 3528060729a3889d1f86af26398239de63a226c7d3f4d6630a746f16f4be700d
• Opcode Fuzzy Hash: 2c8dba05e651baed404e891766793afeb2713c82acf55f9915f08c49a5f94c90
• Instruction Fuzzy Hash: 7E31A9B9D042589FCF10CFA9E984ADEFBB4BB09310F14902AE814B7310D774AA45CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadContext.KERNEL32(?,?), ref: 06670A07
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: a8998687a9d9f4733491fe9e40a1d65b292b587bd3477097d6484d022719a93b
• Instruction ID: 1123b0a91fae1e959a320f07428501798dfd35d92281909816e33a6017156f14
• Opcode Fuzzy Hash: a8998687a9d9f4733491fe9e40a1d65b292b587bd3477097d6484d022719a93b
• Instruction Fuzzy Hash: 9131CDB4D052589FCB10CFAAD884AEEFBF1BF49314F14802AE415B7201D778A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNEL32(?,?), ref: 06671C37
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 0b0a6a31ecef868d592aa13f8c384e81aee1c23cf32613f07988473198a51a48
• Instruction ID: df575209cc1238afd5cf48b22482ed56559b3ab2a3925b35c69d09378332f451
• Opcode Fuzzy Hash: 0b0a6a31ecef868d592aa13f8c384e81aee1c23cf32613f07988473198a51a48
• Instruction Fuzzy Hash: 6231BCB5D002589FCB10CFAAD884AEEFBF1BF49314F14802AE414B7200D778A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 0662D03F
Memory Dump Source
• Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2c5680ef42b912c1b8b7e4cd2e6eb33cfa1114a5fa18eb60d6ed71891be1c6fd
• Instruction ID: f084f682bffe3b7997289826284b1d827a4fd387d36ff76fc31ffbcf0b8af737
• Opcode Fuzzy Hash: 2c5680ef42b912c1b8b7e4cd2e6eb33cfa1114a5fa18eb60d6ed71891be1c6fd
• Instruction Fuzzy Hash: 7D3179B9D042589FCB10CFA9D584ADEFBB0BF59310F14902AE814B7310D775A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 06628AC7
Memory Dump Source
• Source File: 00000014.00000002.512906173.0000000006620000.00000040.00000001.sdmp, Offset: 06620000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 822614f9fd59e1f393540e1f30307ad75c07fd4b64c41f29f065fb1083f1abae
• Instruction ID: fa1f4b2b5c2e27387f22ee515c561e6d98c61e569a8d502a6b3cee96b97d8fec
• Opcode Fuzzy Hash: 822614f9fd59e1f393540e1f30307ad75c07fd4b64c41f29f065fb1083f1abae
• Instruction Fuzzy Hash: 4A3188B9D042589FCF10CFA9E984ADEFBB0BB19310F14902AE815B7350D774AA45CF64
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: ec8fc1a940643c92d3640e271c119e5e1b5984092f33b6e3c6a92683508be0b8
• Instruction ID: 810813dd4cd623b072a5a9be8baa9925db693d213dd789c9e2632d4a602196fc
• Opcode Fuzzy Hash: ec8fc1a940643c92d3640e271c119e5e1b5984092f33b6e3c6a92683508be0b8
• Instruction Fuzzy Hash: 2731CCB4D052589FCF10CFA9E884ADEFBB5AF49314F14902AE819B7300DB34A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000014.00000002.513119253.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 69d0fd17fbc862458caedb2cf93670bb26414ff1bf89fcb8aba835abc3196e2e
• Instruction ID: 668457eb977292c012ddab2981e57003777ab63a7b89b61943da40f6f17cfba3
• Opcode Fuzzy Hash: 69d0fd17fbc862458caedb2cf93670bb26414ff1bf89fcb8aba835abc3196e2e
• Instruction Fuzzy Hash: 1A31AAB4D052589FCF14CFAAE884ADEFBB4AF49314F14902AE815B7310DB74A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5646ffeb2f5fbc5f4b63288fb7f7d63fafa0af93641fb92305b75da3f8bb4344
• Instruction ID: dbde8708b0ee7251ca42d96dfa5139697431c329ea06c8afc8b781014840a7ee
• Opcode Fuzzy Hash: 5646ffeb2f5fbc5f4b63288fb7f7d63fafa0af93641fb92305b75da3f8bb4344
• Instruction Fuzzy Hash: 58E12E75E006159FCB04DF68D888AADBBF6FF49314B268095E816EB761CB34EC81CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64f6b572fcdeb204d07b87263d3b62fc270c7791aeffcb5cf69dd20fa9c3f2f4
• Instruction ID: aec169983b7d2f82f7300f3d95f0760a9b90374eaaa26056073c6300aa79613b
• Opcode Fuzzy Hash: 64f6b572fcdeb204d07b87263d3b62fc270c7791aeffcb5cf69dd20fa9c3f2f4
• Instruction Fuzzy Hash: 9C917F30B44204DFD704DBA8D859B7EB3A3AB8A318F259469E916FB395DB30DC41CB91
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d2d4a9d29f288bb2be7ea5fbf4db3d9fa297a9b9ca114381591f12b6efd8026e
                                                                                                                                        • Instruction ID: 9b6fa463914b995269ab6c683e4544e99880b4b8c03aef50b3e8973eaacd23e3
                                                                                                                                        • Opcode Fuzzy Hash: d2d4a9d29f288bb2be7ea5fbf4db3d9fa297a9b9ca114381591f12b6efd8026e
                                                                                                                                        • Instruction Fuzzy Hash: 7D511631B04240DBD700DBB8D84967EB7B6EB86308F11866AD515FB396EB34EC81CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1abb0b7be5857182838097054fc5f74bd83fb89685dd611e1bcbdecd9d5e5d9c
                                                                                                                                        • Instruction ID: 596727edb132e35c68352416c0eac9f0c772715357d797e93b390f69694e53ae
                                                                                                                                        • Opcode Fuzzy Hash: 1abb0b7be5857182838097054fc5f74bd83fb89685dd611e1bcbdecd9d5e5d9c
                                                                                                                                        • Instruction Fuzzy Hash: DE41B3317051149FCB159F64E8646BE7BB7EBC9210F24406AE917DBB91DF34DC028B91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: dfa20c6174ac18e20e8d91254440f3bb1073020c104d9137107dbdc338b29533
                                                                                                                                        • Instruction ID: 5f6edb1a2101c658b10969ccdb99e78d641e8b921faa6a9166fa0e29983a7f06
                                                                                                                                        • Opcode Fuzzy Hash: dfa20c6174ac18e20e8d91254440f3bb1073020c104d9137107dbdc338b29533
                                                                                                                                        • Instruction Fuzzy Hash: A4316D3170011A9FDF06AF64E858A6E3B72FB88310F248069F90697350DB39DC519B95
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 381e4c26031e0cd8c79d1cd80c18aea450739c14b471a6d6750a33471428987b
                                                                                                                                        • Instruction ID: c0ee1c45bea4cba5167f69b9c19bbf172cbea88ab8c2cd710000f12a78241e9e
                                                                                                                                        • Opcode Fuzzy Hash: 381e4c26031e0cd8c79d1cd80c18aea450739c14b471a6d6750a33471428987b
                                                                                                                                        • Instruction Fuzzy Hash: 4531D6B1E082658BD725D66C9C4C2BEFF65DB82200F1541A7EC26FB693D734C985C362
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b1953e570c4d9907cdf6b5d5c689c5149fb1f54205caa526b3fca633ef5d3339
                                                                                                                                        • Instruction ID: 06eb8bf6b8c0d09b8c5716e9efc89a2564b6a4fdefad44327581112f5e25bcab
                                                                                                                                        • Opcode Fuzzy Hash: b1953e570c4d9907cdf6b5d5c689c5149fb1f54205caa526b3fca633ef5d3339
                                                                                                                                        • Instruction Fuzzy Hash: 5A310375A08745DBCB108FFEE8982BAFBB4EB05200F04453BD82BE6A46D334A940C753
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ce96c0bc644525e5b3d8681a9218717d0ee5032b518c4e75d6ecbbbdb71677f2
                                                                                                                                        • Instruction ID: 2a9bba18b2cb4dd031bd6fbf5b9bdcc10f85db3eb5858df29680a1b098271b3c
                                                                                                                                        • Opcode Fuzzy Hash: ce96c0bc644525e5b3d8681a9218717d0ee5032b518c4e75d6ecbbbdb71677f2
                                                                                                                                        • Instruction Fuzzy Hash: F0119031718034CBD704DA69C8087BAF3AAEF88220F158536ED26FB392E634D944C692
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 47bf9534cebb2975f6481d8192d818e9fe4a72aa06c7b8c3e4327ead3510a10c
                                                                                                                                        • Instruction ID: cf73bad7db1eb453d9c6b9e1d3ceb0b35f8eccb8fe71a5b669dc934038f6da16
                                                                                                                                        • Opcode Fuzzy Hash: 47bf9534cebb2975f6481d8192d818e9fe4a72aa06c7b8c3e4327ead3510a10c
                                                                                                                                        • Instruction Fuzzy Hash: A411EC31F041486BFB645AA4CC25B1B625BE7C4700F21803EA707DF7C4DEB5AC168365
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 02bb12bc1fd42a19fbf218dd19bdf5736a8708bff5ed4d88ba9215e6ff5e020e
                                                                                                                                        • Instruction ID: 3895540bf9e044b4db941c6baf4060370dfee20f0421f808fb860f2bf1894889
                                                                                                                                        • Opcode Fuzzy Hash: 02bb12bc1fd42a19fbf218dd19bdf5736a8708bff5ed4d88ba9215e6ff5e020e
                                                                                                                                        • Instruction Fuzzy Hash: AC110E32608147C7DB209E2D98597BAF2AAEBC6218F106127EC1EF7748DB30D940C396
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b14b08dc17c169db16dbf001cf67e6a56c598a6deb6e78c80c26954a094740bb
                                                                                                                                        • Instruction ID: ab8f6869ec52bf29b78a027d5061e8e76844b61af93a99dfa9bfb4691a9b4e72
                                                                                                                                        • Opcode Fuzzy Hash: b14b08dc17c169db16dbf001cf67e6a56c598a6deb6e78c80c26954a094740bb
                                                                                                                                        • Instruction Fuzzy Hash: CE11E732605014C7EB02CE5ADC0C6BBBFA6EBC4240F40412BFE9AE3640C734D921C792
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3d609e180d8ba1fd05e912734bf82201ee9e4c3bf1e9e7791a3fd2cadeec93f5
                                                                                                                                        • Instruction ID: 824ab7b457ac24128a0638e3dcb5f3f3d2b4819b380ade9741c789ca6915bac4
                                                                                                                                        • Opcode Fuzzy Hash: 3d609e180d8ba1fd05e912734bf82201ee9e4c3bf1e9e7791a3fd2cadeec93f5
                                                                                                                                        • Instruction Fuzzy Hash: 5B119A70E04140CBD7189B78D818779FB65EB41349F24807AD909DA285DB7ACD92CB62
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ca322602068caa0d7309e1d8aa75b24e20328c9b7525b82965b70b955c8c8e68
                                                                                                                                        • Instruction ID: b665cea35980a60c336bcdd665b45ce29598070b51a1195aea701bf21adaf938
                                                                                                                                        • Opcode Fuzzy Hash: ca322602068caa0d7309e1d8aa75b24e20328c9b7525b82965b70b955c8c8e68
                                                                                                                                        • Instruction Fuzzy Hash: 2401462090F3C4AFC7079B749C295E97F709E03201B2A41DBD084CB2E3EA785E49D7A2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493332068.00000000025CD000.00000040.00000001.sdmp, Offset: 025CD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 56f0c6dd2cc1d5bcfbc81462252f2f3153e3d6e6cf59d700f1d7d9accd6a7c42
                                                                                                                                        • Instruction ID: 023312e1deff91dbd5ec6d19542347e00427dc5377d0a87b2083025837e3fd2b
                                                                                                                                        • Opcode Fuzzy Hash: 56f0c6dd2cc1d5bcfbc81462252f2f3153e3d6e6cf59d700f1d7d9accd6a7c42
                                                                                                                                        • Instruction Fuzzy Hash: 7F01247140D340AEE7204A56CC80766BBB8FF41A78F28842EE9049A286E378D840C6B5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 024b07467dad80498c2257305fed5969a7c69c04163d7913df38dfbaf5ab71a6
                                                                                                                                        • Instruction ID: 597cfb7e6f7cd4bdd7ca2474a1a10b02964a6abf2898ba4021244cb72fe15f43
                                                                                                                                        • Opcode Fuzzy Hash: 024b07467dad80498c2257305fed5969a7c69c04163d7913df38dfbaf5ab71a6
                                                                                                                                        • Instruction Fuzzy Hash: 55018131F04218DBDB109B98990D6BABA78EB05B00F158026ED0ABB781D7748E01CBD2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 57a5176168139656747ce5828dbc65bdb2a6989ea82d4b8851185cefe9667b70
                                                                                                                                        • Instruction ID: bec8d338f6a4ca0befbbaf7bfc4d72ed291a1d01b731f7089e813c69920a0ba3
                                                                                                                                        • Opcode Fuzzy Hash: 57a5176168139656747ce5828dbc65bdb2a6989ea82d4b8851185cefe9667b70
                                                                                                                                        • Instruction Fuzzy Hash: 68013C3490E388AFC743CFB49824599BFB0AB06200F1581EBD884DB292D7395E49DB62
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493332068.00000000025CD000.00000040.00000001.sdmp, Offset: 025CD000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8453944c1dce0a1c8b4615ef020dfec9d6c39d01193abd7f4ccdc2712e56ad5b
                                                                                                                                        • Instruction ID: 6ebcb0c76b9081be5300c3582c28d018922c5f3543ff4eaede79f44eda8c8056
                                                                                                                                        • Opcode Fuzzy Hash: 8453944c1dce0a1c8b4615ef020dfec9d6c39d01193abd7f4ccdc2712e56ad5b
                                                                                                                                        • Instruction Fuzzy Hash: 93F0C271409244AEEB258A16DC84B62FFA8EB41774F28C06AED085B286D378D844CAB0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 806b7dca7157a5f450902e31fad70476b68a3021ed9123d2f2b5ebc8956050ad
                                                                                                                                        • Instruction ID: b87514e6e24c01d2cee7d1eae3617f2f4972e55103e6187ba49baa087ec38ca2
                                                                                                                                        • Opcode Fuzzy Hash: 806b7dca7157a5f450902e31fad70476b68a3021ed9123d2f2b5ebc8956050ad
                                                                                                                                        • Instruction Fuzzy Hash: 4D01193490E3C4AFC7138B749C58899BF74AF47210B1981DBE8809B2B3D6345E59D762
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6a83b45cc151528e84430b21d4b60a5575c60fb6af15855b4210c150f980e074
                                                                                                                                        • Instruction ID: f970c7d8c86652249b34e4949a3067c474b92611de6ea394c0dbf6a5eae26d13
                                                                                                                                        • Opcode Fuzzy Hash: 6a83b45cc151528e84430b21d4b60a5575c60fb6af15855b4210c150f980e074
                                                                                                                                        • Instruction Fuzzy Hash: BEF01D3491E3889FC742CB789C589A9BFB4AF07210B1A80DBD844CB2A3D6345E48C762
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6d4a53df34690d0bf9b05d6dee3b1a791df42e08e3250b073f28938238896da6
                                                                                                                                        • Instruction ID: c4d2283e744ff5c11fc694a4d2d256d32eddd0d13c2d59c85fec9d34c91c4cbc
                                                                                                                                        • Opcode Fuzzy Hash: 6d4a53df34690d0bf9b05d6dee3b1a791df42e08e3250b073f28938238896da6
                                                                                                                                        • Instruction Fuzzy Hash: 3C011D3090E3C59FC743CF788868599BFB0AF07210B1981DBD484CB2A3D2345949CB12
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7aeb064ebdb8bf9a7275c5a24d093bbda1bccc84ce2792b1c6552c887e47aeb5
                                                                                                                                        • Instruction ID: 5a499f27c60f2e0711fcc3c8864aba88da91ade1bed9bf5745f48393de40ed8f
                                                                                                                                        • Opcode Fuzzy Hash: 7aeb064ebdb8bf9a7275c5a24d093bbda1bccc84ce2792b1c6552c887e47aeb5
                                                                                                                                        • Instruction Fuzzy Hash: 08F0123094F3849FC7069B749C595AA7FB4AB03204F1985DFD44097293C7355D49C7A6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c4f7ea9079a6c28cd1c3c447a4e23ffdc1cf065c2b274924e0af2dfa42b85edd
                                                                                                                                        • Instruction ID: abb75d21b2aa95925c835c9f3ea2606670322eb6103f8620c359475a17e9ea98
                                                                                                                                        • Opcode Fuzzy Hash: c4f7ea9079a6c28cd1c3c447a4e23ffdc1cf065c2b274924e0af2dfa42b85edd
                                                                                                                                        • Instruction Fuzzy Hash: 10F0127090A388AFCB52CFB8DC545ADBFB4AF06200F0581EFD844DB293D6385A45DB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ba8c20edd45266df2c33307b02327f5f8995c8231e8d190f9572c62db8b5da48
                                                                                                                                        • Instruction ID: a10414cfd3f66dd4f14fd78d78299817007054134d39323e503159feef233c5e
                                                                                                                                        • Opcode Fuzzy Hash: ba8c20edd45266df2c33307b02327f5f8995c8231e8d190f9572c62db8b5da48
                                                                                                                                        • Instruction Fuzzy Hash: 53F0963450A284AFC706CFA4DC15DE97F74EF06210F0980DAE4449B2A3C6345D85DBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 67715a25e23d3b22cc41300510d48f653df4cad550957cc5948bfff60e470b9e
                                                                                                                                        • Instruction ID: 738007270a2730e58aeda8e19532729164a9d57a64ee7bfc938defef68126abf
                                                                                                                                        • Opcode Fuzzy Hash: 67715a25e23d3b22cc41300510d48f653df4cad550957cc5948bfff60e470b9e
                                                                                                                                        • Instruction Fuzzy Hash: 96F03A3490E3D89FCB03DBB448642A97FB49F07100F4981EBD5889B693D6394A49DB62
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1d48e6f256bbd3798805470dc4bfac09392eaaa8d24fea5329afb74a1c3a22fe
                                                                                                                                        • Instruction ID: 4c94fec268e19ad4ceaf4e39a25f338fd6014b15b30ae228be7e4b0222735e29
                                                                                                                                        • Opcode Fuzzy Hash: 1d48e6f256bbd3798805470dc4bfac09392eaaa8d24fea5329afb74a1c3a22fe
                                                                                                                                        • Instruction Fuzzy Hash: 39F05830D0E388AFCB42DBB4986459CBFB4AF06204F1980EBC444DB392D63D4E49CB62
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 91e6edc1ec604a4be1e8eb53d394a42492e22c0f9297777295047ebb7a7b4b7c
                                                                                                                                        • Instruction ID: ec250a1614c76e1f4c1f87972e0b6b2631e1404f835f855d3d50dfad60d35d2c
                                                                                                                                        • Opcode Fuzzy Hash: 91e6edc1ec604a4be1e8eb53d394a42492e22c0f9297777295047ebb7a7b4b7c
                                                                                                                                        • Instruction Fuzzy Hash: F5F0152040F3C49FC313877059656957F789F03108B1A40DBC484CB2E3D62A0C4AC3B6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 935711ff6d61d4c1c4f45c3a4d456162195071d8ef8dba07926591835b65963e
                                                                                                                                        • Instruction ID: 89d933b6b7612b6711d2236b6ae2fb9870571af33d996b8262a62bfd16cfdf7a
                                                                                                                                        • Opcode Fuzzy Hash: 935711ff6d61d4c1c4f45c3a4d456162195071d8ef8dba07926591835b65963e
                                                                                                                                        • Instruction Fuzzy Hash: 39F03A34D0A348DFCB42DFA8D858689BFB4AF4A300F1481DAD844D73A2D2385D45DF61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f49140ca8704a40721f34cdfa1001cf560d92391a1c27eae00b44f4287f403d1
                                                                                                                                        • Instruction ID: bf5fc21bee127624bc4ed03743410d876511de6bc748c6df2324fec4cdd35f34
                                                                                                                                        • Opcode Fuzzy Hash: f49140ca8704a40721f34cdfa1001cf560d92391a1c27eae00b44f4287f403d1
                                                                                                                                        • Instruction Fuzzy Hash: 57F0823480A388AFCB42DFA4DC54D897F74AF06300F0580C6E840973A2C2345D54DB66
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7610b7d78e2ff12210136d59c1cb05e6fd6eab5489b62dadea06a19dac367d2c
                                                                                                                                        • Instruction ID: ab77e38a0be35e7400c0848e9caba7bd6701b86947db88549af6ed8a189efbd0
                                                                                                                                        • Opcode Fuzzy Hash: 7610b7d78e2ff12210136d59c1cb05e6fd6eab5489b62dadea06a19dac367d2c
                                                                                                                                        • Instruction Fuzzy Hash: 1EF0392494F3C89FC7078BB8AC295997F349F03211B1A40DBD4849B2A3C6695A59D7A3
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e9eedb5476eb2c77a0eb47be67d4710b081f12407b80965372c491e792639cc9
                                                                                                                                        • Instruction ID: 48d29727318177513d56d4d23d928d4bd55fbd3b5820cf794da9103572d75af7
                                                                                                                                        • Opcode Fuzzy Hash: e9eedb5476eb2c77a0eb47be67d4710b081f12407b80965372c491e792639cc9
                                                                                                                                        • Instruction Fuzzy Hash: EEE0E570D01208EFCB54DFA8D84469DBBF4AB49304F1084AAD81493340E7399A81EF91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1ad0e3f28ec2386d8cfc5b739547134d9346ae636d276b2e2826c407429dfe86
                                                                                                                                        • Instruction ID: 4e340385d1861a61a668d6b54b38649ff8ada079494885b05db0bac205650a93
                                                                                                                                        • Opcode Fuzzy Hash: 1ad0e3f28ec2386d8cfc5b739547134d9346ae636d276b2e2826c407429dfe86
                                                                                                                                        • Instruction Fuzzy Hash: 2DE07574E01208EFCB44DFA9D548A9DBBF4FB48304F1081E9D80597364D6356E41DF41
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: daa33534ee12ea35d3dcc793fd274de385ec10bb8ac697647a1ff4084519102d
                                                                                                                                        • Instruction ID: 4f9721238a78dc73221d318760c493747f39aa6b38e298f6c2ec8e165a73ef70
                                                                                                                                        • Opcode Fuzzy Hash: daa33534ee12ea35d3dcc793fd274de385ec10bb8ac697647a1ff4084519102d
                                                                                                                                        • Instruction Fuzzy Hash: E9E01270D01208EFCB94DFE8D548A9DBBB4FB48300F10C0AAD808A3340E7399A90DF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 72cd85b3d01cc3af31b80fd7ee3e59d8a0b95c9c5ea3d9480fd6753caeca43be
                                                                                                                                        • Instruction ID: bb3b165c54a08e41f039824c0371eea83179f912abd555cc816e69dce8567092
                                                                                                                                        • Opcode Fuzzy Hash: 72cd85b3d01cc3af31b80fd7ee3e59d8a0b95c9c5ea3d9480fd6753caeca43be
                                                                                                                                        • Instruction Fuzzy Hash: A2E07574E01208EFCB84DFA9D549A9DBBF4FB48314F1081EAD80897354D6359A41DF41
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d0de57643b4b91221ebafd184ad7b1a75b68d10dab59b023e102eec74dd6896b
                                                                                                                                        • Instruction ID: 8d6af98256a64a4ba2502e961a344bbcada237023b75e45f41cfec719e0403a9
                                                                                                                                        • Opcode Fuzzy Hash: d0de57643b4b91221ebafd184ad7b1a75b68d10dab59b023e102eec74dd6896b
                                                                                                                                        • Instruction Fuzzy Hash: 94E01234901208EFCB44EFA4D848A9DBBB4FB09311F108098E80427360C731AE90EB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d0de57643b4b91221ebafd184ad7b1a75b68d10dab59b023e102eec74dd6896b
                                                                                                                                        • Instruction ID: 529d6639bde02d0deca4556e58e5fc1632c9fabfa82554f90469075bf7beaafe
                                                                                                                                        • Opcode Fuzzy Hash: d0de57643b4b91221ebafd184ad7b1a75b68d10dab59b023e102eec74dd6896b
                                                                                                                                        • Instruction Fuzzy Hash: 46E04634901208EFCB44DFA4D888E9DBBB4FF09311F10C098E8042B360C731AE90EB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d0de57643b4b91221ebafd184ad7b1a75b68d10dab59b023e102eec74dd6896b
                                                                                                                                        • Instruction ID: e2577ac0090991660fbfa5646a1672e6bc947767a48dacbb6b1e86e0e54927a1
                                                                                                                                        • Opcode Fuzzy Hash: d0de57643b4b91221ebafd184ad7b1a75b68d10dab59b023e102eec74dd6896b
                                                                                                                                        • Instruction Fuzzy Hash: 16E01234901208EFCB44DFA4D848A9DBBB4FB09321F108098E80427360C731AE91EB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c195997ef1f67ce5b56d7ead27d9959bfeb8be704c0aa0c78b45cec50253ac85
                                                                                                                                        • Instruction ID: b6731c1e9dc67c652aa7eaabbb81a1efaeab02004090d6099501c2ed00bb7ae3
                                                                                                                                        • Opcode Fuzzy Hash: c195997ef1f67ce5b56d7ead27d9959bfeb8be704c0aa0c78b45cec50253ac85
                                                                                                                                        • Instruction Fuzzy Hash: D1E09270E01208EFCB94EFA9D54469DBBB9EB48305F1085EAC818A3344E7395A45DF85
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 271153e40c22b40f279f800f508ba1183c748eca70515d8bc125d8c3fef93eb5
                                                                                                                                        • Instruction ID: 20c7f21d286f8c4f1a172a861bcdf10cfc3362e1f08aadaad56cc0e86533d6b9
                                                                                                                                        • Opcode Fuzzy Hash: 271153e40c22b40f279f800f508ba1183c748eca70515d8bc125d8c3fef93eb5
                                                                                                                                        • Instruction Fuzzy Hash: 8DE0B634D21208DFCB80DFA8D588A9DBBF8FB08715F6080E9D80897350E631AE40CB51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3820fd19cb0b5aeaf58ac8f37227b30f40b7b6b24ff09d7e508740486b0cb33e
                                                                                                                                        • Instruction ID: 0a10b31bb101afaa79e9ebec4cc4aba4a0975675e7a3eee7861029176723cdcc
                                                                                                                                        • Opcode Fuzzy Hash: 3820fd19cb0b5aeaf58ac8f37227b30f40b7b6b24ff09d7e508740486b0cb33e
                                                                                                                                        • Instruction Fuzzy Hash: C8E0E230D12208EFCB44EFB8955869DBBB5AB04205F6045A9C80892380EB359A85CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6381f58efa9a4b6cc119ac7000010f50f3ed56d73edec7d05d015881adb57b57
                                                                                                                                        • Instruction ID: f07d05c67a0b61fa2f35cf0e663d2d2e2360d335f9303d15bae8406f2a9b45aa
                                                                                                                                        • Opcode Fuzzy Hash: 6381f58efa9a4b6cc119ac7000010f50f3ed56d73edec7d05d015881adb57b57
                                                                                                                                        • Instruction Fuzzy Hash: A5E01270D12248DFCB54EFB495547ADBFF4AB04205F5044EDC90892380E7355F85DB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 63f2510c43c16142ec2118115ab15f9b1e0e2f32a50996c2714c6c929af50096
                                                                                                                                        • Instruction ID: 3ddb94784b964be4c9d8f37b1bd54958775663106421d10a31bdb14c3a395e47
                                                                                                                                        • Opcode Fuzzy Hash: 63f2510c43c16142ec2118115ab15f9b1e0e2f32a50996c2714c6c929af50096
                                                                                                                                        • Instruction Fuzzy Hash: F5D05E30D06208DBCB04DFE4E5446ADBB78FB45305F6085EDC80423384D7355E86DBA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 74a118c7b54d4177e565151680d522895411f8427a19c483abd3450451791ae3
                                                                                                                                        • Instruction ID: bee384259efae980e962f1abc2016bf3f4510278d30f29f023ed60cde9c4a7bf
                                                                                                                                        • Opcode Fuzzy Hash: 74a118c7b54d4177e565151680d522895411f8427a19c483abd3450451791ae3
                                                                                                                                        • Instruction Fuzzy Hash: F8D0C930902208DBC759DBA49619B9A7779EB01209F5055ADD40812380EB365E41DA91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 29d499266da62b0ffca2dba0d05264d29edec821ba55b1359c3635929bb9205f
                                                                                                                                        • Instruction ID: 7791a4d162b91cf0802f5a21f79ae9d602b2c9fec66175aba92c4ab18a4f0338
                                                                                                                                        • Opcode Fuzzy Hash: 29d499266da62b0ffca2dba0d05264d29edec821ba55b1359c3635929bb9205f
                                                                                                                                        • Instruction Fuzzy Hash: 72D01230D02208DFCB48DFD4E919BAE777CE745215F004599D80863394DB755D50DA95
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 211cf3075f67efa679bba5db2cafc5d933be881a6a22fda51c69da5a1bcefd6d
                                                                                                                                        • Instruction ID: ba1a1753a21f87f6d4a68a1d44bc5ad05ad741ba49a2039dd9ef8fa4365262e0
                                                                                                                                        • Opcode Fuzzy Hash: 211cf3075f67efa679bba5db2cafc5d933be881a6a22fda51c69da5a1bcefd6d
                                                                                                                                        • Instruction Fuzzy Hash: 2EC012711556094EC945BB70E85295A333BAAC0B083A0C864D30849168FFB89C444A99
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e90962b5ba3f9bc2241c383dd61cfe99d7f3a4830f4e4feb10de633807ddb84c
                                                                                                                                        • Instruction ID: 3c60e3ee792c6d4bf7cc3ca47062f0d8e2e9967b435f51f8563d6149e528e379
                                                                                                                                        • Opcode Fuzzy Hash: e90962b5ba3f9bc2241c383dd61cfe99d7f3a4830f4e4feb10de633807ddb84c
                                                                                                                                        • Instruction Fuzzy Hash: 52C09B315441448F83C0DB14D444C25B354FF1661170556C5F45A47631C7319C50DA61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000014.00000002.512581405.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000014.00000002.493851800.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
Similarity
• String ID: Kl$Kl$Kl$Kl
• API String ID: 0-3565144343
Uniqueness
• Uniqueness Score: -1.00%

Executed Functions

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0657B643
Memory Dump Source
• Source File: 0000001A.00000002.505191198.0000000006570000.00000040.00000001.sdmp, Offset: 06570000, based on PE: false
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 033969A0
• GetCurrentThread.KERNEL32 ref: 033969DD
• GetCurrentProcess.KERNEL32 ref: 03396A1A
• GetCurrentThreadId.KERNEL32 ref: 03396A73
Strings
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID: l
• API String ID: 2063062207-2517025534
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 033969A0
• GetCurrentThread.KERNEL32 ref: 033969DD
• GetCurrentProcess.KERNEL32 ref: 03396A1A
• GetCurrentThreadId.KERNEL32 ref: 03396A73
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0657B643
Memory Dump Source
• Source File: 0000001A.00000002.505191198.0000000006570000.00000040.00000001.sdmp, Offset: 06570000, based on PE: false
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0657B643
Memory Dump Source
• Source File: 0000001A.00000002.505191198.0000000006570000.00000040.00000001.sdmp, Offset: 06570000, based on PE: false
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 033951A2
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: CreateWindow
• API String ID: 716092398-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 033951A2
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: CreateWindow
• API String ID: 716092398-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 03397F09
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: CallProcWindow
• API String ID: 2714655100-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03396BEF
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03396BEF
Memory Dump Source
• Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 0339BF12
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EncodePointer
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2118026453-0
                                                                                                                                        • Opcode ID: 34f6f905b711a866a0a25bca40daf6df9e5b1cceb97b890c0bbe48a9c6b28340
                                                                                                                                        • Instruction ID: 2b7cec09efcf9da83ff84c33ad2808647a20b65c7a5ccabce74eb5bda2776e57
                                                                                                                                        • Opcode Fuzzy Hash: 34f6f905b711a866a0a25bca40daf6df9e5b1cceb97b890c0bbe48a9c6b28340
                                                                                                                                        • Instruction Fuzzy Hash: 22215C71905349CFDF10DFA9E94939EBBF8EB48324F14842AE409A7641CB396945CFA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 0339BF12
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000001A.00000002.493569055.0000000003390000.00000040.00000001.sdmp, Offset: 03390000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EncodePointer
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2118026453-0
                                                                                                                                        • Opcode ID: 77cb163c543e6a75a360ada02c29e0bbe4c8de75c2a1b5ea97b97db93e67c9df
                                                                                                                                        • Instruction ID: 9a333de64947eee9b123f461e9ac19b56b82519ec0e09a5cf517a52558011879
                                                                                                                                        • Opcode Fuzzy Hash: 77cb163c543e6a75a360ada02c29e0bbe4c8de75c2a1b5ea97b97db93e67c9df
                                                                                                                                        • Instruction Fuzzy Hash: D2116A71905309CFDF10DFA9D94979EBBF8FB48324F14842AE409A7640CB79A945CFA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.492087506.000000000194D000.00000040.00000001.sdmp, Offset: 0194D000, based on PE: false
• Source File: 0000001A.00000002.492308088.000000000195D000.00000040.00000001.sdmp, Offset: 0195D000, based on PE: false

Non-executed Functions

Executed Functions

APIs
• API ID: InitializeThunk
Memory Dump Source
• Source File: 0000001B.00000002.487034774.0000000000632000.00000020.00000001.sdmp, Offset: 00632000, based on PE: false

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000001B.00000002.487034774.0000000000632000.00000020.00000001.sdmp, Offset: 00632000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                        • Opcode ID: 974553679e260ee94105ede55221de7ebabb8bf32f6d2476e9886545627095af
                                                                                                                                        • Instruction ID: e9e25a79da4b49eba1e8d7fe18c27522da9b3995b9a6b5d6e8808763a65d6502
                                                                                                                                        • Opcode Fuzzy Hash: 974553679e260ee94105ede55221de7ebabb8bf32f6d2476e9886545627095af
                                                                                                                                        • Instruction Fuzzy Hash: 699002B138504852D500A55A540DA06010957D0245FA9D011A1158595DCE758871B1B1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000001B.00000002.487034774.0000000000632000.00000020.00000001.sdmp, Offset: 00632000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                        • Opcode ID: 27f39f725fbc4ddf4ed6edbdbaf2fb901154df17dbddf5cfe2b0171797882fc8
                                                                                                                                        • Instruction ID: ed9f01ea0f7c23bd89b61a385316db703e49615f704c05367ebdf9426b085d9c
                                                                                                                                        • Opcode Fuzzy Hash: 27f39f725fbc4ddf4ed6edbdbaf2fb901154df17dbddf5cfe2b0171797882fc8
                                                                                                                                        • Instruction Fuzzy Hash: 409002B138100812D500A19A4409706010957D0241FA9C412E0618558DCE95887175B1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000001B.00000002.487034774.0000000000632000.00000020.00000001.sdmp, Offset: 00632000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                        • Opcode ID: ca610c29548365b14193f4b3733efc108bc5fba3ea4f85a3fdda65596795f4ca
                                                                                                                                        • Instruction ID: 24c222a81b5e1cdc8929526d861eb7b7469039e69b5b0c81c8aede3c95c81b83
                                                                                                                                        • Opcode Fuzzy Hash: ca610c29548365b14193f4b3733efc108bc5fba3ea4f85a3fdda65596795f4ca
                                                                                                                                        • Instruction Fuzzy Hash: 1F9002B138100413D540B15A541D6064109A7E1341FA9D011E0508554CDD55887662A2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Non-executed Functions