Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL_734825514200.exe

Overview

General Information

Sample name:DHL_734825514200.exe
Analysis ID:1436300
MD5:209a4f5760d18041ad0d41d5dde74cd0
SHA1:a45548c688febe40a1608c2b1f6193e612a5ee0d
SHA256:37ac69abe12f3ec977df53efd9e10a1c2f40eba5fab217cbce4e0fb5452c669f
Tags:AgentTeslaDHLexe
Infos:

Detection

AgentTesla, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • DHL_734825514200.exe (PID: 5244 cmdline: "C:\Users\user\Desktop\DHL_734825514200.exe" MD5: 209A4F5760D18041AD0D41D5DDE74CD0)
    • powershell.exe (PID: 2004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7308 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • DHL_734825514200.exe (PID: 5720 cmdline: "C:\Users\user\Desktop\DHL_734825514200.exe" MD5: 209A4F5760D18041AD0D41D5DDE74CD0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.saludsanjuan.cl", "Username": "sjcdireccion@saludsanjuan.cl", "Password": "*Direcdesam&"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000002.2888297770.0000000002E3E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000000.00000002.1676794817.0000000004BF0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              Click to see the 13 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.DHL_734825514200.exe.2537450.5.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                0.2.DHL_734825514200.exe.4bf0000.10.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                  0.2.DHL_734825514200.exe.4bf0000.10.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                    0.2.DHL_734825514200.exe.25267d8.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                      0.2.DHL_734825514200.exe.2537450.5.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                        Click to see the 22 entries

                        Sigma Signatures

                        System Summary

                        barindex
                        Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_734825514200.exe", ParentImage: C:\Users\user\Desktop\DHL_734825514200.exe, ParentProcessId: 5244, ParentProcessName: DHL_734825514200.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", ProcessId: 2004, ProcessName: powershell.exe
                        Sigma detected: Powershell Defender Exclusion
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_734825514200.exe", ParentImage: C:\Users\user\Desktop\DHL_734825514200.exe, ParentProcessId: 5244, ParentProcessName: DHL_734825514200.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", ProcessId: 2004, ProcessName: powershell.exe
                        Sigma detected: Suspicious Outbound SMTP Connections
                        Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 138.186.9.97, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\DHL_734825514200.exe, Initiated: true, ProcessId: 5720, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
                        Sigma detected: Non Interactive PowerShell Process Spawned
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_734825514200.exe", ParentImage: C:\Users\user\Desktop\DHL_734825514200.exe, ParentProcessId: 5244, ParentProcessName: DHL_734825514200.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe", ProcessId: 2004, ProcessName: powershell.exe

                        Snort Signatures

                        Timestamp:05/04/24-10:01:56.099442
                        SID:2839723
                        Source Port:49732
                        Destination Port:587
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/04/24-10:01:56.099510
                        SID:2851779
                        Source Port:49732
                        Destination Port:587
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/04/24-10:01:56.099510
                        SID:2855542
                        Source Port:49732
                        Destination Port:587
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/04/24-10:01:56.099510
                        SID:2855245
                        Source Port:49732
                        Destination Port:587
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/04/24-10:01:56.099510
                        SID:2840032
                        Source Port:49732
                        Destination Port:587
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:05/04/24-10:01:56.099442
                        SID:2030171
                        Source Port:49732
                        Destination Port:587
                        Protocol:TCP
                        Classtype:A Network Trojan was detected

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: DHL_734825514200.exeAvira: detected
                        Found malware configuration
                        Source: 3.2.DHL_734825514200.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.saludsanjuan.cl", "Username": "sjcdireccion@saludsanjuan.cl", "Password": "*Direcdesam&"}
                        Multi AV Scanner detection for submitted file
                        Source: DHL_734825514200.exeReversingLabs: Detection: 57%
                        Source: DHL_734825514200.exeVirustotal: Detection: 53%Perma Link
                        Machine Learning detection for sample
                        Source: DHL_734825514200.exeJoe Sandbox ML: detected
                        Source: DHL_734825514200.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: DHL_734825514200.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

                        barindex
                        Snort IDS alert for network traffic
                        Source: TrafficSnort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: TrafficSnort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49732 -> 138.186.9.97:587
                        Yara detected Generic Downloader
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.raw.unpack, type: UNPACKEDPE
                        Source: global trafficTCP traffic: 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: global trafficTCP traffic: 192.168.2.4:49732 -> 138.186.9.97:587
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficDNS traffic detected: DNS query: mail.saludsanjuan.cl
                        Source: DHL_734825514200.exe, 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.saludsanjuan.cl
                        Source: DHL_734825514200.exe, 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://saludsanjuan.cl
                        Source: DHL_734825514200.exe, 00000000.00000002.1674399505.0000000002568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: DHL_734825514200.exe, 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, DHL_734825514200.exe, 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, DHL_734825514200.exe, 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Contains functionality to log keystrokes (.Net Source)
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, 3DlgK9re6m.cs.Net Code: TR5

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.DHL_734825514200.exe.3811518.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 3.2.DHL_734825514200.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.DHL_734825514200.exe.3811518.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 0_2_0061EFC40_2_0061EFC4
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C793703_2_02C79370
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C74A983_2_02C74A98
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C79BE83_2_02C79BE8
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C73E803_2_02C73E80
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C7CE803_2_02C7CE80
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C741C83_2_02C741C8
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_06412EE83_2_06412EE8
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_064156B83_2_064156B8
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_06413F283_2_06413F28
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_0641BD003_2_0641BD00
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_0641DD203_2_0641DD20
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_06419AE03_2_06419AE0
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_06418B883_2_06418B88
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_064100403_2_06410040
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_064136303_2_06413630
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_06414FD83_2_06414FD8
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C7D2283_2_02C7D228
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 3_2_02C79BE03_2_02C79BE0
                        Source: DHL_734825514200.exe, 00000000.00000002.1677039533.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1673396306.000000000064E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1674399505.0000000002568000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename543e769c-28db-4980-805f-9ef29a53165c.exe4 vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1676677866.0000000004BB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1674399505.00000000024D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename543e769c-28db-4980-805f-9ef29a53165c.exe4 vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000000.00000002.1677239931.00000000058B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename543e769c-28db-4980-805f-9ef29a53165c.exe4 vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000003.00000002.2887375790.0000000000F89000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_734825514200.exe
                        Source: DHL_734825514200.exe, 00000003.00000002.2887537166.00000000010B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dll vs DHL_734825514200.exe
                        Source: DHL_734825514200.exeBinary or memory string: OriginalFilenameTWxi.exe8 vs DHL_734825514200.exe
                        Source: DHL_734825514200.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.DHL_734825514200.exe.3811518.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 3.2.DHL_734825514200.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.DHL_734825514200.exe.3811518.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: DHL_734825514200.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, slKb.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, mAKJ.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, xQRSe0Fg.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, n3rhMa.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, MQzE4FWn.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, nSmgRyX5a1.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, VmAl511krMmOe59lJa.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, VmAl511krMmOe59lJa.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, g3KUlacgmmUpTu6lIf.csSecurity API names: _0020.SetAccessControl
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, g3KUlacgmmUpTu6lIf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, g3KUlacgmmUpTu6lIf.csSecurity API names: _0020.AddAccessRule
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, g3KUlacgmmUpTu6lIf.csSecurity API names: _0020.SetAccessControl
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, g3KUlacgmmUpTu6lIf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, g3KUlacgmmUpTu6lIf.csSecurity API names: _0020.AddAccessRule
                        Source: 0.2.DHL_734825514200.exe.25267d8.0.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: 0.2.DHL_734825514200.exe.4bf0000.10.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: 0.2.DHL_734825514200.exe.2537450.5.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@1/1
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_734825514200.exe.logJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMutant created: \Sessions\1\BaseNamedObjects\LRvwkRy
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20mui45p.w2d.ps1Jump to behavior
                        Source: DHL_734825514200.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: DHL_734825514200.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: DHL_734825514200.exeReversingLabs: Detection: 57%
                        Source: DHL_734825514200.exeVirustotal: Detection: 53%
                        Source: unknownProcess created: C:\Users\user\Desktop\DHL_734825514200.exe "C:\Users\user\Desktop\DHL_734825514200.exe"
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Users\user\Desktop\DHL_734825514200.exe "C:\Users\user\Desktop\DHL_734825514200.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Users\user\Desktop\DHL_734825514200.exe "C:\Users\user\Desktop\DHL_734825514200.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: vaultcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                        Source: DHL_734825514200.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: DHL_734825514200.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Data Obfuscation

                        barindex
                        .NET source code contains method to dynamically call methods (often used by packers)
                        Source: 0.2.DHL_734825514200.exe.4bf0000.10.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                        Source: 0.2.DHL_734825514200.exe.2537450.5.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                        Source: 0.2.DHL_734825514200.exe.25267d8.0.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                        .NET source code contains potential unpacker
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, g3KUlacgmmUpTu6lIf.cs.Net Code: dT9YFK0KSk System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, g3KUlacgmmUpTu6lIf.cs.Net Code: dT9YFK0KSk System.Reflection.Assembly.Load(byte[])
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 0_2_0061CA0F push ss; retf 0_2_0061CA1E
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 0_2_0061D110 push ebx; retf 0_2_0061D122
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeCode function: 0_2_0061D7E8 push es; retf 0_2_0061D7F6
                        Source: DHL_734825514200.exeStatic PE information: section name: .text entropy: 7.974833679696894
                        Source: 0.2.DHL_734825514200.exe.4bf0000.10.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                        Source: 0.2.DHL_734825514200.exe.2537450.5.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                        Source: 0.2.DHL_734825514200.exe.25267d8.0.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, VmAl511krMmOe59lJa.csHigh entropy of concatenated method names: 'HiJNDh1xrD', 'bJ6NP3PEaJ', 'LwuNj51d3R', 's5nNxIqZCk', 'cY9NBtPK1o', 'hnoNH8ZEOh', 'CxNNdw7JE9', 'iJGN4Etig9', 'RGoN2c8b99', 'WV0Nm0bFR4'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, CL82XRElcwGt3tZn7E.csHigh entropy of concatenated method names: 'agGC16g75e', 'H7LC7AI3d4', 'YdlC0qga2d', 'Du4C6bvCn7', 'nFTCkltJgi', 'obqCZnD8gZ', 'zT3CWateP1', 'x6uCS5Zl67', 'fkiCTl4lSb', 'XrXCXaWGN2'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, C8ISlE20nTA5qbKi9A.csHigh entropy of concatenated method names: 'J9t80xKojx', 'Vfs86R5l0v', 'nJF83hmBA3', 'QoK8kIp9Ye', 'G1Z8DNbyB0', 'C328Z4HgD1', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, XAIdZDHc59O0vuFCMj.csHigh entropy of concatenated method names: 'kQGV4UFXv9', 'aVGVmdgoiu', 'OvA8LPZbxP', 'lgy8KveS3W', 'f0HVXcmuXJ', 'ECpVJLBY2T', 'Rq8VEVgFTY', 'wr5VD6Pt5K', 'aOfVPv9MER', 'Wf8VjBFqU4'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, Qu7b5nNrTP1uSaPXch.csHigh entropy of concatenated method names: 'Dispose', 'XhKK2JQJTK', 'xbj56ECf90', 'WWpIIPVbUX', 'upoKmucl6E', 'QoaKzpc1sr', 'ProcessDialogKey', 'xlv5L8ISlE', 'FnT5KA5qbK', 'x9A55Yftc6'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, lsl4W0Kw4PE5pKdYH5w.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x9SrDGd9n5', 'CBIrP2RLaN', 'ijnrjy6I7R', 'O81rxcNqUQ', 'BZXrBoC5Tb', 'cvLrHm4YhG', 'QQJrdgIZkI'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, qHi6VCj2P8LO8DiGKI.csHigh entropy of concatenated method names: 'ToString', 'VGdpX9aIXr', 'isYp6vQXuL', 'xIcp3NG3fP', 'jF9pkfFl71', 'mQvpZOu9jH', 'tKdpaSijoj', 'PwGpWYWPYi', 'gCvpSOBQIV', 'tDjpRP4owy'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, cxC4bbYZl6eBcEU3wM.csHigh entropy of concatenated method names: 'hkHKlmAl51', 'IrMKcmOe59', 'MXmK9TYyZX', 'lo5KfCwpah', 'jgKKOgjPs3', 'ClbKplcfM7', 'MNXrefurEfVoBvWW6w', 'sG09DCPC1UnKRSnh7K', 'JlLKKKWUfM', 'wDPKwWItbw'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, Pq9WxS7XmTYyZX9o5C.csHigh entropy of concatenated method names: 'N8fUGGVM1f', 'xNLUv0MARA', 'HeWU1FnTKd', 'spaU7XYW3A', 'h1BUOeOCHk', 'KMNUpMkew5', 'Q0wUVtmJbh', 'LSGU8JAmId', 'rjnUQeNhmA', 'qXGUrsTUuR'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, tk7biFWC8WYhqrikIn.csHigh entropy of concatenated method names: 'xxLltCtU9l', 'keXlUFit1e', 'opqlybyq6B', 'epaymFJsHa', 'Yeayzwe4Xa', 'Ys0lLFW5kw', 'bM9lKLVv4A', 'mQGl5UdRFf', 'A5nlwMwM27', 'lJwlY6xKWW'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, pxEb9pRFSjgO2kaKSC.csHigh entropy of concatenated method names: 'rhElgMWxrB', 'zWXlodWHU7', 'J8BlFIvkkh', 'b9LlGNNMIl', 'ETZlI2aMRh', 'FH8lvlRPgr', 'DL4lemj2jQ', 'JbGl1HXhZa', 'F55l7CPs7b', 'RMOlAk4vEK'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, dftc6qmqxeZpIIMTcL.csHigh entropy of concatenated method names: 'buaQKUyOZa', 'bxTQw2R7X7', 'vhoQYsBMWB', 'WPbQtLF77Y', 'QVkQNsaxsd', 'z5BQMSP7EA', 'wJBQylfUSM', 'YxA8ds5G7B', 'RK5846VKLT', 'YOe82Qgb8a'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, JsLk0mKLTcq2wr9pFtV.csHigh entropy of concatenated method names: 'BsmQgE6RnQ', 't2dQorAeHy', 'fIbQFZQ3er', 'BEyQG4enES', 'skcQIy68Dp', 'XqOQvePPtC', 'AAxQevugxr', 'jPmQ1sd4S0', 'zVYQ7ArJGo', 'NJMQAN00xC'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, tKdTyLUYMYGxOE1SeH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xEX52dvPqC', 'muZ5mdRjON', 'J7O5z21Skx', 'P8AwL83RhF', 'ySBwKo5agZ', 'h3rw5m1Og0', 'on2wwv8u1i', 'BGm2K84Y4vHjEEGCuMt'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, g3KUlacgmmUpTu6lIf.csHigh entropy of concatenated method names: 'CgZwbaGbTo', 'htIwt0GyKK', 'DYfwNe45cD', 'qFTwUfExnX', 'urvwM55A0L', 'LAawyMRhLY', 'g9Gwlo1XoB', 'Sk1wckgky9', 'GPewsW7cyq', 'J7Zw9cPDSW'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, dpahhjAkOBgSplgKgj.csHigh entropy of concatenated method names: 'jC3MI2i9pI', 'qofMev0H2H', 'XCmU3IGHEV', 'p91UkwgGb2', 'PYQUZRg6pi', 's4wUajKZPb', 'LOMUW5Pvlt', 'fhYUSUHYq9', 'kAHURi1Lyn', 'HwWUT0qtyl'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, Rs3vlb0lcfM77gAQMt.csHigh entropy of concatenated method names: 'ztAybpaYwS', 'oLlyNVK6uO', 'e2FyMHOkUy', 'PnKylOdE3L', 'Y4Uyc6chd6', 'pmHMBWHcaM', 'sKXMHpemf8', 'FMHMdrlefc', 'yZoM4fUGg6', 'NJDM2AZIBG'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, gLCAp05FFGn89jcjAE.csHigh entropy of concatenated method names: 'KgQFKf3PS', 'rpCGn0MYt', 'HhCv0xuf8', 'gtEexAchr', 'bUi7OL1et', 'PDhAKq0x3', 'JLmxdlgkyBqHyBN6vO', 'vU1PthwsVEMRwL0nQV', 'jPDMi4SN472BHnwIaN', 'TDg8vbEUe'
                        Source: 0.2.DHL_734825514200.exe.38b5930.8.raw.unpack, poucl64EDoapc1sril.csHigh entropy of concatenated method names: 'bmP8tjuSb4', 'fde8N6KvMK', 'pLQ8Ur8URr', 'fkb8MbM0Qt', 'FHM8yfxh5i', 'HiO8l5d8L1', 'Ukd8c3p3Rg', 'Ula8s6kEo1', 'Amq89kxluM', 'cKL8fkNj6U'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, VmAl511krMmOe59lJa.csHigh entropy of concatenated method names: 'HiJNDh1xrD', 'bJ6NP3PEaJ', 'LwuNj51d3R', 's5nNxIqZCk', 'cY9NBtPK1o', 'hnoNH8ZEOh', 'CxNNdw7JE9', 'iJGN4Etig9', 'RGoN2c8b99', 'WV0Nm0bFR4'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, CL82XRElcwGt3tZn7E.csHigh entropy of concatenated method names: 'agGC16g75e', 'H7LC7AI3d4', 'YdlC0qga2d', 'Du4C6bvCn7', 'nFTCkltJgi', 'obqCZnD8gZ', 'zT3CWateP1', 'x6uCS5Zl67', 'fkiCTl4lSb', 'XrXCXaWGN2'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, C8ISlE20nTA5qbKi9A.csHigh entropy of concatenated method names: 'J9t80xKojx', 'Vfs86R5l0v', 'nJF83hmBA3', 'QoK8kIp9Ye', 'G1Z8DNbyB0', 'C328Z4HgD1', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, XAIdZDHc59O0vuFCMj.csHigh entropy of concatenated method names: 'kQGV4UFXv9', 'aVGVmdgoiu', 'OvA8LPZbxP', 'lgy8KveS3W', 'f0HVXcmuXJ', 'ECpVJLBY2T', 'Rq8VEVgFTY', 'wr5VD6Pt5K', 'aOfVPv9MER', 'Wf8VjBFqU4'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, Qu7b5nNrTP1uSaPXch.csHigh entropy of concatenated method names: 'Dispose', 'XhKK2JQJTK', 'xbj56ECf90', 'WWpIIPVbUX', 'upoKmucl6E', 'QoaKzpc1sr', 'ProcessDialogKey', 'xlv5L8ISlE', 'FnT5KA5qbK', 'x9A55Yftc6'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, lsl4W0Kw4PE5pKdYH5w.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x9SrDGd9n5', 'CBIrP2RLaN', 'ijnrjy6I7R', 'O81rxcNqUQ', 'BZXrBoC5Tb', 'cvLrHm4YhG', 'QQJrdgIZkI'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, qHi6VCj2P8LO8DiGKI.csHigh entropy of concatenated method names: 'ToString', 'VGdpX9aIXr', 'isYp6vQXuL', 'xIcp3NG3fP', 'jF9pkfFl71', 'mQvpZOu9jH', 'tKdpaSijoj', 'PwGpWYWPYi', 'gCvpSOBQIV', 'tDjpRP4owy'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, cxC4bbYZl6eBcEU3wM.csHigh entropy of concatenated method names: 'hkHKlmAl51', 'IrMKcmOe59', 'MXmK9TYyZX', 'lo5KfCwpah', 'jgKKOgjPs3', 'ClbKplcfM7', 'MNXrefurEfVoBvWW6w', 'sG09DCPC1UnKRSnh7K', 'JlLKKKWUfM', 'wDPKwWItbw'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, Pq9WxS7XmTYyZX9o5C.csHigh entropy of concatenated method names: 'N8fUGGVM1f', 'xNLUv0MARA', 'HeWU1FnTKd', 'spaU7XYW3A', 'h1BUOeOCHk', 'KMNUpMkew5', 'Q0wUVtmJbh', 'LSGU8JAmId', 'rjnUQeNhmA', 'qXGUrsTUuR'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, tk7biFWC8WYhqrikIn.csHigh entropy of concatenated method names: 'xxLltCtU9l', 'keXlUFit1e', 'opqlybyq6B', 'epaymFJsHa', 'Yeayzwe4Xa', 'Ys0lLFW5kw', 'bM9lKLVv4A', 'mQGl5UdRFf', 'A5nlwMwM27', 'lJwlY6xKWW'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, pxEb9pRFSjgO2kaKSC.csHigh entropy of concatenated method names: 'rhElgMWxrB', 'zWXlodWHU7', 'J8BlFIvkkh', 'b9LlGNNMIl', 'ETZlI2aMRh', 'FH8lvlRPgr', 'DL4lemj2jQ', 'JbGl1HXhZa', 'F55l7CPs7b', 'RMOlAk4vEK'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, dftc6qmqxeZpIIMTcL.csHigh entropy of concatenated method names: 'buaQKUyOZa', 'bxTQw2R7X7', 'vhoQYsBMWB', 'WPbQtLF77Y', 'QVkQNsaxsd', 'z5BQMSP7EA', 'wJBQylfUSM', 'YxA8ds5G7B', 'RK5846VKLT', 'YOe82Qgb8a'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, JsLk0mKLTcq2wr9pFtV.csHigh entropy of concatenated method names: 'BsmQgE6RnQ', 't2dQorAeHy', 'fIbQFZQ3er', 'BEyQG4enES', 'skcQIy68Dp', 'XqOQvePPtC', 'AAxQevugxr', 'jPmQ1sd4S0', 'zVYQ7ArJGo', 'NJMQAN00xC'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, tKdTyLUYMYGxOE1SeH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xEX52dvPqC', 'muZ5mdRjON', 'J7O5z21Skx', 'P8AwL83RhF', 'ySBwKo5agZ', 'h3rw5m1Og0', 'on2wwv8u1i', 'BGm2K84Y4vHjEEGCuMt'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, g3KUlacgmmUpTu6lIf.csHigh entropy of concatenated method names: 'CgZwbaGbTo', 'htIwt0GyKK', 'DYfwNe45cD', 'qFTwUfExnX', 'urvwM55A0L', 'LAawyMRhLY', 'g9Gwlo1XoB', 'Sk1wckgky9', 'GPewsW7cyq', 'J7Zw9cPDSW'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, dpahhjAkOBgSplgKgj.csHigh entropy of concatenated method names: 'jC3MI2i9pI', 'qofMev0H2H', 'XCmU3IGHEV', 'p91UkwgGb2', 'PYQUZRg6pi', 's4wUajKZPb', 'LOMUW5Pvlt', 'fhYUSUHYq9', 'kAHURi1Lyn', 'HwWUT0qtyl'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, Rs3vlb0lcfM77gAQMt.csHigh entropy of concatenated method names: 'ztAybpaYwS', 'oLlyNVK6uO', 'e2FyMHOkUy', 'PnKylOdE3L', 'Y4Uyc6chd6', 'pmHMBWHcaM', 'sKXMHpemf8', 'FMHMdrlefc', 'yZoM4fUGg6', 'NJDM2AZIBG'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, gLCAp05FFGn89jcjAE.csHigh entropy of concatenated method names: 'KgQFKf3PS', 'rpCGn0MYt', 'HhCv0xuf8', 'gtEexAchr', 'bUi7OL1et', 'PDhAKq0x3', 'JLmxdlgkyBqHyBN6vO', 'vU1PthwsVEMRwL0nQV', 'jPDMi4SN472BHnwIaN', 'TDg8vbEUe'
                        Source: 0.2.DHL_734825514200.exe.58b0000.11.raw.unpack, poucl64EDoapc1sril.csHigh entropy of concatenated method names: 'bmP8tjuSb4', 'fde8N6KvMK', 'pLQ8Ur8URr', 'fkb8MbM0Qt', 'FHM8yfxh5i', 'HiO8l5d8L1', 'Ukd8c3p3Rg', 'Ula8s6kEo1', 'Amq89kxluM', 'cKL8fkNj6U'

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Loading BitLocker PowerShell Module
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        barindex
                        Yara detected AntiVM3
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5244, type: MEMORYSTR
                        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 610000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 24D0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 22F0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 5930000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 6930000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 6B70000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 7B70000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 2BD0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 2DF0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: 2BD0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6329Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3359Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWindow / User API: threadDelayed 1958Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWindow / User API: threadDelayed 5616Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 5544Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -21213755684765971s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -100000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7292Thread sleep count: 1958 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99875s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7292Thread sleep count: 5616 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99739s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99609s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99500s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99390s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99281s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99170s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -99057s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98953s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98843s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98734s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98625s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98515s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98405s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98296s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98187s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -98078s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97968s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97859s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97750s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97640s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97531s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97422s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97312s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97203s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -97093s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96984s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96875s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96765s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96656s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96546s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96437s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96328s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96219s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96109s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -96000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exe TID: 7284Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99875Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99739Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99609Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99500Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99390Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99281Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99170Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 99057Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98953Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98843Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98734Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98625Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98515Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98405Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98296Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98187Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 98078Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97968Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97859Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97750Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97640Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97531Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97422Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97312Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97203Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 97093Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96984Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96875Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96765Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96656Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96546Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96437Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96328Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96219Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96109Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 96000Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: DHL_734825514200.exe, 00000000.00000002.1673396306.0000000000686000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
                        Source: DHL_734825514200.exe, 00000000.00000002.1677239931.00000000058B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: rYY9VMCilG
                        Source: DHL_734825514200.exe, 00000003.00000002.2887537166.0000000001170000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Adds a directory exclusion to Windows Defender
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe"
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeProcess created: C:\Users\user\Desktop\DHL_734825514200.exe "C:\Users\user\Desktop\DHL_734825514200.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Users\user\Desktop\DHL_734825514200.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Users\user\Desktop\DHL_734825514200.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        barindex
                        Yara detected AgentTesla
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.DHL_734825514200.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5244, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5720, type: MEMORYSTR
                        Yara detected PureLog Stealer
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2537450.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.4bf0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.4bf0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.25267d8.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2537450.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.25267d8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.24f35b4.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2778578.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.277b5a8.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2779590.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.1676794817.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1674399505.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1674399505.000000000273E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                        Tries to harvest and steal ftp login credentials
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                        Tries to steal Mail credentials (via file / registry access)
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                        Source: C:\Users\user\Desktop\DHL_734825514200.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.DHL_734825514200.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5244, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5720, type: MEMORYSTR

                        Remote Access Functionality

                        barindex
                        Yara detected AgentTesla
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.DHL_734825514200.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.384bf38.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.3811518.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.2888297770.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5244, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: DHL_734825514200.exe PID: 5720, type: MEMORYSTR
                        Yara detected PureLog Stealer
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2537450.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.4bf0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.4bf0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.25267d8.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2537450.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.25267d8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.24f35b4.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2778578.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.277b5a8.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.DHL_734825514200.exe.2779590.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.1676794817.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1674399505.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1674399505.000000000273E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                        Windows Management Instrumentation                        		1
                        DLL Side-Loading                        		11
                        Process Injection                        		1
                        Masquerading                        		2
                        OS Credential Dumping                        		111
                        Security Software Discovery                        		Remote Services1
                        Email Collection                        		1
                        Encrypted Channel                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                        DLL Side-Loading                        		11
                        Disable or Modify Tools                        		1
                        Input Capture                        		1
                        Process Discovery                        		Remote Desktop Protocol1
                        Input Capture                        		1
                        Non-Standard Port                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)141
                        Virtualization/Sandbox Evasion                        		1
                        Credentials in Registry                        		141
                        Virtualization/Sandbox Evasion                        		SMB/Windows Admin Shares11
                        Archive Collected Data                        		1
                        Non-Application Layer Protocol                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                        Process Injection                        		NTDS1
                        Application Window Discovery                        		Distributed Component Object Model2
                        Data from Local System                        		11
                        Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        Deobfuscate/Decode Files or Information                        		LSA Secrets1
                        File and Directory Discovery                        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                        Obfuscated Files or Information                        		Cached Domain Credentials24
                        System Information Discovery                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                        Software Packing                        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                        DLL Side-Loading                        		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        DHL_734825514200.exe58%ReversingLabsWin32.Trojan.SnakeKeyLogger
                        DHL_734825514200.exe54%VirustotalBrowse
                        DHL_734825514200.exe100%AviraHEUR/AGEN.1305452
                        DHL_734825514200.exe100%Joe Sandbox ML

                        Dropped Files

                        No Antivirus matches

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        SourceDetectionScannerLabelLink
                        saludsanjuan.cl0%VirustotalBrowse
                        mail.saludsanjuan.cl0%VirustotalBrowse

                        URLs

                        SourceDetectionScannerLabelLink
                        http://mail.saludsanjuan.cl0%Avira URL Cloudsafe
                        http://saludsanjuan.cl0%Avira URL Cloudsafe
                        http://saludsanjuan.cl0%VirustotalBrowse
                        http://mail.saludsanjuan.cl0%VirustotalBrowse

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        saludsanjuan.cl
                        		138.186.9.97
                        		truetrueunknown
                        mail.saludsanjuan.cl
                        		unknown
                        		unknowntrueunknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://account.dyn.com/DHL_734825514200.exe, 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, DHL_734825514200.exe, 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, DHL_734825514200.exe, 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                          		high
                          http://mail.saludsanjuan.clDHL_734825514200.exe, 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDHL_734825514200.exe, 00000000.00000002.1674399505.0000000002568000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://saludsanjuan.clDHL_734825514200.exe, 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            138.186.9.97
                            		saludsanjuan.clChile
                            		52511IRONSERVERSEIRLCLtrue

                            General Information

                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1436300
                            Start date and time:2024-05-04 10:01:00 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 13s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:DHL_734825514200.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@7/6@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 71
                            • Number of non-executed functions: 1
                            Cookbook Comments:
                            • Found application associated with file extension: .exe

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            10:01:50API Interceptor38x Sleep call for process: DHL_734825514200.exe modified
                            10:01:51API Interceptor13x Sleep call for process: powershell.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            138.186.9.97DHL_DWE00495.exeGet hashmaliciousAgentTeslaBrowse

                              Domains

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                              ASNs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              IRONSERVERSEIRLCLDHL_DWE00495.exeGet hashmaliciousAgentTeslaBrowse
                              • 138.186.9.97

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_734825514200.exe.log

                              Download File
                              Process:C:\Users\user\Desktop\DHL_734825514200.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Download File
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2232
                              Entropy (8bit):5.379401388151058
                              Encrypted:false
                              SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:fLHxvIIwLgZ2KRHWLOugss
                              MD5:25321E5EF46D4B6586B432EDE14CDFB7
                              SHA1:7B04466E0869735444E88F5F99045A021E104D5B
                              SHA-256:D01CD798290DF4649DC4747E1130281BCB90400C1BABA2727D819D2626CCE70B
                              SHA-512:4C5A5AEBCCF0426B10C11CAC0E2B935030FE539EF3582BC6AE4CCF052A9A7C6C35F3B8409123F59BDC7F0C35ABB9B433A4FAFFA50F856197A0B4712C8283BD40
                              Malicious:false
                              Reputation:low
                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14d1iv1g.4xt.ps1

                              Download File
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20mui45p.w2d.ps1

                              Download File
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wzepedb.r4c.psm1

                              Download File
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcxw0qdb.yvy.psm1

                              Download File
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.955929905236926
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:DHL_734825514200.exe
                              File size:702'464 bytes
                              MD5:209a4f5760d18041ad0d41d5dde74cd0
                              SHA1:a45548c688febe40a1608c2b1f6193e612a5ee0d
                              SHA256:37ac69abe12f3ec977df53efd9e10a1c2f40eba5fab217cbce4e0fb5452c669f
                              SHA512:67e1600d83d924c09f16d95f4db9d58139e062360711c217d9cbf21aff17004526d4b2266211ba41c686ff3debc4839e0688128c27bdb70f5c708ebf9f837760
                              SSDEEP:12288:83/T3/fVrTtK3/KMq2g3aNizWHrFqR1OfeN359bEn8+D5L/1at1Q/BaK6DPcEOkY:8rXVrTtKjr0sfeNu5jMt2kDEEHIe+
                              TLSH:08E422C033DA5B3FD87B93F40E5D998027B1B3A6A870E5492EE169D45CB974E8F4021B
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a3f..............0..x...8........... ........@.. ....................................@................................

                              File Icon

                              Icon Hash:0773f1fcfccc6113

                              Static PE Info

                              General

                              Entrypoint:0x4a930e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x663361DB [Thu May 2 09:50:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              aaa
                              inc edi
                              aaa
                              dec eax
                              xor eax, 42000000h
                              xor eax, 4E343531h
                              xor eax, 32414939h
                              dec ecx
                              aaa
                              aaa
                              inc ebp
                              xor al, 56h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0xa92bc0x4f.text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x2ce4.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xae0000xc.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x20000xa73340xa780017d6fa7882bf2eea60680415b61f4de3False0.9602028917910448data7.974833679696894IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc0xaa0000x2ce40x3000d8fd0399806ed28620fba15b63857712False0.87158203125data7.429749448330355IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0xae0000xc0x80034bbe42ab9db14edb4b61a1898f9f8baFalse0.015625data0.03037337037012526IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountryZLIB Complexity
                              RT_ICON0xaa1000x26cdPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9980871841336958
                              RT_GROUP_ICON0xac7e00x14data1.05
                              RT_VERSION0xac8040x2e0data0.4470108695652174
                              RT_MANIFEST0xacaf40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                              Imports

                              DLLImport
                              mscoree.dll_CorExeMain

                              Network Behavior

                              Snort IDS Alerts

                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                              05/04/24-10:01:56.099442TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49732587192.168.2.4138.186.9.97
                              05/04/24-10:01:56.099510TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49732587192.168.2.4138.186.9.97
                              05/04/24-10:01:56.099510TCP2855542ETPRO TROJAN Agent Tesla CnC Exfil Activity49732587192.168.2.4138.186.9.97
                              05/04/24-10:01:56.099510TCP2855245ETPRO TROJAN Agent Tesla Exfil via SMTP49732587192.168.2.4138.186.9.97
                              05/04/24-10:01:56.099510TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249732587192.168.2.4138.186.9.97
                              05/04/24-10:01:56.099442TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49732587192.168.2.4138.186.9.97

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              May 4, 2024 10:01:53.035129070 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:53.354629993 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:53.354717016 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:54.145215988 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:54.146179914 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:54.468240023 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:54.469434977 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:54.789098978 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:54.789504051 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:55.123800039 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:55.124066114 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:55.443871021 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:55.444124937 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:55.777316093 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:55.777477026 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:56.098634958 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:56.098849058 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:56.099442005 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:56.099509954 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:56.099544048 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:56.099544048 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:01:56.418926001 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:56.426333904 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:01:56.473438978 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:03:32.443213940 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:03:32.801769972 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:03:32.964378119 CEST58749732138.186.9.97192.168.2.4
                              May 4, 2024 10:03:32.964510918 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:03:32.964792967 CEST49732587192.168.2.4138.186.9.97
                              May 4, 2024 10:03:33.284192085 CEST58749732138.186.9.97192.168.2.4

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              May 4, 2024 10:01:52.418561935 CEST5070453192.168.2.41.1.1.1
                              May 4, 2024 10:01:53.028062105 CEST53507041.1.1.1192.168.2.4

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              May 4, 2024 10:01:52.418561935 CEST192.168.2.41.1.1.10x8ad9Standard query (0)mail.saludsanjuan.clA (IP address)IN (0x0001)false

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              May 4, 2024 10:01:53.028062105 CEST1.1.1.1192.168.2.40x8ad9No error (0)mail.saludsanjuan.clsaludsanjuan.clCNAME (Canonical name)IN (0x0001)false
                              May 4, 2024 10:01:53.028062105 CEST1.1.1.1192.168.2.40x8ad9No error (0)saludsanjuan.cl138.186.9.97A (IP address)IN (0x0001)false

                              SMTP Packets

                              TimestampSource PortDest PortSource IPDest IPCommands
                              May 4, 2024 10:01:54.145215988 CEST58749732138.186.9.97192.168.2.4220 vps.saludsanjuan.cl ESMTP Exim 4.96.2-12-g29d01ae2a Sat, 04 May 2024 04:01:53 -0400
                              May 4, 2024 10:01:54.146179914 CEST49732587192.168.2.4138.186.9.97EHLO 971342
                              May 4, 2024 10:01:54.468240023 CEST58749732138.186.9.97192.168.2.4250-vps.saludsanjuan.cl Hello 971342 [81.181.54.104]
                              250-SIZE 52428800
                              250-8BITMIME
                              250-PIPELINING
                              250-PIPECONNECT
                              250-AUTH PLAIN LOGIN
                              250-STARTTLS
                              250 HELP
                              May 4, 2024 10:01:54.469434977 CEST49732587192.168.2.4138.186.9.97AUTH login c2pjZGlyZWNjaW9uQHNhbHVkc2FuanVhbi5jbA==
                              May 4, 2024 10:01:54.789098978 CEST58749732138.186.9.97192.168.2.4334 UGFzc3dvcmQ6
                              May 4, 2024 10:01:55.123800039 CEST58749732138.186.9.97192.168.2.4235 Authentication succeeded
                              May 4, 2024 10:01:55.124066114 CEST49732587192.168.2.4138.186.9.97MAIL FROM:<sjcdireccion@saludsanjuan.cl>
                              May 4, 2024 10:01:55.443871021 CEST58749732138.186.9.97192.168.2.4250 OK
                              May 4, 2024 10:01:55.444124937 CEST49732587192.168.2.4138.186.9.97RCPT TO:<sjcdireccion@saludsanjuan.cl>
                              May 4, 2024 10:01:55.777316093 CEST58749732138.186.9.97192.168.2.4250 Accepted
                              May 4, 2024 10:01:55.777477026 CEST49732587192.168.2.4138.186.9.97DATA
                              May 4, 2024 10:01:56.098849058 CEST58749732138.186.9.97192.168.2.4354 Enter message, ending with "." on a line by itself
                              May 4, 2024 10:01:56.099544048 CEST49732587192.168.2.4138.186.9.97.
                              May 4, 2024 10:01:56.426333904 CEST58749732138.186.9.97192.168.2.4250 OK id=1s36ax-0007wr-0B
                              May 4, 2024 10:03:32.443213940 CEST49732587192.168.2.4138.186.9.97QUIT
                              May 4, 2024 10:03:32.964378119 CEST58749732138.186.9.97192.168.2.4221 vps.saludsanjuan.cl closing connection

                              Statistics

                              CPU Usage

                              Click to jump to process

                              Memory Usage

                              Click to jump to process

                              High Level Behavior Distribution

                              Click to dive into process behavior distribution

                              Behavior

                              Click to jump to process

                              System Behavior

                              General

                              Target ID:0
                              Start time:10:01:49
                              Start date:04/05/2024
                              Path:C:\Users\user\Desktop\DHL_734825514200.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\DHL_734825514200.exe"
                              Imagebase:0x10000
                              File size:702'464 bytes
                              MD5 hash:209A4F5760D18041AD0D41D5DDE74CD0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1676794817.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1675141096.0000000004131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1674399505.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1675141096.0000000003811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1674399505.000000000273E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              General

                              Target ID:1
                              Start time:10:01:50
                              Start date:04/05/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_734825514200.exe"
                              Imagebase:0x6c0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              General

                              Target ID:2
                              Start time:10:01:50
                              Start date:04/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              General

                              Target ID:3
                              Start time:10:01:50
                              Start date:04/05/2024
                              Path:C:\Users\user\Desktop\DHL_734825514200.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\DHL_734825514200.exe"
                              Imagebase:0xb50000
                              File size:702'464 bytes
                              MD5 hash:209A4F5760D18041AD0D41D5DDE74CD0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2888297770.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2888297770.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2887243173.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2888297770.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2888297770.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              General

                              Target ID:4
                              Start time:10:01:52
                              Start date:04/05/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff693ab0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Disassembly

                              Reset < >

                                Execution Graph

                                Execution Coverage:8.3%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:85
                                Total number of Limit Nodes:5
                                execution_graph 14770 61d4e0 14771 61d526 GetCurrentProcess 14770->14771 14773 61d571 14771->14773 14774 61d578 GetCurrentThread 14771->14774 14773->14774 14775 61d5b5 GetCurrentProcess 14774->14775 14776 61d5ae 14774->14776 14777 61d5eb 14775->14777 14776->14775 14778 61d613 GetCurrentThreadId 14777->14778 14779 61d644 14778->14779 14780 614668 14781 61467f 14780->14781 14782 61468b 14781->14782 14786 614798 14781->14786 14791 614238 14782->14791 14784 6146aa 14787 6147bd 14786->14787 14795 6148a8 14787->14795 14799 614898 14787->14799 14792 614243 14791->14792 14807 615ca4 14792->14807 14794 6170f8 14794->14784 14797 6148cf 14795->14797 14796 6149ac 14797->14796 14803 614508 14797->14803 14800 6148cf 14799->14800 14801 6149ac 14800->14801 14802 614508 CreateActCtxA 14800->14802 14802->14801 14804 615938 CreateActCtxA 14803->14804 14806 6159fb 14804->14806 14808 615caf 14807->14808 14811 615cc4 14808->14811 14810 61719d 14810->14794 14812 615ccf 14811->14812 14815 615cf4 14812->14815 14814 61727a 14814->14810 14816 615cff 14815->14816 14819 615d24 14816->14819 14818 61736d 14818->14814 14820 615d2f 14819->14820 14822 61866b 14820->14822 14825 61ad18 14820->14825 14821 6186a9 14821->14818 14822->14821 14829 61ce00 14822->14829 14834 61ad50 14825->14834 14837 61ad3f 14825->14837 14826 61ad2e 14826->14822 14830 61ce31 14829->14830 14831 61ce55 14830->14831 14858 61d3c8 14830->14858 14862 61d3b8 14830->14862 14831->14821 14841 61ae48 14834->14841 14835 61ad5f 14835->14826 14838 61ad50 14837->14838 14840 61ae48 LoadLibraryExW 14838->14840 14839 61ad5f 14839->14826 14840->14839 14842 61ae59 14841->14842 14843 61ae74 14841->14843 14842->14843 14846 61b0e0 14842->14846 14850 61b0d2 14842->14850 14843->14835 14847 61b0f4 14846->14847 14849 61b119 14847->14849 14854 61a228 14847->14854 14849->14843 14851 61b0f4 14850->14851 14852 61b119 14851->14852 14853 61a228 LoadLibraryExW 14851->14853 14852->14843 14853->14852 14855 61b6c0 LoadLibraryExW 14854->14855 14857 61b739 14855->14857 14857->14849 14860 61d3d5 14858->14860 14859 61d40f 14859->14831 14860->14859 14866 61cfb4 14860->14866 14863 61d3d5 14862->14863 14864 61cfb4 LoadLibraryExW 14863->14864 14865 61d40f 14863->14865 14864->14865 14865->14831 14867 61cfb9 14866->14867 14869 61dd20 14867->14869 14870 61d0dc 14867->14870 14869->14869 14871 61d0e7 14870->14871 14872 615d24 LoadLibraryExW 14871->14872 14873 61dd8f 14872->14873 14873->14869 14874 61d728 DuplicateHandle 14875 61d7be 14874->14875 14876 61b038 14877 61b080 GetModuleHandleW 14876->14877 14878 61b07a 14876->14878 14879 61b0ad 14877->14879 14878->14877

                                Executed Functions

                                Function 0061D4E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128threadCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 579 61d4e0-61d56f GetCurrentProcess 583 61d571-61d577 579->583 584 61d578-61d5ac GetCurrentThread 579->584 583->584 585 61d5b5-61d5e9 GetCurrentProcess 584->585 586 61d5ae-61d5b4 584->586 588 61d5f2-61d60d call 61d6b0 585->588 589 61d5eb-61d5f1 585->589 586->585 592 61d613-61d642 GetCurrentThreadId 588->592 589->588 593 61d644-61d64a 592->593 594 61d64b-61d6ad 592->594 593->594
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0061D55E
                                • GetCurrentThread.KERNEL32 ref: 0061D59B
                                • GetCurrentProcess.KERNEL32 ref: 0061D5D8
                                • GetCurrentThreadId.KERNEL32 ref: 0061D631
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID: (ij
                                • API String ID: 2063062207-3494352610
                                • Opcode ID: 17982c230135b3b2559830134955b6030eddac336120ac10420d8c2178232966
                                • Instruction ID: ff8119d529fafb62d20bb2f4ec4a6440dbf487425ca830881d43d1bc87f760a4
                                • Opcode Fuzzy Hash: 17982c230135b3b2559830134955b6030eddac336120ac10420d8c2178232966
                                • Instruction Fuzzy Hash: 735147B0900249CFDB14CFA9D948BDEBFF6EF88314F248459E409A7360DB755984CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061D4DF Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128threadCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 557 61d4df-61d56f GetCurrentProcess 561 61d571-61d577 557->561 562 61d578-61d5ac GetCurrentThread 557->562 561->562 563 61d5b5-61d5e9 GetCurrentProcess 562->563 564 61d5ae-61d5b4 562->564 566 61d5f2-61d60d call 61d6b0 563->566 567 61d5eb-61d5f1 563->567 564->563 570 61d613-61d642 GetCurrentThreadId 566->570 567->566 571 61d644-61d64a 570->571 572 61d64b-61d6ad 570->572 571->572
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0061D55E
                                • GetCurrentThread.KERNEL32 ref: 0061D59B
                                • GetCurrentProcess.KERNEL32 ref: 0061D5D8
                                • GetCurrentThreadId.KERNEL32 ref: 0061D631
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID: (ij
                                • API String ID: 2063062207-3494352610
                                • Opcode ID: d62d6d3177ecc3e38f194f51e0f3e1ebfd515a06ab8a4592cd566388f6cfcbda
                                • Instruction ID: ac259737ee5026371977d6a13bcc5b2b4af197365d0df617937f3ce69929b7bc
                                • Opcode Fuzzy Hash: d62d6d3177ecc3e38f194f51e0f3e1ebfd515a06ab8a4592cd566388f6cfcbda
                                • Instruction Fuzzy Hash: 0A5135B0901249CFDB14CFA9D948BDEBFF2EF88314F248459E409A7360DB755984CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 00614508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1090 614508-6159f9 CreateActCtxA 1093 615a02-615a5c 1090->1093 1094 6159fb-615a01 1090->1094 1101 615a6b-615a6f 1093->1101 1102 615a5e-615a61 1093->1102 1094->1093 1103 615a71-615a7d 1101->1103 1104 615a80 1101->1104 1102->1101 1103->1104 1105 615a81 1104->1105 1105->1105
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 006159E9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: ccb87bc8a33332b11ea0dff9b8ffb2a9de1e32b6f06a3f674d46428059f32601
                                • Instruction ID: b98b64c8526239dc85da89c5ae8670e73fdd18cca1b9f38993e3b85410caf647
                                • Opcode Fuzzy Hash: ccb87bc8a33332b11ea0dff9b8ffb2a9de1e32b6f06a3f674d46428059f32601
                                • Instruction Fuzzy Hash: 7B41C4B0C01759CADF24CFA9C984BDDFBB6BF84304F24816AD409AB251DB756945CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061592D Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1107 61592d-6159f9 CreateActCtxA 1109 615a02-615a5c 1107->1109 1110 6159fb-615a01 1107->1110 1117 615a6b-615a6f 1109->1117 1118 615a5e-615a61 1109->1118 1110->1109 1119 615a71-615a7d 1117->1119 1120 615a80 1117->1120 1118->1117 1119->1120 1121 615a81 1120->1121 1121->1121
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 006159E9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: dde7128cf2fd35598e20b27df637decd362bf23f1df8f641cc3b334ccbdd4952
                                • Instruction ID: 87e3fbec668975f5c5464bcc14f53232dc53124193e00edce6493afee78f9e73
                                • Opcode Fuzzy Hash: dde7128cf2fd35598e20b27df637decd362bf23f1df8f641cc3b334ccbdd4952
                                • Instruction Fuzzy Hash: F741F1B0C00759CEDB24CFA9C884BDEFBB6BF89304F24816AD409AB251DB756946CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 00615AA4 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1123 615aa4-615b34
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 63bd2fcc03a951b91ea3f99728d6b9a04964ac51cb1b90e22142ecff51731408
                                • Instruction ID: 7afc9e02c7e5af1caf0d09b49cb197ab551c8575d9e52266a0c293b6cdac309c
                                • Opcode Fuzzy Hash: 63bd2fcc03a951b91ea3f99728d6b9a04964ac51cb1b90e22142ecff51731408
                                • Instruction Fuzzy Hash: FD31F471C49B89CECF21CBA8C8853DDFFB2EF91315F58858AC0066B251C73A598ACB41
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061D727 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                Download Yara Rule
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0061D7AF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 2232854c5134cd73e720711e18187eed4142f99bbf240689fe2f11049f2710d2
                                • Instruction ID: 4fc3bb921854ec944cb6f9c3db38d67644c7fbd126e4507f908521ebc02885f8
                                • Opcode Fuzzy Hash: 2232854c5134cd73e720711e18187eed4142f99bbf240689fe2f11049f2710d2
                                • Instruction Fuzzy Hash: 7E21E4B5D002499FDB10CFAAD984ADEBFF5EB48310F24801AE914A7350D374A944CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061D728 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                Download Yara Rule
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0061D7AF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 35100c8a6d0d54841e41c95d5e6ace25283addc2c8afeca9eb1c1eb9b416fdaf
                                • Instruction ID: cd3504c206c84e8950f1fecd8b30e37c1fee1de98148f8515e0085fa1a819301
                                • Opcode Fuzzy Hash: 35100c8a6d0d54841e41c95d5e6ace25283addc2c8afeca9eb1c1eb9b416fdaf
                                • Instruction Fuzzy Hash: E321E4B5D002499FDB10CF9AD984ADEBFF9EB48320F14801AE914A7350D374A944CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061A228 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                Download Yara Rule
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0061B119,00000800,00000000,00000000), ref: 0061B72A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 0d2be5172311e82f64fbc11f1d8b18650496545bbe91d52008f7b306ed918afc
                                • Instruction ID: 2112d2c07fa024c94229e1f32b7339233df27bb9a406e46a2cb9ff756d34dd59
                                • Opcode Fuzzy Hash: 0d2be5172311e82f64fbc11f1d8b18650496545bbe91d52008f7b306ed918afc
                                • Instruction Fuzzy Hash: 161114B6C003098FCB10CFAAC444ADEFBF9EB88310F14842AE419A7740C375A945CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061B6BF Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                Download Yara Rule
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0061B119,00000800,00000000,00000000), ref: 0061B72A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: de0372908a12646376343cd2204764f8c668d870a177dffb1398ada1d97903ea
                                • Instruction ID: 598fba2e55de3ab508819dd5e1fe383254d833b1ae4b058daa21e0a528034e62
                                • Opcode Fuzzy Hash: de0372908a12646376343cd2204764f8c668d870a177dffb1398ada1d97903ea
                                • Instruction Fuzzy Hash: 0811F3B6C003498FDB10CFAAD484ADEFBF5AB88314F14846ED419A7750C375A545CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061B037 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                Download Yara Rule
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0061B09E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 3b0bfac3a8ee7fd3e887ce5be7b9b75ede24d5bc051f1f3796097fc31b01885b
                                • Instruction ID: 0126dbe294c0f6a829a02c4d126b9ad8453328025eb84a3a67d30e6318964635
                                • Opcode Fuzzy Hash: 3b0bfac3a8ee7fd3e887ce5be7b9b75ede24d5bc051f1f3796097fc31b01885b
                                • Instruction Fuzzy Hash: FC110FB5C002498ECB20CFAAC544BDEFBF5AF88324F24845AD829A7710C379A545CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0061B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                Download Yara Rule
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0061B09E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 7bc3b5266b6872b077ef3628055fdffea898a2e1afdc8be75eded2dcb04f5824
                                • Instruction ID: ce87c9c785c9f4b532561176d73e825019ab7e4d73b13b58f929bb18922d3d85
                                • Opcode Fuzzy Hash: 7bc3b5266b6872b077ef3628055fdffea898a2e1afdc8be75eded2dcb04f5824
                                • Instruction Fuzzy Hash: 0F11DFB5C003498FCB20CF9AC544BDEFBF9AB88324F14845AD829A7710D379A545CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0059D1FC Relevance: .1, Instructions: 76COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672237560.000000000059D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0059D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_59d000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f07cb86c1926f0dfcfb9fbdf982b91c2bc4826c3376e3363f936dec4f21c8c8
                                • Instruction ID: 4f248c4cd3d43219184cd4092fa64f184b360a80e01247f90f4761bf1e4da369
                                • Opcode Fuzzy Hash: 3f07cb86c1926f0dfcfb9fbdf982b91c2bc4826c3376e3363f936dec4f21c8c8
                                • Instruction Fuzzy Hash: 0221CFBA504240EFDF05DF54D9C0B2ABF75FB88314F24C9A9E9090A256C33AD816DBB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 005AD01C Relevance: .1, Instructions: 72COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672317210.00000000005AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ad000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57d475045314061ac89df631acff5cc3fd715992b6033a0dfa3ddb132d039171
                                • Instruction ID: ed41a56bb9969c69d5662f3dde1e7891b19e2e51424f2dfa525b1c0457cd1491
                                • Opcode Fuzzy Hash: 57d475045314061ac89df631acff5cc3fd715992b6033a0dfa3ddb132d039171
                                • Instruction Fuzzy Hash: D62103B5504200DFCB14EF14D9C8B2ABF75FB85314F20C969D90A4B656D33AD807CA71
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 005AD1D4 Relevance: .1, Instructions: 72COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672317210.00000000005AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ad000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53fbb80e78b6fe67beadea9239a5f329991c93857b3c9a3fb97a92c37abad5f1
                                • Instruction ID: ab2e82e701eee13a224da9ba13d57217d452cbd92ddf4d3fbda1b4d5e3b5a6c8
                                • Opcode Fuzzy Hash: 53fbb80e78b6fe67beadea9239a5f329991c93857b3c9a3fb97a92c37abad5f1
                                • Instruction Fuzzy Hash: 5A21D0B9504200AFDB05EF14D9C0B2ABFB5FF85314F24C96DE90A4B692C73AD846CA71
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 005AD006 Relevance: .1, Instructions: 62COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672317210.00000000005AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ad000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 29c8b4635b4881c8cfd1be38ff2b2f72715f425a2c0545e1dde9cfe8532cbd11
                                • Instruction ID: 7fc0e9d72b19ec5b18c79483099e8bcfe1a604bdd24cd44ad7f58365b328fa21
                                • Opcode Fuzzy Hash: 29c8b4635b4881c8cfd1be38ff2b2f72715f425a2c0545e1dde9cfe8532cbd11
                                • Instruction Fuzzy Hash: 4E217C755093808FCB12DF24D994B15BF71FB46314F28C5EAD8498B6A7C33A980ACB62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0059D1F7 Relevance: .1, Instructions: 57COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672237560.000000000059D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0059D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_59d000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
                                • Instruction ID: 381b073fa7cf388f750e5c4e3ef78496494d53a93a4c0d12afc30933d3879de1
                                • Opcode Fuzzy Hash: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
                                • Instruction Fuzzy Hash: B4219D76504240DFDF16CF50D9C4B16BF72FB84314F24C5A9DD094A656C33AD86ACBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 005AD1CF Relevance: .1, Instructions: 53COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672317210.00000000005AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ad000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                • Instruction ID: 5f7ac2525ff8eca474b7059519b54f8af73e452335a9a0521e911356256c98a8
                                • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                • Instruction Fuzzy Hash: 9C11BE79504240DFCB11DF10D5C4B19BF71FF85314F24C6A9D84A4B666C33AD84ACB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0059D745 Relevance: .0, Instructions: 45COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672237560.000000000059D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0059D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_59d000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 692e55625b40d0ef41c7b0c558e632a6bdebce2533e2b046c32b2501d4d0ce1f
                                • Instruction ID: f07eec01cb2619d812d83dfbe82214b2d579b6c9d6aa850424213c3597e51646
                                • Opcode Fuzzy Hash: 692e55625b40d0ef41c7b0c558e632a6bdebce2533e2b046c32b2501d4d0ce1f
                                • Instruction Fuzzy Hash: 8601DB711043409AEB105FA5CDC4B66BFBCEF51364F18C95AED094B282D67D9840D6B1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0059D744 Relevance: .0, Instructions: 36COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1672237560.000000000059D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0059D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_59d000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53b2a9ed4b7f2a2827c49ebff2054a66a943dbfba947409bc13fe967903e8b57
                                • Instruction ID: 0dd0b34d0e8b75114f22b38d6bb15751b4071e7132506dbc1190c71413e02af3
                                • Opcode Fuzzy Hash: 53b2a9ed4b7f2a2827c49ebff2054a66a943dbfba947409bc13fe967903e8b57
                                • Instruction Fuzzy Hash: 82F062724043449AEB108F56D9C4B62FFACEB91734F18C45AED085A286C2799844CBB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Function 0061EFC4 Relevance: .3, Instructions: 264COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1673186353.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_610000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d951aae36be68e4d72e2b52a5cbadbd9d3e92e9ca65464fe524412cc8d796439
                                • Instruction ID: 1c05213c123e263c0bbc665b31587ef3c4b58891bb0a97fd37925527565e966d
                                • Opcode Fuzzy Hash: d951aae36be68e4d72e2b52a5cbadbd9d3e92e9ca65464fe524412cc8d796439
                                • Instruction Fuzzy Hash: 2EA13D32E002158FCF05DFA4C8545DEB7B3FF88301B19857AE906AB266DB71E956CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage:12%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:13
                                Total number of Limit Nodes:2
                                execution_graph 27626 2c70848 27627 2c7084e 27626->27627 27628 2c7091b 27627->27628 27630 2c71380 27627->27630 27632 2c71396 27630->27632 27631 2c71480 27631->27627 27632->27631 27634 2c77088 27632->27634 27635 2c77092 27634->27635 27636 2c770cf 27635->27636 27638 641e337 27635->27638 27636->27632 27639 641e2f3 GlobalMemoryStatusEx 27638->27639 27641 641e33e 27638->27641 27640 641e306 27639->27640 27640->27636 27641->27636

                                Executed Functions

                                Function 02C79BE8 Relevance: 3.0, Instructions: 3002COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b113a49e9402c33141fe544d35c5e9208efc9aca6a393bdf1968331429b31f16
                                • Instruction ID: 49d6af25623cebb3f4bc4da4eba4b0570f45387d3649f056853653c2e506e008
                                • Opcode Fuzzy Hash: b113a49e9402c33141fe544d35c5e9208efc9aca6a393bdf1968331429b31f16
                                • Instruction Fuzzy Hash: 4E63E731D10B1A8ADB11EF68C8846A9F7B1FF99300F55D79AE45877121EB70AAC4CF81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79BE0 Relevance: 2.7, Instructions: 2721COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc8feebc309e897b802343756821b1eedd5e7f2869ea34921843aa4ae70debb0
                                • Instruction ID: 9fcbd05daf346ceea380a40cae69cb39971e825ae4cb1fb6c95493d93358135d
                                • Opcode Fuzzy Hash: bc8feebc309e897b802343756821b1eedd5e7f2869ea34921843aa4ae70debb0
                                • Instruction Fuzzy Hash: CB53D631D10B1A8ADB11EF68C8846A9F7B1FF99300F51D79AE45877121EB70AAD4CF81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7CE80 Relevance: 2.3, Instructions: 2299COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6996070301328d7afb73461724984e6cebf5198675b3f16b23e8c6873fcf2194
                                • Instruction ID: 856282bdf3105775a67528eb39c8255c1a85a9c66be02f0c55cd9fbe88d0d1ec
                                • Opcode Fuzzy Hash: 6996070301328d7afb73461724984e6cebf5198675b3f16b23e8c6873fcf2194
                                • Instruction Fuzzy Hash: 75331F31D107198ECB11EF68C8806ADF7B1FF99300F15D79AE459A7225EB70AAC5CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79370 Relevance: .6, Instructions: 611COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cc7c9d83a14c96dfffa1c81c003a92d93be04468c46749202f1c1f2aab706d62
                                • Instruction ID: f9c598c8277509405128946b9ba60cfdcb2628a2666174787c1a62e361f08993
                                • Opcode Fuzzy Hash: cc7c9d83a14c96dfffa1c81c003a92d93be04468c46749202f1c1f2aab706d62
                                • Instruction Fuzzy Hash: 89226D75A002058FDB14DFA9D584BAEBBB2FF88310F248569E909EB395DB31DD41CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C74A98 Relevance: .3, Instructions: 266COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67289b7283736278a55dc8b99b9cead3e70182fdbb7b4ef2e239b9e4c2502fe1
                                • Instruction ID: e99bae597822b90354c694e66b701d39b18825607da63d0a3055afb3709763a9
                                • Opcode Fuzzy Hash: 67289b7283736278a55dc8b99b9cead3e70182fdbb7b4ef2e239b9e4c2502fe1
                                • Instruction Fuzzy Hash: 06B16D70E00609CFDB28CFA9C9817ADBBF2BF88354F148129D855E7294EB749985CF81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C73E80 Relevance: .2, Instructions: 238COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d900df500533724b88bbd9f4bc2cbaba6c5036092dbcff85ceaebc2d802dfded
                                • Instruction ID: 2cbbdbe99373709be67954d40e9c57c45eaafe810fff243a051419318dbbf339
                                • Opcode Fuzzy Hash: d900df500533724b88bbd9f4bc2cbaba6c5036092dbcff85ceaebc2d802dfded
                                • Instruction Fuzzy Hash: 96917C70E00209CFDF24DFA9C9857AEBBF2BF88354F148129E415A7294EB759945CF81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0641E337 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1437 641e337-641e33c 1438 641e2f3-641e304 GlobalMemoryStatusEx 1437->1438 1439 641e33e-641e36a 1437->1439 1441 641e306-641e30c 1438->1441 1442 641e30d-641e335 1438->1442 1443 641e36c-641e36f 1439->1443 1441->1442 1445 641e371-641e38d 1443->1445 1446 641e392-641e395 1443->1446 1445->1446 1448 641e397-641e3a5 1446->1448 1449 641e3aa-641e3ad 1446->1449 1448->1449 1450 641e3d5-641e3d8 1449->1450 1451 641e3af-641e3d0 1449->1451 1454 641e427-641e42a 1450->1454 1455 641e3da-641e422 1450->1455 1451->1450 1458 641e42c-641e433 1454->1458 1459 641e43e-641e441 1454->1459 1455->1454 1460 641e787-641e7c2 1458->1460 1461 641e439 1458->1461 1462 641e443-641e454 1459->1462 1463 641e459-641e45c 1459->1463 1489 641e7d4 1460->1489 1490 641e7c4-641e7d2 1460->1490 1461->1459 1462->1463 1465 641e46a-641e46d 1463->1465 1466 641e45e-641e465 1463->1466 1469 641e4c9-641e4cc 1465->1469 1470 641e46f-641e4c4 1465->1470 1466->1465 1473 641e4e4-641e4e7 1469->1473 1474 641e4ce-641e4df 1469->1474 1470->1469 1475 641e4f1-641e4f4 1473->1475 1476 641e4e9-641e4ee 1473->1476 1474->1473 1481 641e514-641e517 1475->1481 1482 641e4f6-641e50f call 6411b4c 1475->1482 1476->1475 1486 641e525-641e528 1481->1486 1487 641e519-641e520 1481->1487 1482->1481 1491 641e534-641e537 1486->1491 1492 641e52a-641e531 1486->1492 1487->1486 1502 641e7dc-641e7f1 1489->1502 1490->1502 1496 641e539-641e556 1491->1496 1497 641e55b-641e55e 1491->1497 1496->1497 1498 641e571-641e574 1497->1498 1499 641e560-641e56a 1497->1499 1504 641e576-641e597 1498->1504 1505 641e59c-641e59f 1498->1505 1499->1504 1515 641e56c 1499->1515 1522 641e803 1502->1522 1523 641e7f3-641e801 1502->1523 1504->1505 1508 641e5a1-641e5a5 1505->1508 1509 641e5b0-641e5b3 1505->1509 1508->1460 1511 641e5ab 1508->1511 1513 641e5d1-641e5d4 1509->1513 1514 641e5b5-641e5c6 1509->1514 1511->1509 1520 641e5f0-641e5f3 1513->1520 1521 641e5d6-641e5eb 1513->1521 1514->1466 1519 641e5cc 1514->1519 1515->1498 1519->1513 1524 641e5f5-641e62a 1520->1524 1525 641e62f-641e632 1520->1525 1521->1520 1532 641e80b-641e84b 1522->1532 1523->1532 1524->1525 1528 641e634-641e64a 1525->1528 1529 641e64f-641e652 1525->1529 1528->1529 1529->1508 1530 641e658-641e65b 1529->1530 1533 641e672-641e675 1530->1533 1534 641e65d-641e66d 1530->1534 1555 641e853-641e886 1532->1555 1537 641e692-641e694 1533->1537 1538 641e677-641e68d 1533->1538 1534->1533 1542 641e696 1537->1542 1543 641e69b-641e69e 1537->1543 1538->1537 1542->1543 1543->1443 1544 641e6a4-641e6b3 1543->1544 1550 641e6b9-641e769 call 6411b4c 1544->1550 1551 641e76f-641e784 1544->1551 1550->1551 1551->1460 1564 641e893 1555->1564 1565 641e888-641e88d 1555->1565 1567 641e894 1564->1567 1565->1564 1567->1567
                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(00000000), ref: 0641E2F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2891634079.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6410000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID: Tefq
                                • API String ID: 1890195054-1066582953
                                • Opcode ID: eef26668da16ae193a237b6daf8201a6c0ce1d09ed9253862b7fb2d46e3e181f
                                • Instruction ID: 43e65b20c55d5543d25e9e9603a6e0e44f6172e32be0919f73c2388c7a4766b1
                                • Opcode Fuzzy Hash: eef26668da16ae193a237b6daf8201a6c0ce1d09ed9253862b7fb2d46e3e181f
                                • Instruction Fuzzy Hash: A661A439E10218DFDB15DBA8C590B9EB7B1EB89310F64852AE809EF355CB35DD42CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C76ED2 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3034 2c76ed2-2c76f3a call 2c76c38 3043 2c76f56-2c76f84 3034->3043 3044 2c76f3c-2c76f55 call 2c76384 3034->3044 3049 2c76f86-2c76f89 3043->3049 3051 2c76fbc-2c76fbf 3049->3051 3052 2c76f8b-2c76f9f 3049->3052 3053 2c76fc1 call 2c77900 3051->3053 3054 2c76fcf-2c76fd2 3051->3054 3060 2c76fa5 3052->3060 3061 2c76fa1-2c76fa3 3052->3061 3062 2c76fc7-2c76fca 3053->3062 3056 2c76fd4-2c77009 3054->3056 3057 2c7700e-2c77011 3054->3057 3056->3057 3058 2c77025-2c77027 3057->3058 3059 2c77013-2c7701a 3057->3059 3065 2c7702e-2c77031 3058->3065 3066 2c77029 3058->3066 3063 2c770e3-2c770e9 3059->3063 3064 2c77020 3059->3064 3067 2c76fa8-2c76fb7 3060->3067 3061->3067 3062->3054 3064->3058 3065->3049 3068 2c77037-2c77046 3065->3068 3066->3065 3067->3051 3071 2c77070-2c77086 3068->3071 3072 2c77048-2c7704b 3068->3072 3071->3063 3074 2c77053-2c7706e 3072->3074 3074->3071 3074->3072
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID: LRfq$LRfq
                                • API String ID: 0-2141892265
                                • Opcode ID: d34bf735bd6c86aafcef53286cb6a080337bd397a2221c6b0cd13ff2333d1e5c
                                • Instruction ID: 18e71f82d8e833f397d80aa4ee01ab937873ef719b3721584c4228eb4177d8e4
                                • Opcode Fuzzy Hash: d34bf735bd6c86aafcef53286cb6a080337bd397a2221c6b0cd13ff2333d1e5c
                                • Instruction Fuzzy Hash: 0241B271E002099FDB15DBB9C55079EBBB6FF85300F21846AE405EB390EBB59D45CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0641D368 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3710 641d368-641e2ec 3713 641e2f3-641e304 GlobalMemoryStatusEx 3710->3713 3714 641e306-641e30c 3713->3714 3715 641e30d-641e335 3713->3715 3714->3715
                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(00000000), ref: 0641E2F7
                                Memory Dump Source
                                • Source File: 00000003.00000002.2891634079.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6410000_DHL_734825514200.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: 8c3b296280ca09468ad101bd9a4f675fe700b02e6beba035f6665b31856596ef
                                • Instruction ID: c397d7ba18cd98376773d32320a8cb5dcd8b60bc476b9a849dd82269efea8683
                                • Opcode Fuzzy Hash: 8c3b296280ca09468ad101bd9a4f675fe700b02e6beba035f6665b31856596ef
                                • Instruction Fuzzy Hash: EA1103B5C0065A9BCB10CF9AD544BDEFBF4AF48320F14856AE918A7340D378A944CFE5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7F3B5 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID: PHfq
                                • API String ID: 0-2154135885
                                • Opcode ID: 08dd04ba10aa218c613302570e67df858110b2393b85134589017f48d96c7182
                                • Instruction ID: 6284d40b7422a36f717ccaa7711f2c13ae55f3a221f61ec2a2b790d0e9d1a449
                                • Opcode Fuzzy Hash: 08dd04ba10aa218c613302570e67df858110b2393b85134589017f48d96c7182
                                • Instruction Fuzzy Hash: 4731CD31B002068BDB59AB74D5947AE7BB6BF89240F14497CD406DB399EF35CC42CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7F3C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID: PHfq
                                • API String ID: 0-2154135885
                                • Opcode ID: f02c6397f79f742b0ebab25fccaf65271a0fba0e51b9b29d63d13f4cd4ed5a7d
                                • Instruction ID: 741293bb275387eb4f2a7a6f424a58ce831de30b29d2631231f06a937fbfb06a
                                • Opcode Fuzzy Hash: f02c6397f79f742b0ebab25fccaf65271a0fba0e51b9b29d63d13f4cd4ed5a7d
                                • Instruction Fuzzy Hash: A531BE30B002068BDB19AA74D5947AF7BA6BF89240F24497CE406DB395EF31DC41CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C76F70 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID: LRfq
                                • API String ID: 0-2333822924
                                • Opcode ID: 65103c5df148981074268f490f80cfe8d24989b7b863ee19774f34ca9d887716
                                • Instruction ID: c62d44a4f6b1855704586cade8800c88e49b797afe835a6b7d464a6aa9fc8df4
                                • Opcode Fuzzy Hash: 65103c5df148981074268f490f80cfe8d24989b7b863ee19774f34ca9d887716
                                • Instruction Fuzzy Hash: CC317E31E1020A9BDB14DFA5C5507AEF7B6FF85310F208569E805FB350EBB1A949CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C76B87 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID: LRfq
                                • API String ID: 0-2333822924
                                • Opcode ID: 8bfb028188695bb68bf485395e23d6ced19ef8a1ccf9df806161c0119c1c83cc
                                • Instruction ID: e6a3a857a31c1d007b36892f110379547b34aab79ef0c21eae9643474453de32
                                • Opcode Fuzzy Hash: 8bfb028188695bb68bf485395e23d6ced19ef8a1ccf9df806161c0119c1c83cc
                                • Instruction Fuzzy Hash: 3621D1723002019FC714EB78D4907DE7BA6EF8A350F51846AE145DB798EF34DC468791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C77900 Relevance: .6, Instructions: 554COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04870878e9633addb4eca062211fe9704abf527441c1b87ac068309c187d4e8e
                                • Instruction ID: 9e323c7e453554e246e96da70bbea684eb058c45e9012824f34c7b50a7ee3fe6
                                • Opcode Fuzzy Hash: 04870878e9633addb4eca062211fe9704abf527441c1b87ac068309c187d4e8e
                                • Instruction Fuzzy Hash: 6A127A717002068BCB19AB78E494A697BA7FBC9354F605A2DE006CF354CF71ED86DB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C74A8C Relevance: .3, Instructions: 258COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5dead323ad8c89f8e599d228cee2bbc5a1f8245416256b950a7bf3402211384f
                                • Instruction ID: f0444e12bb6d1f260a7fc9643a0a4a0f5fa663c9cef61928176c9503241fe69d
                                • Opcode Fuzzy Hash: 5dead323ad8c89f8e599d228cee2bbc5a1f8245416256b950a7bf3402211384f
                                • Instruction Fuzzy Hash: 5FA16CB0E00609CFDB24CFA9C98579DBBF2BF88354F148129D854E7294EB749985CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7935C Relevance: .2, Instructions: 239COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 32ec0f48285d31b957f6ca25b0189e2934073ebb69f1df735c6fc3dbe4fb12c1
                                • Instruction ID: 5f8fc29958bdc205df463735a79d1994e45f8272b4169fb444ade7b599dafea1
                                • Opcode Fuzzy Hash: 32ec0f48285d31b957f6ca25b0189e2934073ebb69f1df735c6fc3dbe4fb12c1
                                • Instruction Fuzzy Hash: 24915E78A002148FCB54DFA9D584AADBBF2FF88310F148569E906E73A5DB31ED42CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C73E74 Relevance: .2, Instructions: 235COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fbb311a43e0a3912f9406e7e1c976e2b1613f3df69a38ca99ebf663782e3e979
                                • Instruction ID: 70a66a79413c2bb72e5334300699f25f3d6bf7c19ff142fd1dec239175029d72
                                • Opcode Fuzzy Hash: fbb311a43e0a3912f9406e7e1c976e2b1613f3df69a38ca99ebf663782e3e979
                                • Instruction Fuzzy Hash: EB916A70E00209CFDF24DFA9C98579EBBF2AF88354F148129E415A7294EB759985CF81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C74810 Relevance: .2, Instructions: 180COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 43b835cf6b609631fe07053ef93aa8a237533da7a65635f15fae284fa58e5e4b
                                • Instruction ID: 01adaae0d88992c1f439e15ed2307797f8710974870686458affca665900e394
                                • Opcode Fuzzy Hash: 43b835cf6b609631fe07053ef93aa8a237533da7a65635f15fae284fa58e5e4b
                                • Instruction Fuzzy Hash: 1D715CB0E00249CFDF28CFA9C98579EBBF6BF88314F148129E415AB254EB749941CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C74806 Relevance: .2, Instructions: 178COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c41d7cda7ee1eb5f00d620120dbe40242cc7829aa710928a650dca9f3691f987
                                • Instruction ID: b39cdfaef427cfebd602dd8b06cd77031acf366cb0f7c3acda914bb5c47ed32f
                                • Opcode Fuzzy Hash: c41d7cda7ee1eb5f00d620120dbe40242cc7829aa710928a650dca9f3691f987
                                • Instruction Fuzzy Hash: 3A715BB0E00249CFDB24CFA9C985B9EBBF6BF88314F148129E415AB254EB749941CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C76CD6 Relevance: .1, Instructions: 133COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cdd741888f93690f6c43d69514eb8b813acc9cb48e002891c79aaedd121ae8eb
                                • Instruction ID: 882e0065b1e5518b3421495557162a9a70650e00143fc802794d07f6fee202cb
                                • Opcode Fuzzy Hash: cdd741888f93690f6c43d69514eb8b813acc9cb48e002891c79aaedd121ae8eb
                                • Instruction Fuzzy Hash: 9E5125B0D106588FDB14CFAAC885B9DBBB5FF88314F24812AE815BB350D774A944CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C76CE0 Relevance: .1, Instructions: 132COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ddd175210df4703303efa34fd9b2fe8f1197d2d02aa38e1358ab3ecd19543150
                                • Instruction ID: 06ae5e472d445ce8f59339ddeb6ac779933ec2ef882698c6feffb62f04f0d1ec
                                • Opcode Fuzzy Hash: ddd175210df4703303efa34fd9b2fe8f1197d2d02aa38e1358ab3ecd19543150
                                • Instruction Fuzzy Hash: 855124B0D106588FDB14CFAAC884B9DBBB5FF88314F24812AE815AB354D7B4A944CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C796D8 Relevance: .1, Instructions: 122COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 96b9f2e177acc3840695e32cb30278ce9c7e3ca6c7cdf6dfaa47eb606dc71b13
                                • Instruction ID: 47d206c7ea3724eba9453b150f502cf4d1d5b23c4d392089a6732a62dbae9a23
                                • Opcode Fuzzy Hash: 96b9f2e177acc3840695e32cb30278ce9c7e3ca6c7cdf6dfaa47eb606dc71b13
                                • Instruction Fuzzy Hash: 48416F34F002068BDF249E69D59076EB3B6FBC6210F604929D41ADB395DB34DE418B81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71128 Relevance: .1, Instructions: 118COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a6bd58b86dccbaf4d6895bf57c6ee865e60917ed050552416ecaa0b111178630
                                • Instruction ID: 57d42b766e76ec71992fda488ce2f6f542ef31a53c3e3ac1e5b0769f966065e9
                                • Opcode Fuzzy Hash: a6bd58b86dccbaf4d6895bf57c6ee865e60917ed050552416ecaa0b111178630
                                • Instruction Fuzzy Hash: 125131BB6052468FC719FB28F9C0A593FF5FB92304702A96DE1445B33EEA306A45CB41
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7187A Relevance: .1, Instructions: 116COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9fa4678462d82dc14e53b52f1c0306889b6e43bb840cd006adf555b719c2767b
                                • Instruction ID: 374d7da9bd37dfaa96280e148f029bd76acd7dc2a091cc5ef539d2b2069b54c6
                                • Opcode Fuzzy Hash: 9fa4678462d82dc14e53b52f1c0306889b6e43bb840cd006adf555b719c2767b
                                • Instruction Fuzzy Hash: 8841E035B00205CFDF24EA78D9447AD77F6EB88344F180469D50AEB394EB719E42CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71138 Relevance: .1, Instructions: 112COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 55c46d60548bfb1fa01b471e8bdf7a571446e90be409ed63ec07d228a94e40d1
                                • Instruction ID: f36cf930e589563e48ef2cf1cdc0b25bec352becf3ede8ad3984e806ed106b4e
                                • Opcode Fuzzy Hash: 55c46d60548bfb1fa01b471e8bdf7a571446e90be409ed63ec07d228a94e40d1
                                • Instruction Fuzzy Hash: AE5110BA6052468FC719FB28F9C0A593FF5FBD2304702A96DE1445B33DEA306A45CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7F278 Relevance: .1, Instructions: 94COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bced2d3c11f409fa876771906480d7400326a4b77ff7a65b328670f0c7ba927f
                                • Instruction ID: e2052f4ba254155261efd1f7821a7bcfada2755f4c126b9f3c7890ca0fabd8da
                                • Opcode Fuzzy Hash: bced2d3c11f409fa876771906480d7400326a4b77ff7a65b328670f0c7ba927f
                                • Instruction Fuzzy Hash: A3316B79E102059BCB15CFA5D49469EBBB2FF88300F10C92AE81AEB754DB75ED42CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C726DC Relevance: .1, Instructions: 94COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 638c50cfff21286cc4cb5bbde8b18db83a44964710262ee75aad2653b57d4a02
                                • Instruction ID: 5544e361d93eb91395121a0d3b7d6ac25b30140bdd15bdcfd10da889c66de5cd
                                • Opcode Fuzzy Hash: 638c50cfff21286cc4cb5bbde8b18db83a44964710262ee75aad2653b57d4a02
                                • Instruction Fuzzy Hash: 6441FCB1D00349DFDB10CFA9C984ADEBFF5EF48314F20842AE819AB254DB75A945CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C7F288 Relevance: .1, Instructions: 91COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 516b0f8cdd4ca40b51c0cba15a28a350a41f797df978258f956fd887abf90797
                                • Instruction ID: 5c423cf1bd68c6d25ef948008df7f53927893d89263c0a16dcd2006ab420c39f
                                • Opcode Fuzzy Hash: 516b0f8cdd4ca40b51c0cba15a28a350a41f797df978258f956fd887abf90797
                                • Instruction Fuzzy Hash: B3314B34E106059BCB15CFA5D49469EBBB2FFC9300F10C529E81AEB754DB75AD42CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C726E8 Relevance: .1, Instructions: 90COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3137a6fccba2ce61985cfad0726609d6c4403a950383a3f43d80f0900e1a0d79
                                • Instruction ID: 230f0775b08bc398154674188e37bbdfd925dd3ebd7ff37dea9eeb5795ef521e
                                • Opcode Fuzzy Hash: 3137a6fccba2ce61985cfad0726609d6c4403a950383a3f43d80f0900e1a0d79
                                • Instruction Fuzzy Hash: F541ECB1D00349DFDB10CFA9C980A9EBFF5FF48314F20842AE819AB254DB75A945CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79248 Relevance: .1, Instructions: 81COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dd7e3a10dccd7e82623483cc6cec5ab7c5a156b37e30a439e2fdeecb27313792
                                • Instruction ID: eada3bc3ad6b1d5e4572ed73bce3cd02c2317c8b9f98246ef04316e920d1ea16
                                • Opcode Fuzzy Hash: dd7e3a10dccd7e82623483cc6cec5ab7c5a156b37e30a439e2fdeecb27313792
                                • Instruction Fuzzy Hash: D9315C31E0020A9BDB19DFA4D59069EF7B2FFC5300F10862AE805AB354DB719986CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79258 Relevance: .1, Instructions: 78COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 65450d9a150749f4bdeacba8ea3537008db3ac6bbf4a51110f0f602d51424629
                                • Instruction ID: 6a41ec0aa26ef045c1001a03e8d7cd0f0a75068cd0d146bd57da4602819afa1d
                                • Opcode Fuzzy Hash: 65450d9a150749f4bdeacba8ea3537008db3ac6bbf4a51110f0f602d51424629
                                • Instruction Fuzzy Hash: BE216031E0020A9BDB05DFA5D59079EF7B2FFC5300F10C629E805AB354DB719986CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79148 Relevance: .1, Instructions: 75COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09bfebc9126202c0a7894fd0fde49b97db825d3a021ee7e09aab6df2995a882a
                                • Instruction ID: c1ec820845c4957f42d5558b0e992eac63d35d4bbd014c7dafd28dd126aee67a
                                • Opcode Fuzzy Hash: 09bfebc9126202c0a7894fd0fde49b97db825d3a021ee7e09aab6df2995a882a
                                • Instruction Fuzzy Hash: B8218031E0060A9BDB09DFA4C854ADEF7B6EF89310F10C52AE815FB350EB709951CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C716A2 Relevance: .1, Instructions: 74COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8cd247571cf9bb6a85333a424c3a63198e2c37840a85f622bbf3caaa68cca0cd
                                • Instruction ID: f49b97de67772b0187a864783f709115e186319d30471eda7cc8adf68762c399
                                • Opcode Fuzzy Hash: 8cd247571cf9bb6a85333a424c3a63198e2c37840a85f622bbf3caaa68cca0cd
                                • Instruction Fuzzy Hash: 7721A1796101014FDF25E738E9C472A3B69EBC1314F195E29E00ACB369EF70DE858B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0138D01C Relevance: .1, Instructions: 72COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2887982689.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_138d000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 433e6ae64f3bc053b3b38c56bcc6e01d62a3d6a6a410e87d48a4d21d03577d67
                                • Instruction ID: a264b4921a90bff064adfcb4305449da0c9448e475abd7d75f92fde7583ecf72
                                • Opcode Fuzzy Hash: 433e6ae64f3bc053b3b38c56bcc6e01d62a3d6a6a410e87d48a4d21d03577d67
                                • Instruction Fuzzy Hash: 0C2122B1604304EFDB15EF98D9C0B26BB65FB84358F20C96DE90A4B286C33AD407CA61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79A20 Relevance: .1, Instructions: 71COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3d5ce66eec5fd93613019404f60f30dd8998be66204b1db30e9bb803d54b319f
                                • Instruction ID: 759b6c003ea9170793e16c71c4f362f4b102189313a253da873262a141936bf7
                                • Opcode Fuzzy Hash: 3d5ce66eec5fd93613019404f60f30dd8998be66204b1db30e9bb803d54b319f
                                • Instruction Fuzzy Hash: 15219F71B401158FEB04DB69C955BAE7BF6FF88720F148065E505EB3A0DB719D00CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79158 Relevance: .1, Instructions: 70COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5041ef033b82b5b84415638a99f0d6f0bd4313e3f01659b6877d97a8fdd501a5
                                • Instruction ID: 4514b97bcfc2fb81fffa4497a5dabb8c4ae74f7a688b1b66c6196409d56b7d1e
                                • Opcode Fuzzy Hash: 5041ef033b82b5b84415638a99f0d6f0bd4313e3f01659b6877d97a8fdd501a5
                                • Instruction Fuzzy Hash: 6E216F30E0060A9BDB19DFA4C954A9EF7B6AF89310F10C52AE815FB350EB70A941CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71888 Relevance: .1, Instructions: 70COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 642f7fd9f50e0c7c83b2c81cb6e90161173b4686b66c9b4dc08e237fe25f4243
                                • Instruction ID: 10e1d3e981539e911aefa7dbf46ef881c49aa376741c8859008695d854c351c3
                                • Opcode Fuzzy Hash: 642f7fd9f50e0c7c83b2c81cb6e90161173b4686b66c9b4dc08e237fe25f4243
                                • Instruction Fuzzy Hash: 46213934B00205CFDB54EBB8C5547AE77F6AF89345F240468D50AEB394DBB28E42DBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C716B0 Relevance: .1, Instructions: 69COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0862f350c8952b0475d50ff971626dd942b209d38a40ee4191cdd2d36804fc21
                                • Instruction ID: abf5ea7fe1eacaa4c23c7404865c6e1d1441856d12e840b3afc44a6d3d754dc9
                                • Opcode Fuzzy Hash: 0862f350c8952b0475d50ff971626dd942b209d38a40ee4191cdd2d36804fc21
                                • Instruction Fuzzy Hash: 0321A2796101014FDF25E738E9C4B693B69E7C0314F155A25E00ACB369EF74DA858B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C74F89 Relevance: .1, Instructions: 69COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ba9dcdd8be63fb6750f85597334797673307348826d3af727ada6995c3cb38fa
                                • Instruction ID: d0879303514bb88b77f2168010fbf1770e03d10a21180d2cf8f587052728ca35
                                • Opcode Fuzzy Hash: ba9dcdd8be63fb6750f85597334797673307348826d3af727ada6995c3cb38fa
                                • Instruction Fuzzy Hash: 19212675A00219CFCB14EB78D558BAD7BF1EF8D345B1448A8E406EB3A0DB769D01CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71380 Relevance: .1, Instructions: 68COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 61f08316ffa4d404e4a678ac08e91d9238740ad47dfcc08eb49d40b0bafb1a26
                                • Instruction ID: 9967d68602db5cb0e30b79c3e7bfccc508a5e5dd3e11accdd584312e3299be99
                                • Opcode Fuzzy Hash: 61f08316ffa4d404e4a678ac08e91d9238740ad47dfcc08eb49d40b0bafb1a26
                                • Instruction Fuzzy Hash: 4621BE75A102018BDF356674E4D932D3F65E7C2316F59497AF40ECB384DFA8DA848B42
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C74F98 Relevance: .1, Instructions: 68COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2de40d666675dfaa557b826c0f5ae01e8cf3f0ed2fc2615461af2f4489c7a65
                                • Instruction ID: 70b84cbd729c984e77f257b6078565ae67da3893b918558d20199487b3cacc90
                                • Opcode Fuzzy Hash: d2de40d666675dfaa557b826c0f5ae01e8cf3f0ed2fc2615461af2f4489c7a65
                                • Instruction Fuzzy Hash: 7321E775A00219CFDB54EB78C558BAD77F1EF8D754B104868E406EB3A4DB769D00CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C70848 Relevance: .1, Instructions: 62COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ad6da0317d4afb9c7825f996aebbb57720616c4da7cd1660bafa3c6b724962b8
                                • Instruction ID: 3e00c10f14e0ed33b3a2daa9a0eae3172791498c62f82964800f4479c5c1971b
                                • Opcode Fuzzy Hash: ad6da0317d4afb9c7825f996aebbb57720616c4da7cd1660bafa3c6b724962b8
                                • Instruction Fuzzy Hash: E2119171B002088BEF54AA79D49477A3755EFC5314F20897AE416CF341DF21DD819BD2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C70838 Relevance: .1, Instructions: 60COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3485db9ef2ff1df6cbaaf4677d0b375cd5bd0bf8cb6b986b2cd7335be371994f
                                • Instruction ID: 01f783f45ec357b3250ad1e5ab5191ada9ab901b6e50a11f84e84bc8087b8a2e
                                • Opcode Fuzzy Hash: 3485db9ef2ff1df6cbaaf4677d0b375cd5bd0bf8cb6b986b2cd7335be371994f
                                • Instruction Fuzzy Hash: BD11C671B04204CFEF6566B8E45137A3765EFC1354F11897BD456CF281EB24CA818BD2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71488 Relevance: .1, Instructions: 57COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28f2c3a787f169a07753e5a40ee8a8abdcee734c0f8878224270fbbfd0124cc3
                                • Instruction ID: 0746a6b654fa1147c13f6edbd890bf92b1b4eb5786204f385f4574bfab528e6f
                                • Opcode Fuzzy Hash: 28f2c3a787f169a07753e5a40ee8a8abdcee734c0f8878224270fbbfd0124cc3
                                • Instruction Fuzzy Hash: BB115271E002159BCB25EFB594502ADBAF6EB48260B184479D809E7301E776CA418BE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C717C2 Relevance: .1, Instructions: 55COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7172407a9884c38657b81ba4ae8dea3d66c4bf41de116015707ac39487fe0a0
                                • Instruction ID: fa76190ac9baa7eedfdc41b551175412a4c2bceaae1e19659d557ae5f0054347
                                • Opcode Fuzzy Hash: e7172407a9884c38657b81ba4ae8dea3d66c4bf41de116015707ac39487fe0a0
                                • Instruction Fuzzy Hash: 6611A1BAF002118FCB11AB75A94975EBFF9EB88250F150929EA09D7344EA349A118B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 0138D017 Relevance: .1, Instructions: 53COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2887982689.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_138d000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                • Instruction ID: 620bb0d7ca82ab900d76414f09f704b7536825b650df3438e090492328706812
                                • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                • Instruction Fuzzy Hash: 8E11BBB5504380CFDB12DF58D5C4B15BBA2FB84318F24C6AAD8494B696C33AD44BCBA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71498 Relevance: .1, Instructions: 53COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 768471571836afea497b90a370840a7d1782f97df1082d07d0c477bd4bb12238
                                • Instruction ID: 310a5a8f31ccc494bbc36a603588f8f401f279386ecd5e526c5b8ced89f02615
                                • Opcode Fuzzy Hash: 768471571836afea497b90a370840a7d1782f97df1082d07d0c477bd4bb12238
                                • Instruction Fuzzy Hash: 26014031B002149FCB65EFB984502AEBBF6EF88260B18047AD809E7301E776C941CBE5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C79888 Relevance: .0, Instructions: 47COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec7de65cb48c8d1163a7cdb5825c7575dc1162ada64a376fd5d142075050a3d1
                                • Instruction ID: 4c30624d45e65ed3d8af958ddcdea60425d142ae5cff578ba3ad81e96ee1c2bd
                                • Opcode Fuzzy Hash: ec7de65cb48c8d1163a7cdb5825c7575dc1162ada64a376fd5d142075050a3d1
                                • Instruction Fuzzy Hash: 0D018871A002048BDB14DF99D98478EBB75FFC4310F54C664D84C6F299EB70AE45CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C780E8 Relevance: .0, Instructions: 36COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3bbfc8390b09cdfc26d058c3a9408967502779011bbea49d15adc648bd1b0cb4
                                • Instruction ID: 52cc8be5fb5ae2d4674506407ce503b3004e0a89110132064a01485be408bc42
                                • Opcode Fuzzy Hash: 3bbfc8390b09cdfc26d058c3a9408967502779011bbea49d15adc648bd1b0cb4
                                • Instruction Fuzzy Hash: AA01A2B050024A9FCB06E7A4F9D0A9D7B71EF81344B515B98D0115B3A9DE315A85DB82
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C71524 Relevance: .0, Instructions: 36COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 573d8c8a733739e798f8cf4aa6653a6fa4d35cbed37afd8113c0ff0f81505192
                                • Instruction ID: d503edc729f196153167699c1da5a82f564110be7d36eae278daaa24032d5bb9
                                • Opcode Fuzzy Hash: 573d8c8a733739e798f8cf4aa6653a6fa4d35cbed37afd8113c0ff0f81505192
                                • Instruction Fuzzy Hash: 4DF02437A04150CFDB229FA888902ACBFB1EE98261B1D40EBD80ADB201D376D942DB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C77088 Relevance: .0, Instructions: 34COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a23e76140bca76b1647a9a6fa6f879079f9ded4b5c682b7cd7338b632a574c4
                                • Instruction ID: c7ad2c7f479a953d4ac0c5e68c598f8a9d27c4458384f47926298f7520075f87
                                • Opcode Fuzzy Hash: 8a23e76140bca76b1647a9a6fa6f879079f9ded4b5c682b7cd7338b632a574c4
                                • Instruction Fuzzy Hash: 73F0C939B001048FC704DB64D5A9B6D7BB2EF88715F514068E5069B3A4DF31AD42CB40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Function 02C780F8 Relevance: .0, Instructions: 33COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000003.00000002.2888192162.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_2c70000_DHL_734825514200.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 038846480a2985d65c8120787b0576433733b3cb5ac8f5af39c8a4d9d43cc34d
                                • Instruction ID: aeec09bbc53ce4e49be51244cec44f2b5bbcee26f27ccfeab3705967c45acce5
                                • Opcode Fuzzy Hash: 038846480a2985d65c8120787b0576433733b3cb5ac8f5af39c8a4d9d43cc34d
                                • Instruction Fuzzy Hash: FBF06270A00209EFCB45FBF8F9D099D7BB1EB80300F505668D004AB368EE312F859B81
                                Uniqueness

                                Uniqueness Score: -1.00%