Analysis Report DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Analysis ID: 383976
MD5: edae8c184a250cccba45c023e805e12d
SHA1: 6042a0f078faad9525f052a561120d1e2551160f
SHA256: 0a572e4a9f5d166e563f1c63aa7aa029c2c206d23767bd6ab033a95d7d7027cb
Tags: AgentTesla, DHL, exe
Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Startup

  • System is w10x64
  • DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe (PID: 5716 cmdline: 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
    • cmd.exe (PID: 3412 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5432 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • Files.exe (PID: 6280 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
  • Files.exe (PID: 5980 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
  • Files.exe (PID: 6332 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Virustotal: Detection: 28%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe ReversingLabs: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Joe Sandbox ML: detected
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06C68448
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06C64500
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06C644FB
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06C68446
Source: Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303110487.00000000067F6000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325634684.0000000002A13000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.a-msedge.net
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.232439693.00000000070D3000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305089826.00000000070D2000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303110487.00000000067F6000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Files.exe, 00000015.00000002.322781369.0000000000A9C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.m
Source: Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297284689.0000000002D6E000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325378597.00000000029FC000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329505639.0000000003135000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329441226.0000000003118000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325792650.0000000002AD1000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

.NET source code contains very large array initializations
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: Files.exe.0.dr, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.9a0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.0.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.9a0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 13.2.Files.exe.120000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 13.0.Files.exe.120000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 21.0.Files.exe.3c0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 21.2.Files.exe.3c0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 22.2.Files.exe.c30000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 22.0.Files.exe.c30000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_0133D7F0
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_0133E4D8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C66423
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C66428
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65246
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65248
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00A4D7F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00A4BD18
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 21_2_00BED458
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 21_2_00BED7F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 21_2_00BEE4D8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 22_2_0161D7F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 22_2_0161BD18
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegJXtAEencRYFIZTxBNckJHYqrAmfI.exe4 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305503971.0000000007750000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.295875557.0000000000A6E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBDHL.exeD vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299399775.0000000003D47000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304498768.0000000006C90000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304498768.0000000006C90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303468804.00000000068F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Binary or memory string: OriginalFilenameBDHL.exeD vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: classification engine Classification label: mal92.troj.evad.winEXE@10/5@0/1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4060:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Virustotal: Detection: 28%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: unknown Process created: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6890 push ds; retf 0_2_009A68B5
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6FDE push eax; retf 0_2_009A6FF2
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A70D5 push ecx; retf 0_2_009A70E8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A7EFC push cs; retf 0_2_009A7F0B
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A90FC push ds; retf 0_2_009A910B
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6D33 push ebx; retf 0_2_009A6D46
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6F2F push ebp; retf 0_2_009A6F56
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A7023 push edx; retf 0_2_009A704F
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6E51 push esi; retf 0_2_009A6E64
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6F57 push ebp; retf 0_2_009A6F6A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6E65 push esp; retf 0_2_009A6E75
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65E58 push esp; ret 0_2_06C65E5A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65E00 push esp; ret 0_2_06C65E02
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65FF1 push edi; ret 0_2_06C65FF2
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65FF9 push esi; ret 0_2_06C65FFA
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65C88 push edx; ret 0_2_06C65C8A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65DA9 push ebx; ret 0_2_06C65DAA
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65D7B push ebx; ret 0_2_06C65D82
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65D78 push ebx; ret 0_2_06C65D7A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65D1B push edx; ret 0_2_06C65D22
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65AD9 push ecx; ret 0_2_06C65ADA
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126D33 push ebx; retf 13_2_00126D46
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00127023 push edx; retf 13_2_0012704F
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126F2F push ebp; retf 13_2_00126F56
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126E51 push esi; retf 13_2_00126E64
                    Source: C:\Users\user\AppData\Roaming\Files.exeCode function: 13_2_00126F57 push ebp; retf 13_2_00126F6A
                    Source: C:\Users\user\AppData\Roaming\Files.exeCode function: 13_2_00126E65 push esp; retf 13_2_00126E75
                    Source: C:\Users\user\AppData\Roaming\Files.exeCode function: 13_2_00126890 push ds; retf 13_2_001268B5
                    Source: C:\Users\user\AppData\Roaming\Files.exeCode function: 13_2_001270D5 push ecx; retf 13_2_001270E8
                    Source: C:\Users\user\AppData\Roaming\Files.exeCode function: 13_2_00126FDE push eax; retf 13_2_00126FF2
                    Source: C:\Users\user\AppData\Roaming\Files.exeCode function: 13_2_00127EFC push cs; retf 13_2_00127F0B
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeFile created: C:\Users\user\AppData\Roaming\Files.exeJump to dropped file
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
                    Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Files.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (the CD-ROM device interface name carries the VMware vendor and product strings, so enumerating it is a direct hypervisor check)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Thread delayed: delay time: 922337203685477 (2 events)
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477 (6 events)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Window / User API: threadDelayed 3079
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Window / User API: threadDelayed 6522
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, TID 4580 | Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, TID 5752 | Thread sleep count: 3079 > 30
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, TID 5752 | Thread sleep count: 6522 > 30
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, TID 1832 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, TID 4144 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6176 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6340 | Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6340 | Thread sleep count: 149 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 4720 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 5528 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6488 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6524 | Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6524 | Thread sleep count: 117 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6372 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6328 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6512 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6632 | Thread sleep count: 91 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6632 | Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6364 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe, TID 6452 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp; reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp; Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp; Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp; Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: (the same five memory regions) | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: (the same five memory regions) | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Files.exe, 00000016.00000002.328296751.0000000001364000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303280982.0000000006862000.00000004.00000001.sdmp | Binary or memory string: VMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Source: (the same five memory regions) | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note on the Hyper-V strings: they are Windows error-message text and a Winsock catalog entry referencing mswsock.dll, and they were found in the same kind of memory region in reg.exe, a stock Windows utility, as in the sample and Files.exe. That points to Windows system libraries loaded into every process, not to the sample, as their origin, so on their own they are not evidence of VM detection. The VMware CD-ROM device string, found only in the sample's memory and matching the device path in the "File opened / queried" entry above, is the meaningful indicator.
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Files.exe | Process token adjusted: Debug (3 events)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Memory allocated: page read and write, page guard
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
The chain is sample -> cmd.exe -> reg.exe, writing a Run value named 'Files' that points at the dropped copy in %AppData%. A Run value under HKCU needs no elevation and re-launches Files.exe at every logon of this user, so the value and the file are the two things to remove during cleanup.
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information for each of the following (one query each unless noted):
  C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (3 queries)
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: the same set of nine queries, with C:\Users\user\AppData\Roaming\Files.exe in place of the sample path; this block of queries appears three times for Files.exe.
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
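As an added triage example (not part of the Joe Sandbox report and not code from the sample), the script below reads a handful of constructed event records shaped like the "Process created", "Thread delayed" and "File opened / queried" entries above and maps them to the behaviours this section documents: the REG ADD into HKCU\...\Run (ATT&CK T1547.001), the very long thread delays (T1497.003) and the query of the VMware CD-ROM device name (T1497.001). The record format, the three-minute sleep threshold and the hypervisor marker list are assumptions chosen for the example; the sub-technique IDs are MITRE's, not markers taken from the report.

```python
"""Triage of sandbox behaviour events, modelled on this report's findings.

Added example: not part of the Joe Sandbox report and not code from the
sample. It parses a few CONSTRUCTED event records, shaped like the
"Process created", "Thread delayed" and "File opened / queried" entries
in the report, and flags the three behaviours the report documents:

  * Run-key persistence written through reg.exe       -> ATT&CK T1547.001
  * thread sleeps long enough to outlast a sandbox    -> ATT&CK T1497.003
  * probing of hypervisor-specific device names       -> ATT&CK T1497.001

The record format, the sleep threshold and the marker lists are
assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    process: str   # image that performed the action
    kind: str      # sandbox signature family, e.g. "Thread delayed"
    detail: str    # free-text payload of the entry


@dataclass
class Finding:
    technique: str
    title: str
    process: str
    evidence: str


# Sleeps at or above this many milliseconds are treated as evasion. The
# report's own "long sleeps (>= 3 min)" signature uses three minutes; the
# cut-off here is an assumption for the example.
LONG_SLEEP_MS = 3 * 60 * 1000

# reg.exe writing a value under a Run/RunOnce key, in HKCU or HKLM.
RUN_KEY_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+[\"']?"
    r"HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\b",
    re.IGNORECASE,
)

# Substrings that occur in device interface names only on virtualised
# hosts (assumed list; extend for other hypervisors).
VM_DEVICE_MARKERS = ("vmwar", "vmware", "vbox", "virtualbox", "qemu")

# Records in the form "Source: <image> | <signature>: <detail>".
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*\|\s*(?P<kind>[^:]+):\s*(?P<detail>.*)$"
)


def parse_event(line: str) -> Optional[Event]:
    """Return an Event for a well-formed record, None otherwise."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["proc"], m["kind"].strip(), m["detail"].strip())


def analyse(events: List[Event]) -> List[Finding]:
    """Map events to findings; one finding per matching event."""
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "Process created" and RUN_KEY_RE.search(ev.detail):
            findings.append(Finding("T1547.001", "Run-key persistence via reg.exe",
                                    ev.process, ev.detail))
        elif ev.kind == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", ev.detail)
            if m and int(m.group(1)) >= LONG_SLEEP_MS:
                findings.append(Finding("T1497.003", "Sleep longer than sandbox budget",
                                        ev.process, ev.detail))
        elif ev.kind == "File opened / queried":
            if any(k in ev.detail.lower() for k in VM_DEVICE_MARKERS):
                findings.append(Finding("T1497.001", "Hypervisor device-name probe",
                                        ev.process, ev.detail))
    return findings


def triage(lines: List[str]) -> List[Finding]:
    """Parse raw records (skipping malformed ones) and analyse them."""
    events = [e for e in (parse_event(l) for l in lines) if e is not None]
    return analyse(events)


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per ATT&CK technique ID."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


SAMPLE = r"C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Files.exe"
RUN_CMD = (r"REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "
           r"/f /v 'Files' /t REG_SZ /d '" + DROPPED + "'")

# Constructed records modelled on the entries in the report.
SAMPLE_EVENTS = [
    f"Source: {SAMPLE} | Process created: C:\\Windows\\SysWOW64\\cmd.exe 'cmd.exe' /c {RUN_CMD}",
    f"Source: C:\\Windows\\SysWOW64\\cmd.exe | Process created: C:\\Windows\\SysWOW64\\reg.exe {RUN_CMD}",
    f"Source: {DROPPED} | Thread delayed: delay time: 922337203685477",
    f"Source: {DROPPED} | Thread delayed: delay time: 1500",
    f"Source: {SAMPLE} | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00"
    "#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    f"Source: {DROPPED} | Process information set: NOOPENFILEERRORBOX",
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.technique}  {f.title:<36} {f.process}")
    print(summarise(results))
```

Both the cmd.exe launch and the reg.exe launch produce a T1547.001 finding, which is deliberate: the parent and the child are separate process-creation events and a detection pipeline usually wants both (the parent for the attribution, the child for the registry write). The 1500 ms sleep is kept below the threshold to show that ordinary short delays are not flagged.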

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716, type: MEMORY
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716, type: MEMORY
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques the report marks for this sample, grouped by tactic. The figure after each technique is the report's signature marker, reproduced as extracted; matrix cells that carry no marker were not observed and are omitted.

Persistence: Registry Run Keys / Startup Folder (1)
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1)
Defense Evasion: Masquerading (1); Modify Registry (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Hidden Files and Directories (1); Obfuscated Files or Information (2)
Discovery: Query Registry (1); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no technique marked

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 29% | Virustotal |
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 38% | ReversingLabs | Win32.Trojan.Wacatac
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Files.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Files.exe | 38% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

                    URLs

                    Source | Detection | Scanner | Label | Link
                    http://ns.adobe.c/g%% | 0% | Avira URL Cloud | safe |
                    http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
                    http://ns.adobe.c/g | 0% | URL Reputation | safe |
                    http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
                    https://pki.goog/repository/0 | 0% | URL Reputation | safe |
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
                    http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
                    http://ocsp.m | 0% | Avira URL Cloud | safe |

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://ns.adobe.c/g%% | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305089826.00000000070D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                    http://pki.goog/gsr2/GTS1O1.crt0 | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                    http://ns.adobe.c/g | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.232439693.00000000070D3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                    http://crl.pki.goog/gsr2/gsr2.crl0? | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                    https://pki.goog/repository/0 | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp | false | | high
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                    http://schema.org/WebPage | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297284689.0000000002D6E000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325378597.00000000029FC000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329505639.0000000003135000.00000004.00000001.sdmp | false | | high
                    http://crl.pki.goog/GTS1O1core.crl0 | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                    http://ocsp.m | Files.exe, 00000015.00000002.322781369.0000000000A9C000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                        Contacted IPs


                        Public

                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:31.0.0 Emerald
                        Analysis ID:383976
                        Start date:08.04.2021
                        Start time:13:30:42
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 13s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed:35
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal92.troj.evad.winEXE@10/5@0/1
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 0.7% (good quality ratio 0.2%)
                        • Quality average: 20.1%
                        • Quality standard deviation: 29.5%
                        HCA Information:
                        • Successful, ratio: 81%
                        • Number of executed functions: 100
                        • Number of non-executed functions: 5
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                        • Excluded IPs from analysis (whitelisted)
                        • Excluded domains from analysis (whitelisted)
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        13:31:53 | API Interceptor | 46x Sleep call for process: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe modified
                        13:31:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Files C:\Users\user\AppData\Roaming\Files.exe
                        13:32:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Files C:\Users\user\AppData\Roaming\Files.exe
                        13:32:18 | API Interceptor | 3x Sleep call for process: Files.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                        C:\Users\user\AppData\Local\Temp\InstallUtil.exe | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Get hash | malicious | Browse |
                         | DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | Get hash | malicious | Browse |
                         | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Get hash | malicious | Browse |
                         | DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | Get hash | malicious | Browse |
                         | Sample Qoutation List.exe | Get hash | malicious | Browse |
                         | DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe | Get hash | malicious | Browse |
                         | APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe | Get hash | malicious | Browse |
                         | Thalesnano.exe | Get hash | malicious | Browse |
                         | DHL_SHIPMENT_ADDRESS_CONFIRMATION_00000001.exe | Get hash | malicious | Browse |
                         | RFQ#040820.exe | Get hash | malicious | Browse |
                         | payment swift copy.exe | Get hash | malicious | Browse |
                         | I201002X430 CIF #20210604.exe | Get hash | malicious | Browse |
                         | PO#29710634.exe | Get hash | malicious | Browse |
                         | PO_6620200947535257662_Arabico.PDF.exe | Get hash | malicious | Browse |
                         | payment notification.exe | Get hash | malicious | Browse |
                         | Payment Notification.exe | Get hash | malicious | Browse |
                         | s.exe | Get hash | malicious | Browse |
                         | MV.exe | Get hash | malicious | Browse |
                         | e.exe | Get hash | malicious | Browse |
                         | SL_PO8192.PDF.exe | Get hash | malicious | Browse |

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.log
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):1402
                                                                Entropy (8bit):5.338819835253785
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4Ko84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csX3:MIHK5HKXE1qHbHKoviYHKhQnoPtHoxHH
                                                                MD5:EB9F730FB5388BB883772033EA3CCE59
                                                                SHA1:7DFF24FBD26D0ED7065882AE0A9A52E459D7F2A9
                                                                SHA-256:B7192E58E5E91CF2CA113CA1C9575AADEAD3C417076AB83D8EF0720D5E473887
                                                                SHA-512:1FB4FF9E7E85C4F4B2395B948A4B69180E602259FFC582A067B96420C60BA4B49D091F3D525333E07930AA21A8254AF1C9F90B29CCD31AA97C368CB1CB7EF322
                                                                Malicious:true
                                                                Reputation:low
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Files.exe.log
                                                                Process:C:\Users\user\AppData\Roaming\Files.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1402
                                                                Entropy (8bit):5.338819835253785
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4Ko84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csX3:MIHK5HKXE1qHbHKoviYHKhQnoPtHoxHH
                                                                MD5:EB9F730FB5388BB883772033EA3CCE59
                                                                SHA1:7DFF24FBD26D0ED7065882AE0A9A52E459D7F2A9
                                                                SHA-256:B7192E58E5E91CF2CA113CA1C9575AADEAD3C417076AB83D8EF0720D5E473887
                                                                SHA-512:1FB4FF9E7E85C4F4B2395B948A4B69180E602259FFC582A067B96420C60BA4B49D091F3D525333E07930AA21A8254AF1C9F90B29CCD31AA97C368CB1CB7EF322
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
                                                                C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):41064
                                                                Entropy (8bit):6.164873449128079
                                                                Encrypted:false
                                                                SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious, Browse
                                                                • Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious, Browse
                                                                • Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious, Browse
                                                                • Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious, Browse
                                                                • Filename: Sample Qoutation List.exe, Detection: malicious, Browse
                                                                • Filename: DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe, Detection: malicious, Browse
                                                                • Filename: APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe, Detection: malicious, Browse
                                                                • Filename: Thalesnano.exe, Detection: malicious, Browse
                                                                • Filename: DHL_SHIPMENT_ADDRESS_CONFIRMATION_00000001.exe, Detection: malicious, Browse
                                                                • Filename: RFQ#040820.exe, Detection: malicious, Browse
                                                                • Filename: payment swift copy.exe, Detection: malicious, Browse
                                                                • Filename: I201002X430 CIF #20210604.exe, Detection: malicious, Browse
                                                                • Filename: PO#29710634.exe, Detection: malicious, Browse
                                                                • Filename: PO_6620200947535257662_Arabico.PDF.exe, Detection: malicious, Browse
                                                                • Filename: payment notification.exe, Detection: malicious, Browse
                                                                • Filename: Payment Notification.exe, Detection: malicious, Browse
                                                                • Filename: s.exe, Detection: malicious, Browse
                                                                • Filename: MV.exe, Detection: malicious, Browse
                                                                • Filename: e.exe, Detection: malicious, Browse
                                                                • Filename: SL_PO8192.PDF.exe, Detection: malicious, Browse
                                                                Reputation:moderate, very likely benign file
                                                                C:\Users\user\AppData\Roaming\Files.exe
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):888320
                                                                Entropy (8bit):6.555631827817538
                                                                Encrypted:false
                                                                SSDEEP:12288:Xd+vpIV1Fn6OAVo1TXiJM8R0aJEu0AxTd9lB3pa77FMHK25PPlXU:UC65o1OMCPabAd7pk7F+K25ZU
                                                                MD5:EDAE8C184A250CCCBA45C023E805E12D
                                                                SHA1:6042A0F078FAAD9525F052A561120D1E2551160F
                                                                SHA-256:0A572E4A9F5D166E563F1C63AA7AA029C2C206D23767BD6AB033A95D7D7027CB
                                                                SHA-512:A2880BEF10470D56E87452FD1C6FEB27C4D1DDE1FCAE5F00901254EA99D1A743190AA3E802B1A492F107A54445FE5FC0C98C4B1C2A3123CCF2DCFEAE1FF6ED68
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                Reputation:low
                                                                C:\Users\user\AppData\Roaming\Files.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview: [ZoneTransfer]....ZoneId=0

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.555631827817538
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File size:888320
                                                                MD5:edae8c184a250cccba45c023e805e12d
                                                                SHA1:6042a0f078faad9525f052a561120d1e2551160f
                                                                SHA256:0a572e4a9f5d166e563f1c63aa7aa029c2c206d23767bd6ab033a95d7d7027cb
                                                                SHA512:a2880bef10470d56e87452fd1c6feb27c4d1dde1fcae5f00901254ea99d1a743190aa3e802b1a492f107a54445fe5fc0c98c4b1c2a3123ccf2dcfeae1ff6ed68
                                                                SSDEEP:12288:Xd+vpIV1Fn6OAVo1TXiJM8R0aJEu0AxTd9lB3pa77FMHK25PPlXU:UC65o1OMCPabAd7pk7F+K25ZU
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..S................................. ........@.. ....................................`................................

                                                                File Icon

                                                                Icon Hash:eaee8e96b2a8e0b2

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4ccece
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                Time Stamp:0x531A1D35 [Fri Mar 7 19:25:41 2014 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]

                                                                Data Directories

                                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0xcce78          0x53          .text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xce000          0xd8ca        .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xdc000          0xc           .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                Sections

                                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                .text   0x2000           0xcaed4       0xcb000   False     0.619055235914   data       6.57686671715    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rsrc   0xce000          0xd8ca        0xda00    False     0.0914922591743  data       3.77202593589    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc  0xdc000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                Name           RVA      Size    Type                                                                         Language  Country
                                                                RT_ICON        0xce130  0xd228  data
                                                                RT_GROUP_ICON  0xdb358  0x14    data
                                                                RT_VERSION     0xdb36c  0x374   data
                                                                RT_MANIFEST    0xdb6e0  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                Imports

                                                                DLL          Import
                                                                mscoree.dll  _CorExeMain

                                                                Version Infos

                                                                Description       Data
                                                                Translation       0x0000 0x04b0
                                                                LegalCopyright    Copyright 2004 :=C=G=2A<F?<AHJI:52
                                                                Assembly Version  1.0.0.0
                                                                InternalName      BDHL.exe
                                                                FileVersion       5.7.10.12
                                                                CompanyName       :=C=G=2A<F?<AHJI:52
                                                                Comments          65>=BBIJ@55F:>8G
                                                                ProductName       B422A<96:DJ>@;I;
                                                                ProductVersion    5.7.10.12
                                                                FileDescription   B422A<96:DJ>@;I;
                                                                OriginalFilename  BDHL.exe

                                                                Network Behavior

                                                                Network Port Distribution

                                                                UDP Packets

                                                                Timestamp  Source Port  Dest Port  Source IP  Dest IP

                                                                DNS Answers

                                                                Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                  Address  Type                    Class
                                                                Apr 8, 2021 13:31:58.455288887 CEST  8.8.8.8    192.168.2.3  0x5fcc    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)

                                                                Code Manipulations

                                                                Statistics

                                                                CPU Usage

                                                                Memory Usage

                                                                High Level Behavior Distribution

                                                                Behavior

                                                                System Behavior

                                                                General

                                                                Start time:13:31:32
                                                                Start date:08/04/2021
                                                                Path:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
                                                                Imagebase:0x9a0000
                                                                File size:888320 bytes
                                                                MD5 hash:EDAE8C184A250CCCBA45C023E805E12D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:13:31:52
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                                                                Imagebase:0xbd0000
                                                                File size:232960 bytes
                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:13:31:52
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6b2800000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:13:31:53
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\SysWOW64\reg.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
                                                                Imagebase:0x1b0000
                                                                File size:59392 bytes
                                                                MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:13:32:07
                                                                Start date:08/04/2021
                                                                Path:C:\Users\user\AppData\Roaming\Files.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\Files.exe'
                                                                Imagebase:0x120000
                                                                File size:888320 bytes
                                                                MD5 hash:EDAE8C184A250CCCBA45C023E805E12D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 38%, ReversingLabs
                                                                Reputation:low

                                                                General

                                                                Start time:13:32:13
                                                                Start date:08/04/2021
                                                                Path:C:\Users\user\AppData\Roaming\Files.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\Files.exe'
                                                                Imagebase:0x3c0000
                                                                File size:888320 bytes
                                                                MD5 hash:EDAE8C184A250CCCBA45C023E805E12D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low

                                                                General

                                                                Start time:13:32:15
                                                                Start date:08/04/2021
                                                                Path:C:\Users\user\AppData\Roaming\Files.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\Files.exe'
                                                                Imagebase:0xc30000
                                                                File size:888320 bytes
                                                                MD5 hash:EDAE8C184A250CCCBA45C023E805E12D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low
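
Detection logic for the process chain listed above, as an added example that is not part of the Joe Sandbox report. It parses the reg.exe command line to pull out the Run key, value name and payload path and flags the payload living in a user-writable directory; it flags the dropped Files.exe as a byte-identical copy (same MD5, same 888320-byte size) of the submitted sample running from %AppData%\Roaming; and it flags the repeated self-relaunch of Files.exe. The event list is constructed for the example: command lines, image paths and MD5 hashes are copied from the report, while the PIDs other than the sample's 5716, the parent links and the dict layout are assumptions.

```python
"""Detection logic over the process chain in this report (added example).

The events below are constructed: command lines, image paths and MD5
hashes are those listed in the report; PIDs other than the sample's 5716,
parent links and the event layout are assumptions made for the example.
"""
import re
from typing import Any, Dict, Iterator, List, Optional

Event = Dict[str, Any]

SAMPLE = (r"C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation"
          r"_CBJ190517000131_74700456XXXX.exe")
DROPPED = r"C:\Users\user\AppData\Roaming\Files.exe"
REG_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
           r'/f /v "Files" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Files.exe"')
SAMPLE_MD5 = "EDAE8C184A250CCCBA45C023E805E12D"

EVENTS: List[Event] = [  # constructed, see module docstring
    {"pid": 5716, "ppid": 4000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "md5": SAMPLE_MD5},
    {"pid": 6000, "ppid": 5716, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"cmd.exe" /c {REG_CMD}', "md5": "F3BDBE3BB6F734E357235F4D5898582D"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": REG_CMD, "md5": "CEE2A7E57DF2A159A065A34913A055C2"},
    {"pid": 6100, "ppid": 5716, "image": DROPPED, "cmdline": f'"{DROPPED}"', "md5": SAMPLE_MD5},
    {"pid": 6110, "ppid": 6100, "image": DROPPED, "cmdline": f'"{DROPPED}"', "md5": SAMPLE_MD5},
    {"pid": 6120, "ppid": 6110, "image": DROPPED, "cmdline": f'"{DROPPED}"', "md5": SAMPLE_MD5},
]

# "reg add" into a Run/RunOnce key under any hive; the key may be quoted or bare.
AUTORUN_KEY_RE = re.compile(
    r"""\breg(?:\.exe)?\s+add\s+["']?(?P<key>hk[a-z_]+\\[^"'\s]*?\\(?:runonce|run))\b["']?""",
    re.IGNORECASE)
VALUE_ARG_RE = re.compile(r"""/v\s+["']?(?P<name>[^"'\s]+)""", re.IGNORECASE)
DATA_ARG_RE = re.compile(r"""/d\s+(?:"(?P<q>[^"]*)"|'(?P<s>[^']*)'|(?P<u>\S+))""", re.IGNORECASE)
# Locations a standard user can write to; an autorun payload here is a strong signal.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|\\windows\\temp\\|\\programdata\\",
    re.IGNORECASE)


def detect_autorun_persistence(ev: Event) -> Optional[Dict[str, Any]]:
    """Flag a 'reg add' into a Run/RunOnce key and extract what it installs."""
    cmd = str(ev["cmdline"])
    key = AUTORUN_KEY_RE.search(cmd)
    if not key:
        return None
    name = VALUE_ARG_RE.search(cmd)
    data = DATA_ARG_RE.search(cmd)
    payload = (data.group("q") or data.group("s") or data.group("u") or "") if data else ""
    return {"rule": "autorun_registry_persistence", "pid": ev["pid"], "key": key.group("key"),
            "value": name.group("name") if name else "", "payload": payload,
            "payload_user_writable": bool(USER_WRITABLE_RE.search(payload))}


def _ancestors(ev: Event, by_pid: Dict[int, Event]) -> Iterator[Event]:
    seen = set()
    parent = by_pid.get(ev["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])


def detect_self_copy(events: List[Event]) -> List[Dict[str, Any]]:
    """A binary in a user-writable directory with the same hash as an ancestor
    running from a different path: the drop-and-relaunch seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings, reported = [], set()
    for ev in events:
        image = str(ev["image"])
        if image.lower() in reported or not USER_WRITABLE_RE.search(image):
            continue
        for anc in _ancestors(ev, by_pid):
            if anc["md5"] == ev["md5"] and str(anc["image"]).lower() != image.lower():
                findings.append({"rule": "self_copy_from_user_dir", "pid": ev["pid"],
                                 "image": image, "copied_from": anc["image"], "md5": ev["md5"]})
                reported.add(image.lower())  # report each dropped image once
                break
    return findings


def detect_self_relaunch(events: List[Event]) -> List[Dict[str, Any]]:
    """A process whose parent is the same image (Files.exe starting Files.exe)."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and str(parent["image"]).lower() == str(ev["image"]).lower():
            out.append({"rule": "self_relaunch", "pid": ev["pid"], "ppid": ev["ppid"],
                        "image": ev["image"]})
    return out


def analyze(events: List[Event]) -> List[Dict[str, Any]]:
    findings = [f for f in (detect_autorun_persistence(e) for e in events) if f]
    findings += detect_self_copy(events)
    findings += detect_self_relaunch(events)
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The autorun rule fires twice here, once for the cmd.exe wrapper and once for reg.exe itself; a production rule would typically suppress the wrapper when its child is the matching reg.exe. The MD5 comparison is what ties the Files.exe instances back to the submitted sample: the report lists the same hash and size for both paths.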

                                                                Disassembly

                                                                Code Analysis

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 176356b906307f2ff8848f7612ccfd7ba59e830cb34ac077bf21096a34a0c478
                                                                  • Instruction ID: 5f1f52218edc65f9e84811fcb2e4187391b6baaebd28482d2fae1808bbe5df92
                                                                  • Opcode Fuzzy Hash: 176356b906307f2ff8848f7612ccfd7ba59e830cb34ac077bf21096a34a0c478
                                                                  • Instruction Fuzzy Hash: B2828071A002199FDB15DFA8C884AAEBBB6FFC8318F158469E905DB3A1DB34DC41CB54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: afebecd2ebeed9f8c663805cec67628d14b9af736c8ca1d19c80ed9fe78dea55
                                                                  • Instruction ID: 382a2bc453bc8923a57ea01b9b26dcebb67fe80933b4a23ad7512519d3f97010
                                                                  • Opcode Fuzzy Hash: afebecd2ebeed9f8c663805cec67628d14b9af736c8ca1d19c80ed9fe78dea55
                                                                  • Instruction Fuzzy Hash: 0751E178D04218CFDB18CFA5C594BEDBBB2EF89304F248029E815AB394C7759A86CF54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 18d4827d5fb8e04032587fd6255e065cbf94e8bf9f1e4f6b917509c73b6a00d8
                                                                  • Instruction ID: c2e265808ed429fb441bb761ba715fc2ad6d207d12d46e147f963a4daa24f8b9
                                                                  • Opcode Fuzzy Hash: 18d4827d5fb8e04032587fd6255e065cbf94e8bf9f1e4f6b917509c73b6a00d8
                                                                  • Instruction Fuzzy Hash: 0E513774E01208DFDB44DFAAE494AADFBB5FF89310F149129E415A7390CBB19902CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 58c375908c98fde148a7b047d979e938dd26ec083298d90064c825a5e1726cd8
                                                                  • Instruction ID: 26aecf11036aa8ac96ff82c49d50eafd972faa7cd562455c2960eb98bc4bacdd
                                                                  • Opcode Fuzzy Hash: 58c375908c98fde148a7b047d979e938dd26ec083298d90064c825a5e1726cd8
                                                                  • Instruction Fuzzy Hash: 28513674E01208DFDB44CFA9E494AADBBB1FF89310F149129E419B7390CBB19A02CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 74fcf00e72a07d75753a90d14f9bcd1b12ffb0aba0933c2f4141be9b4e087657
                                                                  • Instruction ID: 61890c05b1e7408ceb918c577effc9fda5f4f8c52f67f68d7a05c2431dbf0d30
                                                                  • Opcode Fuzzy Hash: 74fcf00e72a07d75753a90d14f9bcd1b12ffb0aba0933c2f4141be9b4e087657
                                                                  • Instruction Fuzzy Hash: 7E412278D04218DFDB08CFA5D594BEDBBB2EF48304F24902AE804AB394C7759A46CF54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 06C67019
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CopyFile
                                                                  • String ID:
                                                                  • API String ID: 1304948518-0
                                                                  • Opcode ID: 981657baccf1b6ca458e6944c5e37c4bdb92daaefea9583f810b0559e2600d99
                                                                  • Instruction ID: 500b40bb3688551cbd5760dbe98613439721cda8e2398efd1e95b73b4273ef7a
                                                                  • Opcode Fuzzy Hash: 981657baccf1b6ca458e6944c5e37c4bdb92daaefea9583f810b0559e2600d99
                                                                  • Instruction Fuzzy Hash: 53C1E074E00218CFDB64CFAAC981B9EBBB1BF49304F1485A9E409A7351D734AA85CF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 06C67019
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CopyFile
                                                                  • String ID:
                                                                  • API String ID: 1304948518-0
                                                                  • Opcode ID: b35714f9d5669e1c1e7dfe1fa0d83ac7d8318b17367bb49049e35f060ba7d142
                                                                  • Instruction ID: 90db080ff34d0e3c1f4f2df8b052397820f6c094071ed36f49ad39a35efb3319
                                                                  • Opcode Fuzzy Hash: b35714f9d5669e1c1e7dfe1fa0d83ac7d8318b17367bb49049e35f060ba7d142
                                                                  • Instruction Fuzzy Hash: A4B1F174E04218CFDB24CFAAC981B9EBBB1BF49304F1485A9E409B7351D734AA85CF55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 06C67019
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CopyFile
                                                                  • String ID:
                                                                  • API String ID: 1304948518-0
                                                                  • Opcode ID: fd9b8b20f7882e0f049bc92b5e9cf22a2aa0bb4502910e619c645ee0c6b02c93
                                                                  • Instruction ID: 86f8075424bd355e2f10e1f511b227fa3f38f6faba423e9a8de5d331b0ebf851
                                                                  • Opcode Fuzzy Hash: fd9b8b20f7882e0f049bc92b5e9cf22a2aa0bb4502910e619c645ee0c6b02c93
                                                                  • Instruction Fuzzy Hash: D351CF74D04218CFDB10CFA9C984BEEBBB1AF09308F109569E804BB250D7759985CF69
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d854bfe505fbc44e5ceacbee993622967ae4f4b431b5e03b882e2b2009ead8b5
                                                                  • Instruction ID: 36e527aae70a5847db0e9ae3ff52d077ff3bb5e08a83e8ca3586b8412bae3964
                                                                  • Opcode Fuzzy Hash: d854bfe505fbc44e5ceacbee993622967ae4f4b431b5e03b882e2b2009ead8b5
                                                                  • Instruction Fuzzy Hash: 46F1D1307002049FCB15ABA8D859B7E7BA6EFC8349F588429EA0ADB385DF74DC05C795
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a8ec144fa4defd682f5533550dde13cd9eb65e209d130bc91f1ce0774eafd419
                                                                  • Instruction ID: 6d4f2b0748ea5ec978067af69f0db26e553f05b051d34653b282550b15a8f51b
                                                                  • Opcode Fuzzy Hash: a8ec144fa4defd682f5533550dde13cd9eb65e209d130bc91f1ce0774eafd419
                                                                  • Instruction Fuzzy Hash: 7F81C230A00105CFDB14CFEDC884AA9BBB6FFC9218B958165D519DB7A1DB31EC41CB95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 701717965e1fbb5d276a773643332391cfd2ba5057f31ee8d3ddab61f554246b
                                                                  • Instruction ID: 2a1bd86c9a0256b58dcd811b83866b887c4e520aa2416edc5a137ee250b4508b
                                                                  • Opcode Fuzzy Hash: 701717965e1fbb5d276a773643332391cfd2ba5057f31ee8d3ddab61f554246b
                                                                  • Instruction Fuzzy Hash: A0812830B082089BD704DBBCD852B6EB7B6AFC5318F148425E606DFB88DB31DC418B96
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3bc351329b6417ea64aceb414ebf0f0f607fdcf1969a42a91f7bfaa5e48193c5
                                                                  • Instruction ID: 8e7149bde8f11e99fdf7939312d5ccbc432e619709f5077e17007d80a6388425
                                                                  • Opcode Fuzzy Hash: 3bc351329b6417ea64aceb414ebf0f0f607fdcf1969a42a91f7bfaa5e48193c5
                                                                  • Instruction Fuzzy Hash: 4A31CF31B002449FCB159BA8EC557AE7BBAEFC9214F144469EA06EB3D1CF349C01CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b496c9074c5f607b2ff554c5a534a5dd2052571c3e21eb057130db8033ba5b6b
                                                                  • Instruction ID: 8a075174c80bc735d5da80dccd6d1640b9a96d1f2ecc542ac4eccf73fce87077
                                                                  • Opcode Fuzzy Hash: b496c9074c5f607b2ff554c5a534a5dd2052571c3e21eb057130db8033ba5b6b
                                                                  • Instruction Fuzzy Hash: 2A31A1316002099FCB05AF68E85867E7BA6FF88315F085429FA06AB391CF75DD11EB94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cd495bce05e04589895fe74d2ca5c9b279f0c0c6c0b225d2cc1c3314d1f26ed3
                                                                  • Instruction ID: 8a42ce1fe750c8dbe2a53eae9b345bf105bc5fee6207ebed33336b887bade038
                                                                  • Opcode Fuzzy Hash: cd495bce05e04589895fe74d2ca5c9b279f0c0c6c0b225d2cc1c3314d1f26ed3
                                                                  • Instruction Fuzzy Hash: A821F032E08119CBD7289AAC982066BB7BDEFC8318F944627F802D7744C2309D418B9B
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6444ea29d85bfc7aae711c9b8a6e66001127b0277034cb66d35cc1b05dec132
                                                                  • Instruction ID: 269081599faad458d9fbea04c531ccd7eb19e3b949a55d3d00e7e6634cdf20fb
                                                                  • Opcode Fuzzy Hash: c6444ea29d85bfc7aae711c9b8a6e66001127b0277034cb66d35cc1b05dec132
                                                                  • Instruction Fuzzy Hash: 0E21D572A04199C7DB008E5DDC00BEAB6AEFBC5318F049523F916E7680C679D9509795
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 798c108a0f24d9c8ff86e1ddc17200967385956aa6c236c2fa0023d4dd84dcae
                                                                  • Instruction ID: 38d08f0cc2d0797ce413964c89bd1b60806ac914d99668f6466c6ca619dea83a
                                                                  • Opcode Fuzzy Hash: 798c108a0f24d9c8ff86e1ddc17200967385956aa6c236c2fa0023d4dd84dcae
                                                                  • Instruction Fuzzy Hash: 0C21C031628258CFC300DEACC8A97AAB7BEEB8531DF14457BE506CF641D2B49D05C766
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304186741.0000000006B80000.00000040.00000001.sdmp, Offset: 06B80000, based on PE: false
                                                                  Similarity
                                                                  • Instruction Fuzzy Hash: F0D0C970816208DBC759EBE4E5157A9776AEB0224AF5011E9D40817250DF725986CA91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 161bef9166dd112bde55a5157df86637e720695878dbfbe8db04cb50cd77e737
                                                                  • Instruction ID: d4d25a5a629bdac03b3f00725cf85aea09af7edb1c68c7b2568856a93aa6de5f
                                                                  • Opcode Fuzzy Hash: 161bef9166dd112bde55a5157df86637e720695878dbfbe8db04cb50cd77e737
                                                                  • Instruction Fuzzy Hash: E2C0123516824547C180FF74FF46415335AEA812157C89C6095184A65DDF74A90597A6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4b47b6fc5bf751f2dfeb3c194f3bd161a38e3c342e9936773f4ff12760f1031
                                                                  • Instruction ID: 98dfb357831b1c468b87da99a87747db00f6bf419a73d5e3fac9e173a627e82a
                                                                  • Opcode Fuzzy Hash: b4b47b6fc5bf751f2dfeb3c194f3bd161a38e3c342e9936773f4ff12760f1031
                                                                  • Instruction Fuzzy Hash: C2B092A296A6850FCE02A2A0585E0042FB05E5220130900CAD4418A292E4A510088712
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.297037128.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d406a9e9fc76b3ec8abfa1eddee6f88f02d508e9ad5965ca4fe65c5886f0cfed
                                                                  • Instruction ID: 52cc9d7dc4079692620adc7209acc297b05c2b704be3d1102f1b3d93c85ea04c
                                                                  • Opcode Fuzzy Hash: d406a9e9fc76b3ec8abfa1eddee6f88f02d508e9ad5965ca4fe65c5886f0cfed
                                                                  • Instruction Fuzzy Hash: 15926B30A00209DFDB15CF68D984AAEBBF6BF88318F158669E905DB3A1D730EC41CB55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a553a60f3895f82d3a0fda3f194e2599dd22cb51a2f79b77b67fcc8ef25ca6af
                                                                  • Instruction ID: 3944649c90197184f379da16817b2af6c564a92a01a5d2abe1dc53e41d8714aa
                                                                  • Opcode Fuzzy Hash: a553a60f3895f82d3a0fda3f194e2599dd22cb51a2f79b77b67fcc8ef25ca6af
                                                                  • Instruction Fuzzy Hash: A8218571E016188BEB58CF6BD94569EFAF7BFC9300F24C17A9818AB255EB7149428F40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4b0e12d08f8cd4beb7cbbcae0bb178990f39a9f14eaff9ed120a7204dccbf95a
                                                                  • Instruction ID: 25dbe0d8009c09fcb828528684216c221175338ed660df49a89a0ff81e00e396
                                                                  • Opcode Fuzzy Hash: 4b0e12d08f8cd4beb7cbbcae0bb178990f39a9f14eaff9ed120a7204dccbf95a
                                                                  • Instruction Fuzzy Hash: 70218971D016188BEB58CF6BD94579DFAF3BFC8300F14C17A9418A7255EB7045428F40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 68227e3306350b9871e16942bc98a90851188eff0609a855b1eca4ae0ce06e44
                                                                  • Instruction ID: 3ea517e5f069f48efb14701f1ec00def2457aa4b87b724585ddb4c7460adc407
                                                                  • Opcode Fuzzy Hash: 68227e3306350b9871e16942bc98a90851188eff0609a855b1eca4ae0ce06e44
                                                                  • Instruction Fuzzy Hash: 4F21C8B1E046188BEB58CF6BC95079AFAF3AFC9310F14C1AAD50CA6254DB714A868F45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.304422980.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f2bab9af6cc0c6490a5d871913515701bd66a9db3b9c6224ca41dd478faff5f7
                                                                  • Instruction ID: 9a9e9f920d49717a9816eda02a111516a331ecd585fc06345f8d436c86eaff5f
                                                                  • Opcode Fuzzy Hash: f2bab9af6cc0c6490a5d871913515701bd66a9db3b9c6224ca41dd478faff5f7
                                                                  • Instruction Fuzzy Hash: C321E871E046188BEB58CF6BC85079AFAF3AFC9310F14C0AAD40CA6254DB711A868F45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2c32fb504b6a8a7e4d0ea3202877c56ec61178c772344d9a0908b182f03bc59
                                                                  • Instruction ID: 44b2d2e2f7e3c6d360fd4cee3555800049c6813f1011f1cf023c4161ed62a3c6
                                                                  • Opcode Fuzzy Hash: c2c32fb504b6a8a7e4d0ea3202877c56ec61178c772344d9a0908b182f03bc59
                                                                  • Instruction Fuzzy Hash: C1827F74A002199FCB15DFA8C884AAEBBB6FFC9304F158469E405DB361DB74EC45CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f71cc077f52917854cd152319076b2e0805372dcdb05db144a0dc45d8107dd71
                                                                  • Instruction ID: 88e34576d922f03697206b3065593b75dd4a37af9315e061f3f6ded009197c0b
                                                                  • Opcode Fuzzy Hash: f71cc077f52917854cd152319076b2e0805372dcdb05db144a0dc45d8107dd71
                                                                  • Instruction Fuzzy Hash: ACC13538B19244DFD714DB78CC12BAA77B2AFC9310F248466E506DB391CB35DC468BA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0zr
                                                                  • API String ID: 0-2968632814
                                                                  • Opcode ID: e19c7c3fc191e5d3377fdd6bd50c0a3dca21d715ffac1956b894e72c1795b231
                                                                  • Instruction ID: 4316b438d7b78baf0e519ba7de24e65f41bbb282c363ed2b86f2fe447de31c5b
                                                                  • Opcode Fuzzy Hash: e19c7c3fc191e5d3377fdd6bd50c0a3dca21d715ffac1956b894e72c1795b231
                                                                  • Instruction Fuzzy Hash: 25F1CC38B002159FCB19AB68D854B7E77A7EBC8315F148429E90ADB385DF74DC42CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <Gn
                                                                  • API String ID: 0-3338817659
                                                                  • Opcode ID: a2f4f752207433bec97f37dd6ce560e3d19836c877f5e0ac9b94c202111931a1
                                                                  • Instruction ID: bb89bada86a7b01d32ba841034b0f0eaf54ad08445b35dad0a6fb07828314e48
                                                                  • Opcode Fuzzy Hash: a2f4f752207433bec97f37dd6ce560e3d19836c877f5e0ac9b94c202111931a1
                                                                  • Instruction Fuzzy Hash: F0010C74D0520DEFCB40EFE8C4419AEBBF2EB84304F1185AAC115AB764EB305E059B81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 38a37460d631910a3d87db3321adfe04ef3a23d22e31de7422791ee030fa0a61
                                                                  • Instruction ID: a5ea4b98873f7d3dc16cb6d55217c742979b8b596b426268e539cc0f806fcacd
                                                                  • Opcode Fuzzy Hash: 38a37460d631910a3d87db3321adfe04ef3a23d22e31de7422791ee030fa0a61
                                                                  • Instruction Fuzzy Hash: 0C412139B44240DFC700EBB8D885A7EB7B6EBD4300F22452AD516DB396DA34EC45CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e22c67985f9c61861c74c603dc2fd3e7f58fe6b0f32ee0a2b69fbaa15af32389
                                                                  • Instruction ID: db524710d838c2cd32c2024c8ada9d34da2e711361c91741e546bc411610b883
                                                                  • Opcode Fuzzy Hash: e22c67985f9c61861c74c603dc2fd3e7f58fe6b0f32ee0a2b69fbaa15af32389
                                                                  • Instruction Fuzzy Hash: 6E21363DA481958BC7108BAD888426BF7B6BBE2310F174676D529D7381E634DD80C7A3
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e428d86b8131a2e9486c77d85578a191ae0fcd16c5cbf37402194dee032b6644
                                                                  • Instruction ID: 96633150d20bd905f5e3fd38882ac10f676d4634e003761581a123a0dd6ac58a
                                                                  • Opcode Fuzzy Hash: e428d86b8131a2e9486c77d85578a191ae0fcd16c5cbf37402194dee032b6644
                                                                  • Instruction Fuzzy Hash: 8711B278E04201DBD7089FA8D8197A9B775FB8A305F144576E00BCB281CBB49D959B83
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 016967d047aa2f899007115c5e1e0a972252ecb918d10b5777e870a066b0a4a2
                                                                  • Instruction ID: 681bb28dd794c1b99a3443d5cb7c4f0a15b4a43acf9e6ff4757b62098ae13cd4
                                                                  • Opcode Fuzzy Hash: 016967d047aa2f899007115c5e1e0a972252ecb918d10b5777e870a066b0a4a2
                                                                  • Instruction Fuzzy Hash: 8C01D8BA748135D7C7008AAA88026BFF7BAEBE6314F204937E436C7640D734895593A3
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f9efe35ec931a62e5ca0c99fcf45dfa53914318811078e899ff9739f4c8ed368
                                                                  • Instruction ID: e031963f14dc3ec81c01b8016155948b67a19dbc5a6713e134f82dc8bfdf200e
                                                                  • Opcode Fuzzy Hash: f9efe35ec931a62e5ca0c99fcf45dfa53914318811078e899ff9739f4c8ed368
                                                                  • Instruction Fuzzy Hash: C111E538D14151DBCB589F68D8583E9BB70FB8A305F184676D44ACB241C7749D46DBC2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 326462366da1e7dae31b20cb65b73c2665d91e0e9cbb4a87b3340613cdd76776
                                                                  • Instruction ID: 880f72bc057f4d73c373a13c91198ea413d6ba28cfa6d8115b3e76397b8f0bb6
                                                                  • Opcode Fuzzy Hash: 326462366da1e7dae31b20cb65b73c2665d91e0e9cbb4a87b3340613cdd76776
                                                                  • Instruction Fuzzy Hash: 200128B5F00228DFEB149F99D6462EB7BB8FB81B50F104026E906DB280C7B49D10CBC2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d92bdf645914e4c804ec61ee19d7f8c56bd7f332b425451f78fe39a67b7a61bf
                                                                  • Instruction ID: 0c37e19177e7522f2f0f5fb62478a50fda5c2d62fcb124977f1d3978eff20a6b
                                                                  • Opcode Fuzzy Hash: d92bdf645914e4c804ec61ee19d7f8c56bd7f332b425451f78fe39a67b7a61bf
                                                                  • Instruction Fuzzy Hash: 11F0BBB6C0D1949FCB02CBA8C85546EBFB0EE82304B0545CBD4468F671E7314A05D741
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e3de228f80f939fea36dbbcb976964a88e107da5744e45d5aa02902a6d4e2b1f
                                                                  • Instruction ID: 52e2ac8fbc01183b4c7914644b337c81bd144122cb599b39aa62a4bd84771024
                                                                  • Opcode Fuzzy Hash: e3de228f80f939fea36dbbcb976964a88e107da5744e45d5aa02902a6d4e2b1f
                                                                  • Instruction Fuzzy Hash: BEC012301683054BC180BB74FE41815335BDA82208781886291084E72DDF749D0A579F
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.306283030.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 11fc9c34a56e668a3ca5547b61c122bf6445d7fa0e9e2c77ff8c31ab10be0a20
                                                                  • Instruction ID: 67c3a852f7eda88a888987412edcea0ae55e83509ccc66932f16167a5140c4d0
                                                                  • Opcode Fuzzy Hash: 11fc9c34a56e668a3ca5547b61c122bf6445d7fa0e9e2c77ff8c31ab10be0a20
                                                                  • Instruction Fuzzy Hash: 95B0124854F7D00FCB4342340C7C0B07F24EE0320839E21DF86C08F0A3C2480046A723
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1eafaec29cd71eae3959d33feedc4c880f2e8932b6950514aed7de082edb6615
                                                                  • Instruction ID: 176f4791072426d86a143b2294a6a00a644c91495c04dbadbf410f731736fe40
                                                                  • Opcode Fuzzy Hash: 1eafaec29cd71eae3959d33feedc4c880f2e8932b6950514aed7de082edb6615
                                                                  • Instruction Fuzzy Hash: 9E829170A002498FCB15DFAAC884AAEBBF6FF88305F1485A9E515DB361DB74DD41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 811efecc7995bc67452017ea24501d054e447567f83ad4f74696d4e615f71e2f
                                                                  • Instruction ID: 1a8f4a41e44bd2e725ccb0ca5330650d56c35cb601ccd026b50472fa1d87d38b
                                                                  • Opcode Fuzzy Hash: 811efecc7995bc67452017ea24501d054e447567f83ad4f74696d4e615f71e2f
                                                                  • Instruction Fuzzy Hash: F5819F74B00145CFCB14DFAAC484AAAB7F2FF89315B2581A9D40ADB365DBB1EC41CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: edcd685105fa13141a5ca1914db153c53e01bb100890dd0e0d050f178377bdac
                                                                  • Instruction ID: 20db122148f028f33b08b21eea9e4c7f3b3d31a0ac344c7b4ae751a6d0b82462
                                                                  • Opcode Fuzzy Hash: edcd685105fa13141a5ca1914db153c53e01bb100890dd0e0d050f178377bdac
                                                                  • Instruction Fuzzy Hash: 8DF1D1307042549FCB19AB65C858B7E77E6EF88702F1484A9E90ADB385DF74DC42C791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d0dac6e8028c27ebda59352fca370b43f8fa9eb7ff84c6acb46dc3ba33357d51
                                                                  • Instruction ID: 816f58d638c7b30489305bfb06cbe77d37ca6f47a5aebd35c7f753a472a426d0
                                                                  • Opcode Fuzzy Hash: d0dac6e8028c27ebda59352fca370b43f8fa9eb7ff84c6acb46dc3ba33357d51
                                                                  • Instruction Fuzzy Hash: 12E11872E0055A8FCB04DFA9C5889ADBBF2FF88311B1685A9E915AB371C734EC41CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: decfbe4ba180002bce927f4010b160a13f2ad00834744ff0f128642411bc9d5e
                                                                  • Instruction ID: 6be2b64059b4cc2baa0bde212027795222520a972cbd2883106116f88fcef5fb
                                                                  • Opcode Fuzzy Hash: decfbe4ba180002bce927f4010b160a13f2ad00834744ff0f128642411bc9d5e
                                                                  • Instruction Fuzzy Hash: BD811530F08284DBD7149B69D856BAE77F2AF89314F2588A5E602EB785DB30DC418B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dce16acdd542658589d1f09582e868f679649154a0706f051eaeabf7ac94c7c6
                                                                  • Instruction ID: 99e374025f91f5de98e42862b67ce088ef0abc8735be6a1f5266cbe556ecc17e
                                                                  • Opcode Fuzzy Hash: dce16acdd542658589d1f09582e868f679649154a0706f051eaeabf7ac94c7c6
                                                                  • Instruction Fuzzy Hash: 3D412634B082849FC700EB79D88967EB7FAEB80301F12466AD555DB395DB70EC40CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cef1fabf6435dade64bcead6347fcbb93e9f2a90345ae4137fb68af2194b702e
                                                                  • Instruction ID: 50e9dc006fee862d4bcf732f0bae64702a2b9141dce5dfe814bd414d5e7da194
                                                                  • Opcode Fuzzy Hash: cef1fabf6435dade64bcead6347fcbb93e9f2a90345ae4137fb68af2194b702e
                                                                  • Instruction Fuzzy Hash: 8531D0317042089FCB19AB69C8587AE7BF6EF88711F1444A9E506EB795CF349C01CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bb28657dfbdee79bea1219f5608e680c95cd23aee7cef9842603971079908934
                                                                  • Instruction ID: f3ecb46546407feba16554b8eb745676a6fefb7aaf632985eebdd7cd9ccaa176
                                                                  • Opcode Fuzzy Hash: bb28657dfbdee79bea1219f5608e680c95cd23aee7cef9842603971079908934
                                                                  • Instruction Fuzzy Hash: 3931AF30600249DFDB06AF69D858A6F3BE2FF88706F008058F9058B355DB34DD12DB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3f1727c216dae851d5338d915bd474a1093ace5d0e4b24d009d1edfb676c1b7
                                                                  • Instruction ID: eab13f125182b2046f68f3f12b5943e0f1700cb9aa2d5d43c7d2bc88b8f3b0eb
                                                                  • Opcode Fuzzy Hash: c3f1727c216dae851d5338d915bd474a1093ace5d0e4b24d009d1edfb676c1b7
                                                                  • Instruction Fuzzy Hash: 5421D232604189C7DB018E5EDC40BAA7EE6FB84310F208663F816D3282C739D9529792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be2a303fcb8342c307d12ae34c0fbaceb122e88415203a544cfd1153c04f9872
                                                                  • Instruction ID: 5c5f7ce53317991da96e5d634551143d6d1ba3f6d9aa209003fac226aa2c88e1
                                                                  • Opcode Fuzzy Hash: be2a303fcb8342c307d12ae34c0fbaceb122e88415203a544cfd1153c04f9872
                                                                  • Instruction Fuzzy Hash: 552181316182A88FC304DAAECCD066AB7F5EB45719F2486BBE505CB241D3349D4DC752
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4768e2fea3d3ec5ea3f27c3f39bcfd8100ecc746196b02d262cb163914bba1e
                                                                  • Instruction ID: 40af1c23ab4c69edb5942a94bd9715b29556e46eeecdd747cc4f9f5211723b52
                                                                  • Opcode Fuzzy Hash: b4768e2fea3d3ec5ea3f27c3f39bcfd8100ecc746196b02d262cb163914bba1e
                                                                  • Instruction Fuzzy Hash: 5C210535A081D58FC700DEAE8884266FBFDAF92310F1547A6D129D7291D724FC8087A3
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 61b9ae18b60be4d78b5acf915d1ddf58df05d16dfcae8080d79f166348134a40
                                                                  • Instruction ID: 833a952c705029ac03b8dcb28537b0a9d5f25580027de170ba5be0fef4413755
                                                                  • Opcode Fuzzy Hash: 61b9ae18b60be4d78b5acf915d1ddf58df05d16dfcae8080d79f166348134a40
                                                                  • Instruction Fuzzy Hash: 7711EF70A08241CBE7049BADD8583BDB7F1FB14341F1486BAE10ACB281CB74CC818B86
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a1c5ca939f81d97a5f1c41453861e1b1315fd0edcdd0fdbc9bb318b92cf05438
                                                                  • Instruction ID: 34879f1e4c467d3db942b2c4d393375320ebd1abd314230632861be23eab2bb1
                                                                  • Opcode Fuzzy Hash: a1c5ca939f81d97a5f1c41453861e1b1315fd0edcdd0fdbc9bb318b92cf05438
                                                                  • Instruction Fuzzy Hash: 0801B1353062184FDB28ABBA995196F32EAEFC66587100479EA05CF795EFB1CC0187E0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c68686a1a3f1fc1e957ce258d84acb3218701d614d37aaa32beeb2fa229c8580
                                                                  • Instruction ID: f3082165f4e790b22f7cb27c430e7e2f0b88aad1e6cd92b48c59901bcc7d827b
                                                                  • Opcode Fuzzy Hash: c68686a1a3f1fc1e957ce258d84acb3218701d614d37aaa32beeb2fa229c8580
                                                                  • Instruction Fuzzy Hash: 2E019231B081D987C740AB9FC8D07AAB6E5EB44314F7085B7AA56C7380C7248A8CA792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.330959596.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5530cfd9e529369979ab359ca48050687b6cd9005ee2ed7714e9768b3ccc2cf0
                                                                  • Instruction ID: 21a80b8b4d3e1413ae55d94e05979175fb949283111fccc8174c67faa9516379
                                                                  • Opcode Fuzzy Hash: 5530cfd9e529369979ab359ca48050687b6cd9005ee2ed7714e9768b3ccc2cf0
                                                                  • Instruction Fuzzy Hash: 0611872184E3D89FC7138B789C691A97FB09F03114B1A02DBD4C0CF2E3D26A4A4AD772
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7b05c133266fb41615c30aea52eadff5c1b4dd4d3cbc06ce4fc6be8139a8f50
                                                                  • Instruction ID: bed18cf573a173660ed9db2936aa6479d91ea70a17a1c0f18fb74bcfb493016f
                                                                  • Opcode Fuzzy Hash: a7b05c133266fb41615c30aea52eadff5c1b4dd4d3cbc06ce4fc6be8139a8f50
                                                                  • Instruction Fuzzy Hash: 3801D432A081D597C7008BAB88806BFF6EEEBC4314F308977E416D7680D738E95093A3
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2bd7c510c918af75840b77daad54e0a826b7134faae4d245eded3c59db20d328
                                                                  • Instruction ID: e3dff3c5c55fefe1e70c4e411e94465e7f8edaf83bbb462791d4c923edd622f8
                                                                  • Opcode Fuzzy Hash: 2bd7c510c918af75840b77daad54e0a826b7134faae4d245eded3c59db20d328
                                                                  • Instruction Fuzzy Hash: 34110E30A081A2CBCB159F6DD8583BEBBF0FB14340F0842BAD00ACB282D774C9468BC5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: decccc1cadcb0e0312d21e8eb72034592cf905e0637923511195f9973173a5bf
                                                                  • Instruction ID: 24fca4d0769cca048871c863907ee3abc79b99580035c3815531c05854b9ca99
                                                                  • Opcode Fuzzy Hash: decccc1cadcb0e0312d21e8eb72034592cf905e0637923511195f9973173a5bf
                                                                  • Instruction Fuzzy Hash: F7115E70E481099FCB41EFE8C9519EE7BF5EF85304F0185AAC5159B665EB305E09DB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.322954766.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2c1bd098429b78aa2ab1385ea9435431a43873d543e42614d738891fbf4f9273
                                                                  • Instruction ID: f9d240ed48c12dc6c23cafe86c79ee774db1510f3e7e4d9b79d2d0f9a6549278
                                                                  • Opcode Fuzzy Hash: 2c1bd098429b78aa2ab1385ea9435431a43873d543e42614d738891fbf4f9273
                                                                  • Instruction Fuzzy Hash: 4D01F771408340AAD7106A15CCC4B66BBDCEF41374F18849BE9045B2E2D775D844C7B1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d5e69905a52c495e3802bbeb779df0445fe408eb0c4b5d2e2d4de386d8c66a15
                                                                  • Instruction ID: 6559e5be968fa7d7da55825ac1810ed370b8cf6c7befd5da9378eee7a0e72f83
                                                                  • Opcode Fuzzy Hash: d5e69905a52c495e3802bbeb779df0445fe408eb0c4b5d2e2d4de386d8c66a15
                                                                  • Instruction Fuzzy Hash: 5D01CD71F00268DBDB146F96D5066EB77F9EB01B11F2140A6E506DB384D7B48D04C7D1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 204cbbfaee52c4bf2b9b4c6f4d9c33b3597901a5ce6b6f3e8ea2e61dac575311
                                                                  • Instruction ID: 2022991f05e2e3a86c253f498736b769777b844ce1923aa019fd80f56ae15862
                                                                  • Opcode Fuzzy Hash: 204cbbfaee52c4bf2b9b4c6f4d9c33b3597901a5ce6b6f3e8ea2e61dac575311
                                                                  • Instruction Fuzzy Hash: 34011E71D0920DAFCB40EFE8D4519EEBBF1EB84304F1185A5C115AB664EB305E059B81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.322954766.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 148beae833568bc9eb04fb31e0c56493862288e4891a07970927b2d7af47a06e
                                                                  • Instruction ID: dcd029b41c03c9474fb3c0ffd540cff7da9649b79f4c020b3973422e925f900a
                                                                  • Opcode Fuzzy Hash: 148beae833568bc9eb04fb31e0c56493862288e4891a07970927b2d7af47a06e
                                                                  • Instruction Fuzzy Hash: C8F06271404284AAE7209A15DC84B62FBE8EB41774F18C49BED085B296C3799844CBB1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9ce89df9e8432975476e15ae6f0e7608c4db071a2cfcef22d2fef7dedd737c8f
                                                                  • Instruction ID: dcbc86083db8455946e2db0b172dc37b1d77f1c090ba5c1e692543834078e590
                                                                  • Opcode Fuzzy Hash: 9ce89df9e8432975476e15ae6f0e7608c4db071a2cfcef22d2fef7dedd737c8f
                                                                  • Instruction Fuzzy Hash: BEF0B4B280D2D49FCB02DFA8C8A94AEBFF0EE42704B0545CBD4458F572F7215A04DB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.330959596.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e67a41f2d4c0e1cb1d80e9d320bec9d6f495293fed78e7ad107da992d0288554
                                                                  • Instruction ID: 7087b74a6716eeec0ba0bf0d6407e4c3a57be8a147296a34a405de3e8a9bf124
                                                                  • Opcode Fuzzy Hash: e67a41f2d4c0e1cb1d80e9d320bec9d6f495293fed78e7ad107da992d0288554
                                                                  • Instruction Fuzzy Hash: 2FE0EC30D1525CEFCB55EFB8945439DBBB5AB0420AF6001A9880892380E7319A85CB41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000015.00000002.323243582.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328791989.00000000015BD000.00000040.00000001.sdmp, Offset: 015BD000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328791989.00000000015BD000.00000040.00000001.sdmp, Offset: 015BD000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Memory Dump Source
                                                                  • Source File: 00000016.00000002.328897998.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

                                                                  Non-executed Functions