
Windows Analysis Report
DHL_VTER000105453.exe

Overview

General Information

Sample name: DHL_VTER000105453.exe
Analysis ID: 1436301
MD5: 7dec2c3596f3081f16fb71af0b1340ef
SHA1: 2f95bb30d3d11e88713b66fe1c55113e06890656
SHA256: 0144ad3c79e25335ba0bb88e4c47c497215af9d44f0dc9f8a550bf71d579ca07
Tags: AgentTesla, DHL, exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DHL_VTER000105453.exe (PID: 3564 cmdline: "C:\Users\user\Desktop\DHL_VTER000105453.exe" MD5: 7DEC2C3596F3081F16FB71AF0B1340EF)
    • DHL_VTER000105453.exe (PID: 5060 cmdline: "C:\Users\user\Desktop\DHL_VTER000105453.exe" MD5: 7DEC2C3596F3081F16FB71AF0B1340EF)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "nl9.nlkoddos.com", "Username": "99@jolnsmad.site", "Password": "Myname321@"}
Source | Rule | Description | Author | Strings
00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.2455637570.0000000002C16000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1233395937.0000000004F70000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(5 of 11 entries shown)
Source | Rule | Description | Author | Strings
0.2.DHL_VTER000105453.exe.4f70000.9.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.DHL_VTER000105453.exe.24f8df0.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.DHL_VTER000105453.exe.24f8df0.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.DHL_VTER000105453.exe.24e8154.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(5 of 23 entries shown)

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 89.249.49.141, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\DHL_VTER000105453.exe, Initiated: true, ProcessId: 5060, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49708

No Snort rule has matched


AV Detection

Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nl9.nlkoddos.com", "Username": "99@jolnsmad.site", "Password": "Myname321@"}
Source: DHL_VTER000105453.exe | ReversingLabs: Detection: 65%
Source: DHL_VTER000105453.exe | Virustotal: Detection: 44%
Source: DHL_VTER000105453.exe | Joe Sandbox ML: detected
Source: DHL_VTER000105453.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: DHL_VTER000105453.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WIgI.pdbSHA25666 source: DHL_VTER000105453.exe
Source: Binary string: WIgI.pdb source: DHL_VTER000105453.exe

Networking

Source: Yara match | File source: 3.2.DHL_VTER000105453.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 89.249.49.141:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 89.249.49.141
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: IPCTRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 89.249.49.141:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: nl9.nlkoddos.com
Source: DHL_VTER000105453.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: DHL_VTER000105453.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nl9.nlkoddos.com
Source: DHL_VTER000105453.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.00000000062BA000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.00000000062BA000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_VTER000105453.exe | String found in binary or memory: http://tempuri.org/DataSeta.xsd)Microsoft
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: DHL_VTER000105453.exe, 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: DHL_VTER000105453.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, 3DlgK9re6m.cs | .Net Code: GpVHF3
Source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, 3DlgK9re6m.cs | .Net Code: GpVHF3
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069C5248 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,069C5890,00000000,00000000
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\DHL_VTER000105453.exe
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 3.2.DHL_VTER000105453.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_VTER000105453.exe.3773728.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_022DD424
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_044E3CE0
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_044E00F0
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_04A67278
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_04A60040
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_04A67268
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_06A6C1E0
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_06A60007
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_06A6A878
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_06A60040
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 0_2_06A66A00
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_010641F0
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_01064AC0
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_01063EA8
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069CA588
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069C0032
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069C0040
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069E079C
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069E6778
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069E8CB8
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069E93F3
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069E3680
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069EADB8
Source: DHL_VTER000105453.exe | Static PE information: invalid certificate
Source: DHL_VTER000105453.exe, 00000000.00000002.1233225897.0000000004F30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dllD vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000000.00000002.1228882170.000000000252A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed213acd4-fb3f-466d-9fca-6bbad3fb6fd7.exe4 vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed213acd4-fb3f-466d-9fca-6bbad3fb6fd7.exe4 vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000000.00000002.1227850824.000000000061E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000000.00000002.1228882170.0000000002491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dllD vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000000.00000002.1233774134.0000000006C90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dll vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000003.00000002.2451244129.00000000009C9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe, 00000003.00000002.2450708050.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed213acd4-fb3f-466d-9fca-6bbad3fb6fd7.exe4 vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe | Binary or memory string: OriginalFilenameWIgI.exeX vs DHL_VTER000105453.exe
Source: DHL_VTER000105453.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.DHL_VTER000105453.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_VTER000105453.exe.3773728.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DHL_VTER000105453.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, slKb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, mAKJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, xQRSe0Fg.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, n3rhMa.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, MQzE4FWn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, nSmgRyX5a1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, 6IMLmJtk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, 6IMLmJtk.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, EivdxQBqRrY0F7a36q.cs | Security API names: _0020.SetAccessControl
Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, EivdxQBqRrY0F7a36q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, EivdxQBqRrY0F7a36q.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, odH7uxwkgIAlQoNTtV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_VTER000105453.exe.24e8154.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_VTER000105453.exe.24f8df0.5.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_VTER000105453.exe.log
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Mutant created: NULL
Source: DHL_VTER000105453.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHL_VTER000105453.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_VTER000105453.exe | ReversingLabs: Detection: 65%
Source: DHL_VTER000105453.exe | Virustotal: Detection: 44%
Source: unknown | Process created: C:\Users\user\Desktop\DHL_VTER000105453.exe "C:\Users\user\Desktop\DHL_VTER000105453.exe"
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Process created: C:\Users\user\Desktop\DHL_VTER000105453.exe "C:\Users\user\Desktop\DHL_VTER000105453.exe"
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Process created: C:\Users\user\Desktop\DHL_VTER000105453.exe "C:\Users\user\Desktop\DHL_VTER000105453.exe"
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: DHL_VTER000105453.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DHL_VTER000105453.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: DHL_VTER000105453.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WIgI.pdbSHA25666 | source: DHL_VTER000105453.exe
                      Source: Binary string: WIgI.pdb | source: DHL_VTER000105453.exe

                      Data Obfuscation

                      Source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.DHL_VTER000105453.exe.24e8154.2.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.DHL_VTER000105453.exe.24f8df0.5.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: DHL_VTER000105453.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, EivdxQBqRrY0F7a36q.cs | .Net Code: PLBTRis4Th System.Reflection.Assembly.Load(byte[])
                      Source: DHL_VTER000105453.exe | Static PE information: 0x837C71F4 [Sun Nov 27 01:42:12 2039 UTC]
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_01060C95 push edi; ret 3_2_01060CC2
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069CE1BC push es; retf 3_2_069CE1C8
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069C0D10 push eax; iretd 3_2_069C0D11
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Code function: 3_2_069C69E2 push es; ret 3_2_069C69F0
                      Source: DHL_VTER000105453.exe | Static PE information: section name: .text entropy: 7.963989519893741
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, eWJJrjrCfHyAmgdUTJ.cs | High entropy of concatenated method names: 'hjts5vdN3V', 'XUAsBMAhl2', 'DXJPkmAvCY', 'vhsPqFSMv9', 'TWmsOAHdMF', 'pJlsaRuPfn', 'j0hsSZObe4', 'wxhsvKnG3U', 'hRysgATNsF', 'cHqscFKCEy'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, KXf5HTv1EDgWO2HJhu.cs | High entropy of concatenated method names: 'cu0V4CKetx', 's0oV8ndruL', 'c53VfvWIYW', 'twbVmHOeyY', 'sFyVCZRC1o', 'GVQV7VB0PI', 'dswVsNxtWP', 'dktVPfnSvh', 'fp5VMQHDS4', 'tbFVD6yPW7'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, kenKIqxpGLXmeNMaDd.cs | High entropy of concatenated method names: 'i8pRbD89A', 'Ggh4USfww', 'QKY8UJVvO', 'y99IPVcMC', 't5kmIQhqe', 'ji80QhdOP', 'LitoIhZ6Ry43ee3K9S', 'QavkfujayuEs6hwXtP', 'UqDP5Lype', 'XpND8klPv'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, dXSQFsfapwNXECTt00.cs | High entropy of concatenated method names: 'Dispose', 'S9nqtGcbd6', 'Nk86oBn2OQ', 'PXuddnWV4U', 'z5uqBRAiop', 'xrTqzMJCxV', 'ProcessDialogKey', 'ota6ktipa5', 'xer6qfE7JO', 'b2S669T2hf'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, bR6y2iNVo4aQFLXY9q.cs | High entropy of concatenated method names: 'OtnqNx1ymu', 'Octqx57b18', 'yp8qQilhZd', 'Q3Mqeel5lh', 'j5IqCrT9x1', 'dibq7HoSI7', 'ixHUcR43WQXA1sQYlR', 'mGLmWVdr4cDJg9rV0Q', 'RDMwfJtiZSvZetpn5j', 'xpEqquNowB'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, x9vktFQLSJNVJ3Ty78.cs | High entropy of concatenated method names: 'fWHogqeDnnWSd2Gu9cC', 'NBR6Hpegrvc3gf7OVFx', 'USLnPxKauT', 'DAdnMnZYf1', 'T2knDovyrG', 'QZVvVhewPXgJjqva6Au', 'jjs4PTek1xobkHR9sJX'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, EivdxQBqRrY0F7a36q.cs | High entropy of concatenated method names: 'DPFAXMK11u', 'RlIArWqkB6', 'wnwAidfXDg', 'GudAVJipE7', 'f0NAUbRMn0', 'piNAnqiQFJ', 'xp2AN9KL1q', 'WoOAx3ePPb', 'sA4A1VniWN', 'tXTAQTmyfU'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, c9F3htae5Y86s64DpE.cs | High entropy of concatenated method names: 'lnBMqFRdAI', 'GgXMAaYIqa', 'qNYMTLXv4n', 'oJ5Mr9Vnkg', 'SIjMiTEcWZ', 'jX6MUVbgT5', 'zyCMn4nA1v', 'SQ3Pb7ntHi', 'KYOP5XYFkM', 'g9FPtvdgh5'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, nY6ldg53UZJwNyBNq1.cs | High entropy of concatenated method names: 'j9KNHGCItw', 'xWsNj7dHch', 'Ny0NRBet1d', 'jLaN49cTTo', 'oZ4NpyLnNp', 'KKZN8EikIq', 'RmiNImeDXA', 'SqGNfOMcHT', 'QQSNmrE3PF', 'ctvN0yThT8'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, odH7uxwkgIAlQoNTtV.cs | High entropy of concatenated method names: 'JxdivYlcof', 'OAeigl45jh', 'PXJic1Dqvg', 'weiiwl4e3i', 'Lp6ilYjxH7', 'mNviL3OUv0', 'cDCib5Wx8K', 'T1ei5wD90t', 'O18itYqF6p', 'wj2iBHo82M'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, kyvUJB2EHZdPSnYWy8.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rpF6tmwxyv', 'pg16BobqjB', 'Fnq6znHB6j', 'CYuAkjmCx2', 'HNLAq4ULVR', 'NDNA6E1RDa', 'askAApndSK', 'k0xLbgy74Rj8ZLhbecC'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, arC5ayzBjcojuaeCSL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mnPMuiBgol', 'R6ZMCVKyfi', 'FkKM7CSVTo', 'cAqMsgjKKt', 'ISRMPdZe8C', 'jG9MMjm2Gh', 'Ki9MDVjkEN'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, gp9kugeE0OtsrJCCd7.cs | High entropy of concatenated method names: 'BllsQSaybq', 'VMfse80HCb', 'ToString', 'okDsrRkSx7', 'XvYsighUXj', 'k5ksVUPjs1', 'c2CsUj9sVn', 'nctsn0LhlG', 'EObsNExwnB', 'WjCsxbxvS5'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, P8FBaNiroknZ56PAXm.cs | High entropy of concatenated method names: 'GY9C2fYGCp', 'vxTCat2vg9', 'jBxCvwhJ0J', 'aLvCg4WQ1r', 'OCHCoQ1W05', 'FlFCJAdmxA', 'QFbCYPOTdA', 'UBpCWw4PTK', 'KuHCF6DMux', 'SPxCKs724b'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, jxQ5D9dZlba0DHcb6KH.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DdtDv9gqKO', 'IdnDgqRdNT', 'zHTDcpbDRf', 'OOZDwbL52e', 'hBHDlQIypV', 'gakDL9fMBT', 'uSYDbyEuht'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, tnRDZoKGfOyFAw15eD.cs | High entropy of concatenated method names: 'brnPyZcolr', 'HXrPouiMYK', 'OfBPJvVp1l', 'cepPYkmRgQ', 'uMvPvgJwIv', 'p97PWMq7FP', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, jRw3G3dh28QPHCpdZW0.cs | High entropy of concatenated method names: 'fU0MH7hvYf', 'QZgMjVcR3L', 'K8jMRKaas6', 'k8ZM4abtt8', 'BbDMpQ8KIf', 'cdkM8mbZNK', 'm4dMIhXX7f', 'ca9MfYkpjp', 'hG9MmwwP45', 'k5iM0K4ZtU'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, rdA7BMHBudSB0ROnvU.cs | High entropy of concatenated method names: 'h3oufw2TlU', 'eJVumKR205', 'XNJuyInUa0', 'buwuoX0INd', 'W4MuYdu1K8', 'j1LuWEaZce', 'GWOuKHEICK', 'UFjuhkQXy8', 'ruCu2h9iFE', 'HKBuOBNQLw'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, AbL3xt33IMuyAcYcBe.cs | High entropy of concatenated method names: 'H2SPr0M9h5', 'P5UPiqTU9C', 'YiQPVKhj43', 'U54PUApbVJ', 'wEBPnVDmSW', 'VY3PNyjvjj', 'RyQPxriHIn', 'xJkP1p0q0b', 'oY6PQX15qj', 'S8ePe8S1qt'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, W2I17ZV14gi8hbPYKi.cs | High entropy of concatenated method names: 'NqRnX6W7vY', 'yKkni0BMS9', 'I2dnUZfxT9', 'HH4nNfwBWy', 'RpHnxsZhHH', 'U85UlO1tF6', 'o2eULVF8n9', 'DDHUbu9aEJ', 'hSjU5LTWWH', 'DelUt2fcG8'
                      Source: 0.2.DHL_VTER000105453.exe.6c90000.10.raw.unpack, GfU1u4qHP0tZw08pRa.cs | High entropy of concatenated method names: 'wmcNr2O1cA', 'dneNVC0S7G', 'F7GNnY5jE6', 'PQSnBMd3Ul', 'zjqnzcDS8F', 'Y4SNkZYivX', 'vjcNqdCe5t', 'vpMN6wWbee', 'F4sNACHft1', 'beXNTKXUCD'
                      Source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.DHL_VTER000105453.exe.24e8154.2.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.DHL_VTER000105453.exe.24f8df0.5.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exe | Process information set: NOOPENFILEERRORBOX (102 identical entries in the report)
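The static findings in this section and the one before it (a CLR header, the DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE flags, a compile timestamp in 2039, a .text entropy close to 8 bits per byte, and a debug directory carrying the PDB name) can be reproduced offline with a short parser. The following Python is an added example and is not part of the Joe Sandbox report or of the sample; it uses only the standard library and runs against a constructed PE32 image that mimics those traits, since the sample itself is not available here. The 7.5 bits/byte packing threshold and the May 2024 reference date are assumptions.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# DllCharacteristics bits named in the report (values from the PE/COFF specification).
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14          # data directory indices
PACKED_ENTROPY = 7.5                            # assumed triage threshold (bits/byte)
REFERENCE_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)   # assumed analysis date


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes, now: datetime = REFERENCE_TIME) -> dict:
    """Parse just enough of a PE32/PE32+ image to reproduce the static findings."""
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsect, stamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    pe32plus = magic == 0x20B
    (dllchars,) = struct.unpack_from("<H", blob, opt + 70)      # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)
    (ndirs,) = struct.unpack_from("<I", blob, ndirs_off)
    dirs = [struct.unpack_from("<II", blob, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    # TimeDateStamp is seconds since the Unix epoch; timedelta arithmetic keeps post-2038 values portable.
    compiled = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=stamp)

    def has_dir(idx):
        return ndirs > idx and dirs[idx][0] != 0

    return {
        "managed": has_dir(DIR_COM_DESCRIPTOR),        # CLR header present: a .NET assembly
        "has_debug_dir": has_dir(DIR_DEBUG),           # where a PDB path such as "WIgI.pdb" lives
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARS.items()) if dllchars & bit],
        "compiled_utc": compiled.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "future_timestamp": compiled > now,
        "sections": sections,
        "packed_sections": [s["name"] for s in sections if s["entropy"] > PACKED_ENTROPY],
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 with the same static traits as the report (not the real sample)."""
    text = bytes(range(256)) * 16                    # 4096 bytes, entropy exactly 8.0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x837C71F4, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[DIR_DEBUG] = (0x2000, 28)
    dirs[DIR_COM_DESCRIPTOR] = (0x2020, 72)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8540)          # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    raw_ptr = 512
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (raw_ptr - len(image)) + text
    return bytes(image)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Two of these traits are weak on their own: the C# compiler sets DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE by default, and deterministic Roslyn builds store a content hash in TimeDateStamp, so an impossible compile date is also common on benign .NET assemblies. The near-8.0 .text entropy, together with Assembly.Load(byte[]) and the reflective lookup of GetDelegateForFunctionPointer shown above, is the stronger sign that the visible assembly is only a loader for an encrypted payload.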

                      Malware Analysis System Evasion

                      Source: Yara matchFile source: Process Memory Space: DHL_VTER000105453.exe PID: 3564, type: MEMORYSTR
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 22D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 2490000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 4490000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 6D10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 7D10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 7FA0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 8FA0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 2B90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DHL_VTER000105453.exeMemory allocated: 2960000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Thread delayed: delay time: 922337203685477 (2x), 600000, 599890, 599781, 599667, 599563, 599453, 599344, 599219, 599109, 599000, 598891, 598781, 598668, 598562, 593799, 593672, 593547, 593390, 593227, 593077, 592899, 592731, 592625, 592516, 592406, 592297
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Window / User API: threadDelayed 3565
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Window / User API: threadDelayed 6245
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe TID: 4216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe TID: 5904 Thread sleep time (each >= -30000s): -35048813740048126s, -600000s, -599890s, -599781s, -599667s, -599563s, -599453s, -599344s, -599219s, -599109s, -599000s, -598891s, -598781s, -598668s, -598562s, -100000s, -99875s, -99766s, -99657s, -99532s, -99422s, -99313s, -99188s, -99063s, -98938s, -98813s, -98704s, -98579s, -98454s, -98329s, -98204s, -98047s, -97922s, -97813s, -97688s, -97565s, -97453s, -97344s, -96940s, -95657s, -95532s, -95407s, -593799s, -593672s, -593547s, -593390s, -593227s, -593077s, -592899s, -592731s, -592625s, -592516s, -592406s, -592297s
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (3x)
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Thread delayed: delay time: 922337203685477 (2x), 600000, 599890, 599781, 599667, 599563, 599453, 599344, 599219, 599109, 599000, 598891, 598781, 598668, 598562, 100000, 99875, 99766, 99657, 99532, 99422, 99313, 99188, 99063, 98938, 98813, 98704, 98579, 98454, 98329, 98204, 98047, 97922, 97813, 97688, 97565, 97453, 97344, 96940, 95657, 95532, 95407, 593799, 593672, 593547, 593390, 593227, 593077, 592899, 592731, 592625, 592516, 592406, 592297
Source: DHL_VTER000105453.exe, 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: DHL_VTER000105453.exe, 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, DHL_VTER000105453.exe, 00000000.00000002.1233774134.0000000006C90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: uqe5V5IK8GQO3QeMUxS
Source: DHL_VTER000105453.exe, 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBox
Source: DHL_VTER000105453.exe, 00000003.00000002.2452463721.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Process information queried: ProcessInformation
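The delay values above are worth reading as a set rather than line by line. 922337203685477 ms is Int64.MaxValue ticks divided by 10,000, the largest whole-millisecond value a .NET TimeSpan can hold, so those two entries are unbounded waits for any practical purpose (how the sample issues them is not shown on this page). The runs that step down from 600000 and from 100000 in roughly 110 ms increments are consistent with a loop that recomputes the remaining part of a fixed wait and sleeps again each time the sandbox returns early from Sleep, which is why skipping individual Sleep calls does not shorten the stall. The Win32_BaseBoard and Win32_Processor queries are the usual hypervisor fingerprinting through manufacturer and model strings, matching the "vmware" and "VMwareVBox" strings found in memory. The following Python is an added triage helper written for this page, not Joe Sandbox code: it parses the line shapes shown here, totals the requested sleeps, finds the countdown runs and lists the fingerprinting WMI classes. SAMPLE_LINES is copied from the report's entries; treating the "Thread sleep time: -600000s" values as the same millisecond quantities as the "Thread delayed" values is an assumption based on the numbers coinciding, and the WMI class names beyond the two the report shows are an assumption.

```python
"""Triage of sleep-stalling and WMI fingerprinting lines from a Joe Sandbox report.

Added example for this page, not Joe Sandbox code. The regular expressions
follow the line shapes shown in the report; SAMPLE_LINES is a subset of the
report's own entries (copied, not exhaustive).
"""
import re

# Int64.MaxValue ticks / 10_000: the largest whole-millisecond value a .NET
# TimeSpan can hold. A wait of this length is unbounded for any practical purpose.
TIMESPAN_MAX_MS = 922_337_203_685_477

# WMI classes whose instances expose hypervisor-revealing strings. The report shows
# Win32_BaseBoard and Win32_Processor; the others are common companions and are an
# assumption, not something this report shows.
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_VideoController", "Win32_DiskDrive",
}

# "Thread delayed: delay time: 600000" and "Thread sleep time: -600000s >= -30000s"
# carry the same numbers in this report; both are read as milliseconds (assumption).
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s")
WMI_RE = re.compile(r"WMI Queries: .*?root\\cimv2 : (?:SELECT .*? FROM )?(Win32_\w+)")

SRC = r"Source: C:\Users\user\Desktop\DHL_VTER000105453.exe "
SAMPLE_LINES = [  # copied from the report
    SRC + "Thread delayed: delay time: 922337203685477",
    SRC + "Thread delayed: delay time: 922337203685477",
    SRC + "Thread delayed: delay time: 600000",
    SRC + "Thread delayed: delay time: 599890",
    SRC + "Thread delayed: delay time: 599781",
    SRC + "Thread delayed: delay time: 599667",
    SRC + "Thread delayed: delay time: 593799",
    SRC + "Thread delayed: delay time: 593672",
    SRC + r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    SRC + r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    SRC + "Window / User API: threadDelayed 3565",
]


def parse_delays_ms(lines):
    """Every requested delay, in log order, from either line style."""
    delays = []
    for line in lines:
        m = DELAY_RE.search(line) or SLEEP_RE.search(line)
        if m:
            delays.append(int(m.group(1)))
    return delays


def countdown_runs(delays, max_step_ms=1_000, min_len=3):
    """Runs of strictly decreasing delays separated by small steps.

    600000, 599890, 599781, ... is what a sleep-until-deadline loop looks like when
    the sandbox returns early from each Sleep: the sample recomputes the time left
    and asks for it again, so shortening one call does not shorten the stall.
    Returns (first, last, count) for each run of at least min_len values.
    """
    runs, start = [], 0
    for i in range(1, len(delays) + 1):
        contiguous = i < len(delays) and 0 < delays[i - 1] - delays[i] <= max_step_ms
        if not contiguous:
            if i - start >= min_len:
                runs.append((delays[start], delays[i - 1], i - start))
            start = i
    return runs


def wmi_fingerprint_classes(lines):
    """WMI classes queried that are commonly read to detect a hypervisor."""
    found = set()
    for line in lines:
        m = WMI_RE.search(line)
        if m and m.group(1) in VM_FINGERPRINT_CLASSES:
            found.add(m.group(1))
    return found


def summarize(lines):
    """Stalling and fingerprinting summary for one process's behavior lines."""
    delays = parse_delays_ms(lines)
    finite = [d for d in delays if d < TIMESPAN_MAX_MS]
    return {
        "infinite_sleeps": sum(1 for d in delays if d >= TIMESPAN_MAX_MS),
        "finite_total_ms": sum(finite),
        "longest_single_ms": max(finite, default=0),
        "countdown_runs": countdown_runs(finite),
        "wmi_vm_classes": sorted(wmi_fingerprint_classes(lines)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Applied to every delay line on this page the summary shows the same picture at larger scale: two unbounded waits in each group, one countdown from 600000 and a second from 100000, with the finite totals adding up to hours of requested sleeping. The countdown detector is the useful part for a sandbox operator: a single large Sleep can be patched out, but a run of re-issued remaining-time sleeps means the sample is checking a clock, and that is where time-acceleration rather than sleep-skipping is needed.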

                      Anti Debugging

Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Code function: 3_2_01067EC8 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Memory written: C:\Users\user\Desktop\DHL_VTER000105453.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Process created: C:\Users\user\Desktop\DHL_VTER000105453.exe "C:\Users\user\Desktop\DHL_VTER000105453.exe"
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Users\user\Desktop\DHL_VTER000105453.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Users\user\Desktop\DHL_VTER000105453.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match, file source: 3.2.DHL_VTER000105453.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.3773728.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.37aeb48.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: DHL_VTER000105453.exe PID: 3564, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: DHL_VTER000105453.exe PID: 5060, type: MEMORYSTR
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.4f70000.9.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24f8df0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24f8df0.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24e8154.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24e8154.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24b6468.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.269f198.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.26a01b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.26a21c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1233395937.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1228882170.0000000002491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1228882170.000000000252A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\DHL_VTER000105453.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, file source: 3.2.DHL_VTER000105453.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.3773728.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.37aeb48.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: DHL_VTER000105453.exe PID: 3564, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: DHL_VTER000105453.exe PID: 5060, type: MEMORYSTR
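Two findings in the sections above are the ones to pull out of a report like this for detection and scoping. First, under HIPS / PFW / Operating System Protection Evasion, the sample starts a second copy of its own image and writes a buffer beginning with 4D5A, an MZ header, to that copy's image base at 0x400000: that is the shape of process hollowing (RunPE) against itself, and the Yara matches on 3.2.DHL_VTER000105453.exe.400000.0.unpack are hitting the unpacked image at that address in the second process. Second, the opened files and registry keys are a credential-store inventory: the Chromium Login Data databases of Chrome and Edge, profiles.ini for the Gecko-based Firefox, Cyberfox, BlackHawk and Thunderbird (the first step to locating a profile's logins.json and key4.db), the MAPI profile key under Windows Messaging Subsystem\Profiles, and IncrediMail identities. The following Python is an added example written for this page, not Joe Sandbox code and not part of the sample: it classifies those accesses and flags the self-hollowing pattern from the report's line shapes. SAMPLE_LINES is constructed from the report's entries; the store labels and the regular expressions are assumptions of this example.

```python
"""Credential-store access and self-injection triage for Joe Sandbox lines.

Added example for this page, not Joe Sandbox code and not part of the sample.
The line patterns follow the shapes shown in the report; the store labels and
expressions are the author's own, and SAMPLE_LINES is constructed from the
report's entries.
"""
import re
from collections import defaultdict

IMAGE = r"C:\Users\user\Desktop\DHL_VTER000105453.exe"  # analysed sample, from the report

# (label, pattern tested against the opened file path or registry key).
# Only the stores this report shows being opened; extend as needed.
CREDENTIAL_STORES = [
    ("chrome_logins", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("edge_logins", re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("firefox_profile", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("cyberfox_profile", re.compile(r"\\8pecxstudios\\Cyberfox\\profiles\.ini$", re.I)),
    ("blackhawk_profile", re.compile(r"\\NETGATE Technologies\\BlackHawk\\profiles\.ini$", re.I)),
    ("thunderbird_profile", re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("outlook_mapi_profiles", re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I)),
    ("incredimail_identities", re.compile(r"\\IncrediMail\\Identities$", re.I)),
]

# Raw report exports carry a trailing "Jump to behavior" link text; it is tolerated here.
ACCESS_RE = re.compile(r"(?:File opened|Key opened): (.+?)(?:Jump to behavior)?$")
PROC_RE = re.compile(r'^Source: (.+?) Process created: (.+?) "')
MEMWRITE_RE = re.compile(
    r"^Source: (.+?) Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)"
)

SAMPLE_LINES = [  # constructed from the report's entries
    f"Source: {IMAGE} Memory written: {IMAGE} base: 400000 value starts with: 4D5A",
    f'Source: {IMAGE} Process created: {IMAGE} "{IMAGE}"',
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini",
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini",
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    rf"Source: {IMAGE} File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    rf"Source: {IMAGE} Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    rf"Source: {IMAGE} Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
]


def credential_stores_touched(lines):
    """Map each File/Key opened line to a credential store; unrelated paths are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        path = m.group(1).strip()
        for label, pattern in CREDENTIAL_STORES:
            if pattern.search(path):
                hits[label].append(path)
                break
    return dict(hits)


def self_injection(lines):
    """Flag an image writing an MZ header into the image base of its own spawned copy.

    A parent that creates a child with its own path and then writes a buffer
    starting with 4D5A at that child's image base (0x400000 here) is the shape
    of process hollowing (RunPE): the packer stub replaces the mapped image of
    the second copy with the real payload. Both events are required for a hit.
    """
    spawned_self = {
        m.group(1).lower()
        for m in map(PROC_RE.search, lines)
        if m and m.group(1).lower() == m.group(2).lower()
    }
    hits = []
    for line in lines:
        m = MEMWRITE_RE.search(line)
        if not m:
            continue
        src, target, base, magic = m.groups()
        if magic.upper().startswith("4D5A") and src.lower() == target.lower() in spawned_self:
            hits.append({"image": src, "base": int(base, 16)})
    return hits


def triage(lines):
    """Both findings for one report's behavior lines."""
    return {
        "credential_stores": credential_stores_touched(lines),
        "self_injection": self_injection(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

For response, the store list is the artefact to act on: every labelled store is a set of secrets to treat as exposed on the infected host, and profiles.ini in particular points at the profile directories whose logins.json and key4.db should be checked for access times. The injection check deliberately needs both the spawn of a same-path child and the 4D5A write to that child's base, because a bare MZ write to 0x400000 also occurs in legitimate self-patching and in-memory .NET loaders that never touch another process.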

                      Remote Access Functionality

Source: Yara match, file source: 3.2.DHL_VTER000105453.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.3773728.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.37aeb48.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.37aeb48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.3773728.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2455637570.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: DHL_VTER000105453.exe PID: 3564, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: DHL_VTER000105453.exe PID: 5060, type: MEMORYSTR
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.4f70000.9.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.4f70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24f8df0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24f8df0.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24e8154.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24e8154.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.24b6468.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.269f198.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.26a01b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL_VTER000105453.exe.26a21c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1233395937.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1228882170.0000000002491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1228882170.000000000252A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic, cells in matrix order; techniques the report flagged carry the report's signature badge in brackets, reproduced as extracted; unbracketed entries carry no badge in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Process Injection [111]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [22]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [151]; Process Injection [111]
Credential Access: OS Credential Dumping [1]; Input Capture [31]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Query Registry [1]; Security Software Discovery [421]; Process Discovery [1]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [1]; System Network Configuration Discovery [1]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [31]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Antivirus detection, sample:
Source | Detection | Scanner | Label
DHL_VTER000105453.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeyLogger
DHL_VTER000105453.exe | 44% | Virustotal |
DHL_VTER000105453.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches

Antivirus detection, domains:
Source | Detection | Scanner
nl9.nlkoddos.com | 0% | Virustotal

Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://tempuri.org/DataSeta.xsd)Microsoft | 0% | Avira URL Cloud | safe
http://nl9.nlkoddos.com | 0% | Avira URL Cloud | safe
http://nl9.nlkoddos.com | 0% | Virustotal |
http://tempuri.org/DataSeta.xsd)Microsoft | 2% | Virustotal |
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
nl9.nlkoddos.com | 89.249.49.141 | true | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
URLs found in memory and binary data (Source lists the process and the memory dumps or file in which the string was found):

https://api.ipify.org
  Source: DHL_VTER000105453.exe: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high

https://account.dyn.com/
  Source: DHL_VTER000105453.exe: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high

http://x1.c.lencr.org/0
  Source: DHL_VTER000105453.exe: 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2452463721.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2452463721.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe; URL Reputation: safe | Reputation: unknown

http://x1.i.lencr.org/0
  Source: DHL_VTER000105453.exe: 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2452463721.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2452463721.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://tempuri.org/DataSeta.xsd)Microsoft
  Source: DHL_VTER000105453.exe (file)
  Malicious: false | Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe | Reputation: unknown

http://ip-api.com
  Source: DHL_VTER000105453.exe: 00000003.00000002.2455637570.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high

http://r3.o.lencr.org0
  Source: DHL_VTER000105453.exe: 00000003.00000002.2452463721.0000000000E77000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2460798271.00000000062BA000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://api.ipify.org/t
  Source: DHL_VTER000105453.exe: 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: DHL_VTER000105453.exe: 00000003.00000002.2455637570.0000000002B91000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high

https://www.chiark.greenend.org.uk/~sgtatham/putty/0
  Source: DHL_VTER000105453.exe (file)
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://nl9.nlkoddos.com
  Source: DHL_VTER000105453.exe: 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C16000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown

http://r3.i.lencr.org/0
  Source: DHL_VTER000105453.exe: 00000003.00000002.2452463721.0000000000E77000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp; 00000003.00000002.2460798271.0000000006333000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2460798271.00000000062BA000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2460798271.000000000630C000.00000004.00000020.00020000.00000000.sdmp; 00000003.00000002.2455637570.0000000002C38000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
89.249.49.141 | nl9.nlkoddos.com | Russian Federation | 41310 | IPCTRU | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
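The check a SOC analyst would want from the domain, URL and IP tables above is a hunt over proxy logs for the sequence this sample shows: the ip-api.com "hosting" lookup (the data-centre/colocation check in the signature list), the api.ipify.org external-IP lookup, and then the contact to nl9.nlkoddos.com, the only host the report marks malicious. The script below is an added example, not Joe Sandbox output and not code from the sample. The indicator values are copied from the tables above; the log format, the log lines and the five-minute correlation window are constructed for the demonstration and are not from the analysis.

```python
"""Hunt proxy logs for the AgentTesla network pattern in this report.

Added example (not Joe Sandbox output, not the sample's code).
Indicators are copied from the report's domain/URL/IP tables; the log
format, the log lines and the correlation window are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the report: the only host marked malicious, by name and by IP.
C2_HOSTS = {"nl9.nlkoddos.com", "89.249.49.141"}

# From the report's contacted-URL table. Both are legitimate public
# services; on their own they are weak signals, so they are only used
# as the "recon" half of a recon-then-C2 correlation.
RECON_URLS = {
    "ip-api.com/line/?fields=hosting",  # data-centre / sandbox check
    "api.ipify.org/",                   # external IP lookup
}

# Assumed tuning value: how soon after the recon lookups the C2
# contact must follow to be correlated.
WINDOW = timedelta(minutes=5)

# Constructed log lines in an assumed format:
# "<ISO-8601 time> <client_ip> <host> <path>". Not from the analysis.
SAMPLE_LOG = """\
2024-05-04T10:02:10Z 10.0.0.15 ip-api.com /line/?fields=hosting
2024-05-04T10:02:11Z 10.0.0.15 api.ipify.org /
2024-05-04T10:02:13Z 10.0.0.15 nl9.nlkoddos.com /
2024-05-04T10:05:00Z 10.0.0.23 api.ipify.org /?format=json
2024-05-04T10:07:00Z 10.0.0.42 ip-api.com /json/
2024-05-04T11:00:00Z 10.0.0.42 nl9.nlkoddos.com /
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into (timestamp, client, host, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, path


def classify(host, path):
    """Return 'c2', 'recon' or None for a single request."""
    if host in C2_HOSTS:
        return "c2"
    if host + path in RECON_URLS:
        return "recon"
    return None


def hunt(log_text):
    """Return {client: [finding, ...]} for clients that match the pattern.

    'c2_contact'   - any request to the C2 host or IP (high confidence).
    'recon_then_c2' - a recon lookup followed within WINDOW by C2 contact,
                      which is the order the sandbox trace shows.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, path = rec
        kind = classify(host, path)
        if kind:
            per_client[client].append((ts, kind))

    findings = {}
    for client, events in per_client.items():
        events.sort()
        recon_times = [t for t, k in events if k == "recon"]
        c2_times = [t for t, k in events if k == "c2"]
        out = []
        if c2_times:
            out.append("c2_contact")
        if any(timedelta(0) <= c - r <= WINDOW
               for r in recon_times for c in c2_times):
            out.append("recon_then_c2")
        if out:
            findings[client] = out
    return findings


if __name__ == "__main__":
    for client, hits in sorted(hunt(SAMPLE_LOG).items()):
        print(client, ", ".join(hits))
```

In the constructed log, 10.0.0.15 reproduces the full chain and is reported with both findings, 10.0.0.42 reaches the C2 host without the preceding lookups and is reported on the C2 contact alone, and 10.0.0.23 only queries api.ipify.org with a different path and is not reported, which is the intended behaviour: the public IP services are too widely used by legitimate software to alert on by themselves.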
                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1436301
                                        Start date and time:2024-05-04 10:01:33 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 6m 45s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:DHL_VTER000105453.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@3/1@3/3
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 98%
                                        • Number of executed functions: 93
                                        • Number of non-executed functions: 6
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
10:02:23 | API Interceptor | 945519x Sleep call for process: DHL_VTER000105453.exe modified
Other samples that contacted the same IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):

208.95.112.1 | 43643456.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Sipari#U015f.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | http://www.open-sora.org | malicious | Exela Stealer, Growtopia, Python Stealer | ip-api.com/json
208.95.112.1 | nXaujG6G1F.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | NFs_98776.msi | malicious | VMdetect | ip-api.com/json/
208.95.112.1 | Invoice _ 2357.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

89.249.49.141 | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer |
89.249.49.141 | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer |
89.249.49.141 | DHL Shipping Documents_AWB 5032675620.exe | malicious | AgentTesla |
89.249.49.141 | SecuriteInfo.com.Win32.PWSX-gen.28384.29794.exe | malicious | AgentTesla |
89.249.49.141 | SecuriteInfo.com.Trojan.PackedNET.2779.17787.32363.exe | malicious | AgentTesla |
89.249.49.141 | SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe | malicious | AgentTesla, PureLog Stealer |
89.249.49.141 | DHL Express_AWB102235516763.PDF.exe | malicious | AgentTesla |
89.249.49.141 | Order and products specication.exe | malicious | AgentTesla |
89.249.49.141 | SecuriteInfo.com.Win32.PWSX-gen.9837.19847.exe | malicious | AgentTesla |
89.249.49.141 | 45lndAGIDj.exe | malicious | AgentTesla |

172.67.74.152 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
172.67.74.152 | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
172.67.74.152 | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
Other samples that contacted the same domains (Match | Associated Sample Name / URL | Detection | Threat Name | Context):

ip-api.com | 43643456.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | Sipari#U015f.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | http://www.open-sora.org | malicious | Exela Stealer, Growtopia, Python Stealer | 208.95.112.1
ip-api.com | nXaujG6G1F.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 208.95.112.1
ip-api.com | NFs_98776.msi | malicious | VMdetect | 208.95.112.1
ip-api.com | Invoice _ 2357.exe | malicious | AgentTesla | 208.95.112.1

nl9.nlkoddos.com | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | 89.249.49.141
nl9.nlkoddos.com | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | 89.249.49.141
nl9.nlkoddos.com | DHL Shipping Documents_AWB 5032675620.exe | malicious | AgentTesla | 89.249.49.141
nl9.nlkoddos.com | SecuriteInfo.com.Win32.PWSX-gen.28384.29794.exe | malicious | AgentTesla | 89.249.49.141
nl9.nlkoddos.com | SecuriteInfo.com.Trojan.PackedNET.2779.17787.32363.exe | malicious | AgentTesla | 89.249.49.141
nl9.nlkoddos.com | SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe | malicious | AgentTesla, PureLog Stealer | 89.249.49.141
nl9.nlkoddos.com | DHL Express_AWB102235516763.PDF.exe | malicious | AgentTesla | 89.249.49.141
nl9.nlkoddos.com | Order and products specication.exe | malicious | AgentTesla | 89.249.49.141
nl9.nlkoddos.com | SecuriteInfo.com.Win32.PWSX-gen.9837.19847.exe | malicious | AgentTesla | 89.249.49.141
nl9.nlkoddos.com | 45lndAGIDj.exe | malicious | AgentTesla | 89.249.49.141

api.ipify.org | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | FACTURAS-ALBARANES.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Order PS24S0040.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | 1110022.vbs | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Transfer copy PDF.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
api.ipify.org | Invoice _ 2357.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | FACTURAS-ALBARANES.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | nP050NMmkE.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | http://t.co/aoL5aQEhyc | malicious | HTMLPhisher | 172.67.74.152
Other samples that contacted the same ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):

TUT-ASUS | 43643456.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | Sipari#U015f.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | http://www.open-sora.org | malicious | Exela Stealer, Growtopia, Python Stealer | 208.95.112.1
TUT-ASUS | nXaujG6G1F.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 208.95.112.1
TUT-ASUS | NFs_98776.msi | malicious | VMdetect | 208.95.112.1
TUT-ASUS | Invoice _ 2357.exe | malicious | AgentTesla | 208.95.112.1

IPCTRU | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | 89.249.49.141
IPCTRU | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | 89.249.49.141
IPCTRU | DHL Shipping Documents_AWB 5032675620.exe | malicious | AgentTesla | 89.249.49.141
IPCTRU | SecuriteInfo.com.Win32.PWSX-gen.28384.29794.exe | malicious | AgentTesla | 89.249.49.141
IPCTRU | SecuriteInfo.com.Trojan.PackedNET.2779.17787.32363.exe | malicious | AgentTesla | 89.249.49.141
IPCTRU | SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe | malicious | AgentTesla, PureLog Stealer | 89.249.49.141
IPCTRU | DHL Express_AWB102235516763.PDF.exe | malicious | AgentTesla | 89.249.49.141
IPCTRU | Order and products specication.exe | malicious | AgentTesla | 89.249.49.141
IPCTRU | SecuriteInfo.com.Win32.PWSX-gen.9837.19847.exe | malicious | AgentTesla | 89.249.49.141
IPCTRU | 45lndAGIDj.exe | malicious | AgentTesla | 89.249.49.141

CLOUDFLARENETUS | DHL_VTER000105450.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
CLOUDFLARENETUS | DHL Receipt_AWB 9899691321..exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
CLOUDFLARENETUS | E7236252-receipt.vbs | malicious | XWorm | 104.21.45.138
CLOUDFLARENETUS | I7336446-receipt.vbs | malicious | XWorm | 172.67.215.45
CLOUDFLARENETUS | S94847456-receipt.vbs | malicious | XWorm | 172.67.215.45
CLOUDFLARENETUS | S847453-receipt.vbs | malicious | XWorm | 104.21.45.138
CLOUDFLARENETUS | 4365078236450.LnK.lnk | malicious | Unknown |
                                                            • 172.67.139.174
                                                            1CMweaqlKp.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                            • 172.67.19.24
                                                            SecuriteInfo.com.PossibleThreat.PALLASNET.H.14592.12237.dllGet hashmaliciousUnknownBrowse
                                                            • 172.67.129.98
                                                            https://securepdffilesaccess%E3%80%82com/docx/#9403ZGF2ZW1AY3BlcXVpdHkuY29t??nEJx==78463=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d#&vg=008d8185-7421-4d39-a8ea-d6571496b99e&stid=14&pti=1&pa=20041&pos=0&p=525094&channelId=21280b5d95ea9121&s=lsfbx0rnvkkgxzgo1sbi4b3z&sgs=2004:15-17+F-150Get hashmaliciousHTMLPhisherBrowse
                                                            • 104.17.2.184
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                            No context
                                                            Process:C:\Users\user\Desktop\DHL_VTER000105453.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.956439048355657
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:DHL_VTER000105453.exe
                                                            File size:713'224 bytes
                                                            MD5:7dec2c3596f3081f16fb71af0b1340ef
                                                            SHA1:2f95bb30d3d11e88713b66fe1c55113e06890656
                                                            SHA256:0144ad3c79e25335ba0bb88e4c47c497215af9d44f0dc9f8a550bf71d579ca07
                                                            SHA512:99b383bc464f37fc5b5a8cf3e8415360e9eca70df7358fec3a2e17b045e8d928042a32ca89504ee460048e28f044efda00ef882264fdf4010c318a3a81fe8a53
                                                            SSDEEP:12288:uVUL2iNdl0ZE1huYAo+eovnS+P1R+5DH2qhu1zbCxjLqsewT8Nu/+SyST3xT1O1V:u+1Pl0GDADZvFPD+tHlAoJewINI+SySq
                                                            TLSH:92E4226453A86B34E3BD13F391B67621DFB2B10B3520E29C6DE650DE18F27411A74A8F
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q|...............0.............6.... ........@.. ....................................@................................
                                                            Icon Hash:00928e8e8686b000
                                                            Entrypoint:0x4abe36
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x837C71F4 [Sun Nov 27 01:42:12 2039 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Signature Valid:false
                                                            Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                            Signature Validation Error:The digital signature of the object did not verify
                                                            Error Number:-2146869232
Not Before: 13/11/2018 01:00:00
Not After: 09/11/2021 00:59:59
                                                            Subject Chain
                                                            • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                            Version:3
                                                            Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                            Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                            Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                            Serial:7C1118CBBADC95DA3752C46E47A27438
                                                            Instruction
                                                            jmp dword ptr [00402000h]
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xabde4         | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xac000         | 0x694        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0xaac00         | 0x3608       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xae000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xa9fc0         | 0x70         | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0xa9e64      | 0xaa000  | 65b841d7756ff5eb0059d412a75fc791 | False    | 0.9630069508272059 | data      | 7.963989519893741   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0xac000         | 0x694        | 0x800    | 107e8aba4d5b19169ed84a92c692a58f | False    | 0.3662109375       | data      | 3.628552056008294   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000         | 0xc          | 0x200    | c3231fb56c6fbeedc0bc2b21e1af47cc | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA     | Size  | Type                                                                           | Language | Country | ZLIB Complexity
RT_VERSION  | 0xac090 | 0x404 | data                                                                           |          |         | 0.4270428015564202
RT_MANIFEST | 0xac4a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5489795918367347
DLL         | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            May 4, 2024 10:04:26.030080080 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:26.033617020 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:26.037616014 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:26.348418951 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:26.353590965 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:26.665488958 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:26.669617891 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:26.981107950 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:26.981458902 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:27.316349983 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:27.316709995 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:27.627791882 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:27.629770994 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:27.949662924 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:28.003777981 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.296833038 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.297736883 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.357614994 CEST49717587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.607358932 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:29.607590914 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.608057976 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:29.608285904 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.608702898 CEST5874971689.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:29.608896017 CEST49716587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.668023109 CEST5874971789.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:29.668271065 CEST49717587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:29.986018896 CEST5874971789.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:29.986151934 CEST49717587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:30.298592091 CEST5874971789.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:30.298857927 CEST49717587192.168.2.789.249.49.141
                                                            May 4, 2024 10:04:30.610152006 CEST5874971789.249.49.141192.168.2.7
                                                            May 4, 2024 10:04:30.659970999 CEST49717587192.168.2.789.249.49.141
Timestamp                            Src port  Dst port  Source IP      Dest IP
May 4, 2024 10:02:25.768403053 CEST  57564     53        192.168.2.7    1.1.1.1
May 4, 2024 10:02:25.928396940 CEST  53        57564     1.1.1.1        192.168.2.7
May 4, 2024 10:02:26.651097059 CEST  60168     53        192.168.2.7    1.1.1.1
May 4, 2024 10:02:26.815291882 CEST  53        60168     1.1.1.1        192.168.2.7
May 4, 2024 10:02:28.123749971 CEST  51821     53        192.168.2.7    1.1.1.1
May 4, 2024 10:02:28.448086977 CEST  53        51821     1.1.1.1        192.168.2.7
Timestamp                            Source IP    Dest IP      Trans ID  OP code             Name              Type            Class        DNS over HTTPS
May 4, 2024 10:02:25.768403053 CEST  192.168.2.7  1.1.1.1      0xff19    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
May 4, 2024 10:02:26.651097059 CEST  192.168.2.7  1.1.1.1      0x3c57    Standard query (0)  ip-api.com        A (IP address)  IN (0x0001)  false
May 4, 2024 10:02:28.123749971 CEST  192.168.2.7  1.1.1.1      0x6597    Standard query (0)  nl9.nlkoddos.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply code    Name              CName  Address         Type            Class        DNS over HTTPS
May 4, 2024 10:02:25.928396940 CEST  1.1.1.1      192.168.2.7  0xff19    No error (0)  api.ipify.org     -      172.67.74.152   A (IP address)  IN (0x0001)  false
May 4, 2024 10:02:25.928396940 CEST  1.1.1.1      192.168.2.7  0xff19    No error (0)  api.ipify.org     -      104.26.13.205   A (IP address)  IN (0x0001)  false
May 4, 2024 10:02:25.928396940 CEST  1.1.1.1      192.168.2.7  0xff19    No error (0)  api.ipify.org     -      104.26.12.205   A (IP address)  IN (0x0001)  false
May 4, 2024 10:02:26.815291882 CEST  1.1.1.1      192.168.2.7  0x3c57    No error (0)  ip-api.com        -      208.95.112.1    A (IP address)  IN (0x0001)  false
May 4, 2024 10:02:28.448086977 CEST  1.1.1.1      192.168.2.7  0x6597    No error (0)  nl9.nlkoddos.com  -      89.249.49.141   A (IP address)  IN (0x0001)  false
                                                            • api.ipify.org
                                                            • ip-api.com
Session ID  Source IP    Source port  Destination IP  Destination port  PID   Process
0           192.168.2.7  49706        208.95.112.1    80                5060  C:\Users\user\Desktop\DHL_VTER000105453.exe

Timestamp                            Bytes  Direction  Data
May 4, 2024 10:02:26.976759911 CEST  80     OUT        GET /line/?fields=hosting HTTP/1.1
                                                       Host: ip-api.com
                                                       Connection: Keep-Alive
May 4, 2024 10:02:27.137213945 CEST  174    IN         HTTP/1.1 200 OK
                                                       Date: Sat, 04 May 2024 08:02:27 GMT
                                                       Content-Type: text/plain; charset=utf-8
                                                       Content-Length: 5
                                                       Access-Control-Allow-Origin: *
                                                       X-Ttl: 17
                                                       X-Rl: 43
                                                       Data Raw: 74 72 75 65 0a
                                                       Data Ascii: true


Session ID  Source IP    Source port  Destination IP  Destination port  PID   Process
0           192.168.2.7  49704        172.67.74.152   443               5060  C:\Users\user\Desktop\DHL_VTER000105453.exe

Timestamp                Bytes  Direction  Data
2024-05-04 08:02:26 UTC  155    OUT        GET / HTTP/1.1
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                           Host: api.ipify.org
                                           Connection: Keep-Alive
2024-05-04 08:02:26 UTC  211    IN         HTTP/1.1 200 OK
                                           Date: Sat, 04 May 2024 08:02:26 GMT
                                           Content-Type: text/plain
                                           Content-Length: 13
                                           Connection: close
                                           Vary: Origin
                                           CF-Cache-Status: DYNAMIC
                                           Server: cloudflare
                                           CF-RAY: 87e6f7f3e9940fd9-LAX
2024-05-04 08:02:26 UTC  13     IN         Data Raw: 38 31 2e 31 38 31 2e 35 34 2e 31 30 34
                                           Data Ascii: 81.181.54.104


Timestamp                            Src port  Dst port  Source IP      Dest IP        Commands
May 4, 2024 10:02:29.084914923 CEST  587       49708     89.249.49.141  192.168.2.7    220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Sat, 04 May 2024 10:02:28 +0200
                                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                                       220 and/or bulk e-mail.
May 4, 2024 10:02:29.085089922 CEST  49708     587       192.168.2.7    89.249.49.141  EHLO 707748
May 4, 2024 10:02:29.396522045 CEST  587       49708     89.249.49.141  192.168.2.7    250-nl9.nlkoddos.com Hello 707748 [81.181.54.104]
                                                                                       250-SIZE 52428800
                                                                                       250-8BITMIME
                                                                                       250-PIPELINING
                                                                                       250-PIPECONNECT
                                                                                       250-STARTTLS
                                                                                       250 HELP
May 4, 2024 10:02:29.396689892 CEST  49708     587       192.168.2.7    89.249.49.141  STARTTLS
May 4, 2024 10:02:29.708728075 CEST  587       49708     89.249.49.141  192.168.2.7    220 TLS go ahead
May 4, 2024 10:04:25.087064028 CEST  587       49716     89.249.49.141  192.168.2.7    220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Sat, 04 May 2024 10:04:24 +0200
                                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                                       220 and/or bulk e-mail.
May 4, 2024 10:04:25.089731932 CEST  49716     587       192.168.2.7    89.249.49.141  EHLO 707748
May 4, 2024 10:04:25.400904894 CEST  587       49716     89.249.49.141  192.168.2.7    250-nl9.nlkoddos.com Hello 707748 [81.181.54.104]
                                                                                       250-SIZE 52428800
                                                                                       250-8BITMIME
                                                                                       250-PIPELINING
                                                                                       250-PIPECONNECT
                                                                                       250-STARTTLS
                                                                                       250 HELP
May 4, 2024 10:04:25.401117086 CEST  49716     587       192.168.2.7    89.249.49.141  STARTTLS
May 4, 2024 10:04:25.713072062 CEST  587       49716     89.249.49.141  192.168.2.7    220 TLS go ahead
May 4, 2024 10:04:29.608057976 CEST  587       49716     89.249.49.141  192.168.2.7    421 Lost incoming connection
May 4, 2024 10:04:29.986018896 CEST  587       49717     89.249.49.141  192.168.2.7    220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Sat, 04 May 2024 10:04:28 +0200
                                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                                       220 and/or bulk e-mail.
May 4, 2024 10:04:29.986151934 CEST  49717     587       192.168.2.7    89.249.49.141  EHLO 707748
May 4, 2024 10:04:30.298592091 CEST  587       49717     89.249.49.141  192.168.2.7    250-nl9.nlkoddos.com Hello 707748 [81.181.54.104]
                                                                                       250-SIZE 52428800
                                                                                       250-8BITMIME
                                                                                       250-PIPELINING
                                                                                       250-PIPECONNECT
                                                                                       250-STARTTLS
                                                                                       250 HELP
May 4, 2024 10:04:30.298857927 CEST  49717     587       192.168.2.7    89.249.49.141  STARTTLS
May 4, 2024 10:04:30.610152006 CEST  587       49717     89.249.49.141  192.168.2.7    220 TLS go ahead
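The DNS, HTTP and SMTP rows above are one sequence: the sample resolves and queries api.ipify.org (its public address, 81.181.54.104) and ip-api.com with fields=hosting (a datacenter/colocation check, which answered true here and did not stop it), then resolves nl9.nlkoddos.com, connects to it on 587, sends EHLO with the bare number 707748 and switches to STARTTLS. Everything after that is encrypted, so detection has to work from metadata. The following is an added example, not part of the Joe Sandbox report, of a small correlator that flags that sequence over a simplified event list; the Event and Finding types, the rule names and the SAMPLE_EVENTS list are constructed for this example and are not a Joe Sandbox export format.

```python
"""Correlate IP reconnaissance with direct SMTP submission (added example)."""
import re
from dataclasses import dataclass

# Public "what is my IP / am I hosted" services probed before exfiltration.
IP_RECON_HOSTS = {"api.ipify.org", "ip-api.com"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}


@dataclass
class Event:
    kind: str        # "dns", "http" or "smtp"
    src: str
    dst: str
    dport: int = 0
    name: str = ""   # DNS name or HTTP Host
    data: str = ""   # DNS answer, HTTP request line, or SMTP command


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def is_hosting_probe(e: Event) -> bool:
    """ip-api.com's /line/?fields=hosting answers 'true' for datacenter
    addresses; malware uses it to decide whether it runs in a sandbox."""
    return e.kind == "http" and e.name == "ip-api.com" and "fields=hosting" in e.data


def bare_numeric_ehlo(e: Event):
    """Return the EHLO argument when it is a bare number (no FQDN), else None."""
    m = re.match(r"EHLO\s+(\d+)\s*$", e.data)
    return m.group(1) if m else None


def analyse(events):
    findings = []
    # Map resolved addresses back to the names that produced them.
    resolved = {e.data: e.name for e in events if e.kind == "dns" and e.data}
    recon = sorted({e.name for e in events if e.kind == "dns" and e.name in IP_RECON_HOSTS})
    if recon:
        findings.append(Finding("ip_recon", "external IP lookup via " + ", ".join(recon)))
    if any(is_hosting_probe(e) for e in events):
        findings.append(Finding("hosting_probe", "ip-api.com hosting flag queried (sandbox check)"))
    relays = {}
    for e in events:
        if e.kind != "smtp" or e.dport not in MAIL_SUBMISSION_PORTS:
            continue
        ident = bare_numeric_ehlo(e)
        if ident:
            relays.setdefault(e.dst, set()).add(ident)
    for dst, idents in sorted(relays.items()):
        host = resolved.get(dst, "unresolved")
        findings.append(Finding("smtp_submission",
                                f"EHLO {'/'.join(sorted(idents))} to {host} ({dst})"))
    # Recon followed by direct submission with a numeric EHLO is the pattern above.
    if recon and relays:
        findings.append(Finding("agenttesla_pattern",
                                "IP recon followed by direct SMTP submission with numeric EHLO"))
    return findings


# Constructed sample modelled on the DNS, HTTP and SMTP rows of this report.
SAMPLE_EVENTS = [
    Event("dns", "1.1.1.1", "192.168.2.7", name="api.ipify.org", data="172.67.74.152"),
    Event("dns", "1.1.1.1", "192.168.2.7", name="ip-api.com", data="208.95.112.1"),
    Event("dns", "1.1.1.1", "192.168.2.7", name="nl9.nlkoddos.com", data="89.249.49.141"),
    Event("http", "192.168.2.7", "172.67.74.152", 443, "api.ipify.org", "GET / HTTP/1.1"),
    Event("http", "192.168.2.7", "208.95.112.1", 80, "ip-api.com", "GET /line/?fields=hosting HTTP/1.1"),
    Event("smtp", "192.168.2.7", "89.249.49.141", 587, data="EHLO 707748"),
    Event("smtp", "192.168.2.7", "89.249.49.141", 587, data="STARTTLS"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The numeric EHLO is the cheapest single indicator: a legitimate mail client announces a host name, and the server echoed the same bare number back in its 250 greeting. The relay address is matched against DNS answers rather than a static list, so the rule still fires when the operator rotates the mail host.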

Target ID: 0
Start time: 10:02:23
Start date: 04/05/2024
Path: C:\Users\user\Desktop\DHL_VTER000105453.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\DHL_VTER000105453.exe"
Imagebase: 0x150000
File size: 713'224 bytes
MD5 hash: 7DEC2C3596F3081F16FB71AF0B1340EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1233395937.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1228882170.0000000002491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1230174556.000000000366E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1228882170.000000000252A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:02:24
Start date: 04/05/2024
Path: C:\Users\user\Desktop\DHL_VTER000105453.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\DHL_VTER000105453.exe"
Imagebase: 0x790000
File size: 713'224 bytes
MD5 hash: 7DEC2C3596F3081F16FB71AF0B1340EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2455637570.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2455637570.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2455637570.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2450708050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 10%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 200
Total number of Limit Nodes: 16

[Rendered execution graph omitted. Windows API calls named in its nodes: in the 0x44e0000 region, CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, FindCloseChangeNotification and PostMessageW; in the 0x22d0000 region, CreateActCtxA, DuplicateHandle, GetModuleHandleW and LoadLibraryExW; in the 0x4a60000 region, CallWindowProcW.]
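The 0x44e0000 nodes of the execution graph reach CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is the API chain of process hollowing: create a child suspended, map a payload into it, point its thread at the new entry and resume it. That is consistent with the second DHL_VTER000105453.exe instance (Target ID 3, same path, different image base) carrying the AgentTesla matches at 0x402000. The following is an added example, not Joe Sandbox code, of matching that ordered chain in an API-call trace. The trace tuple format (caller PID, API name, target PID, creation flags), the CREATE_SUSPENDED check and SAMPLE_TRACE with the made-up child PID 5112 are assumptions for this example; only the API names and PID 5060 (from the HTTP session table) come from the report.

```python
"""Match the process-hollowing API chain in an API-call trace (added example)."""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit of CreateProcessA/W

# The chain in order; any API in a stage's set satisfies that stage.
STAGES = [
    ("create_suspended", {"CreateProcessA", "CreateProcessW"}),
    ("alloc_remote", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]
WRITE_APIS = STAGES[2][1]


def detect_hollowing(trace):
    """Return {target_pid: {"stages": [...], "writes": n, "complete": bool}}
    for each target that a different process created suspended. 'flags' is the
    dwCreationFlags value on CreateProcess* calls and 0 on everything else."""
    state = {}
    for caller, api, target, flags in trace:
        if caller == target:
            continue                      # a process writing itself is not hollowing
        s = state.get(target)
        if s is None:
            # Only a suspended creation by another process opens a candidate.
            if api in STAGES[0][1] and flags & CREATE_SUSPENDED:
                state[target] = {"stages": [STAGES[0][0]], "writes": 0, "complete": False}
            continue
        if api in WRITE_APIS:
            s["writes"] += 1              # count every write, not only the first
        if s["complete"]:
            continue
        stage, apis = STAGES[len(s["stages"])]
        if api in apis:                   # calls out of order are ignored
            s["stages"].append(stage)
            s["complete"] = len(s["stages"]) == len(STAGES)
    return state


def completed_targets(trace):
    """PIDs for which the whole chain was observed, sorted."""
    return sorted(pid for pid, s in detect_hollowing(trace).items() if s["complete"])


# Constructed trace modelled on the graph: 5060 is the PID of the first
# DHL_VTER000105453.exe instance; 5112 is a made-up PID for the suspended
# child. ReadProcessMemory and the repeated writes show that interleaved and
# repeated calls do not break the match.
SAMPLE_TRACE = [
    (5060, "CreateProcessA", 5112, CREATE_SUSPENDED),
    (5060, "ReadProcessMemory", 5112, 0),
    (5060, "VirtualAllocEx", 5112, 0),
    (5060, "WriteProcessMemory", 5112, 0),   # PE headers
    (5060, "WriteProcessMemory", 5112, 0),   # sections
    (5060, "WriteProcessMemory", 5112, 0),
    (5060, "Wow64SetThreadContext", 5112, 0),
    (5060, "ResumeThread", 5112, 0),
    (1000, "CreateProcessA", 2000, 0),       # benign: child not created suspended
    (1000, "WriteProcessMemory", 2000, 0),
]

if __name__ == "__main__":
    for pid, s in detect_hollowing(SAMPLE_TRACE).items():
        status = "COMPLETE" if s["complete"] else "partial"
        print(pid, " -> ".join(s["stages"]), f"writes={s['writes']}", status)
```

The Wow64 variant of SetThreadContext is included because both instances here are 32-bit processes (Wow64 process: true above); a rule that only lists SetThreadContext misses them. A PID-level trace cannot check that the context is set on the suspended child's primary thread, so a production rule keyed on handles would add that step.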

Control-flow Graph

[Rendered control-flow graph omitted (legend: Executed / Not Executed). It covers the function starting at 4a67278 in the memory dump listed below; its basic blocks consist almost entirely of long runs of calls into the 4a66ed8 to 4a67078 range.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1232834243.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 'Nq$$Nq
                                                              • API String ID: 0-3789758286
                                                              • Opcode ID: 17628ac8fa9a51fb8ed254ec04b12b22074cd7b8f1433bbdcac5f94da4c2edfa
                                                              • Instruction ID: 9adddd10a515e3468c3bc3c7e9c7f41b1c63e4e2ac2820ccf3f996b50c104253
                                                              • Opcode Fuzzy Hash: 17628ac8fa9a51fb8ed254ec04b12b22074cd7b8f1433bbdcac5f94da4c2edfa
                                                              • Instruction Fuzzy Hash: 9433D634A11219CFDB65EB64C994A99B7B1FF8A304F5142EAD4097B3A0DB31AEC5CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 04A67268, basic blocks 04A67268-04A6988C; calls only helper routines inside the same region (04A66ED8-04A67078), no imported API.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1232834243.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 'Nq$$Nq
                                                              • API String ID: 0-3789758286
                                                              • Opcode ID: fb08063bfb16c49950dde8b281f6e5bb5aa9ff3f383ca314affc1674223f108f
                                                              • Instruction ID: 4f51501e12b476702a331412775c9f7fa01a4a3f7e35817373e433e68b6859b7
                                                              • Opcode Fuzzy Hash: fb08063bfb16c49950dde8b281f6e5bb5aa9ff3f383ca314affc1674223f108f
                                                              • Instruction Fuzzy Hash: 5133C534A11219CFDB65EB64C994A99B7B1FF8A304F5142EAD4097B3A0DB31AEC5CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 527e4c30e54ded909cf14aab7ecc06239e7a1132d8400dab7c9f73f3ed8edd22
                                                              • Instruction ID: 80818d9ef01efc3afa74e525f69a58a20b8e4c0a6ab7ddb2efcd6fcd3f9294f1
                                                              • Opcode Fuzzy Hash: 527e4c30e54ded909cf14aab7ecc06239e7a1132d8400dab7c9f73f3ed8edd22
                                                              • Instruction Fuzzy Hash: 98328A30B012049FEB19DFAAD450BBEB7F6AF89706F14846AE5069B395CB35EC01CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 85601d7d91e921cba6f43935c922b23892d8355aa6e8b541b7769cabb40857a5
                                                              • Instruction ID: c8d291400a6a0598b8c4663b9eed50cc8e81211ccb04a46e323b83359b1b3041
                                                              • Opcode Fuzzy Hash: 85601d7d91e921cba6f43935c922b23892d8355aa6e8b541b7769cabb40857a5
                                                              • Instruction Fuzzy Hash: FD51E474E052099FDB44DFAAD5809AEFBF6FF88310F14C166E419A7255D7309942CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 044E093D, basic blocks 044E093D-044E0C8D; CreateProcessA is called from block 044E0AD7-044E0B91.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 044E0B7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 4523a489e28c46592ac3c80e58890820f2cc4d17f990a93d66f87a2b04242a2b
                                                              • Instruction ID: 92ffa5b36b4cc30968ed5fb34c451f3c8ba4c273dc51d943f741d21835c6601d
                                                              • Opcode Fuzzy Hash: 4523a489e28c46592ac3c80e58890820f2cc4d17f990a93d66f87a2b04242a2b
                                                              • Instruction Fuzzy Hash: 43A14C71D013299FEF24CF69C8407EEBBB2FB48315F14856AD818A7244DB74A985CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 044E0948, basic blocks 044E0948-044E0C8D; CreateProcessA is called from block 044E0AD7-044E0B91.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 044E0B7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: e360dcc4adad8bd8dee3953b05aa6a3efbc1e36dd7960e7346783282168351b2
                                                              • Instruction ID: 46317e3a1f0454108d8ac368072d2df15acbd97f87cdb56632dea7e00b839413
                                                              • Opcode Fuzzy Hash: e360dcc4adad8bd8dee3953b05aa6a3efbc1e36dd7960e7346783282168351b2
                                                              • Instruction Fuzzy Hash: 69915E71D01329DFEF24CF69C8407AEBBF2BB48315F14856AD818A7244DB74A985CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 022DADC8, basic blocks 022DADC8-022DB048; calls helper routines 022D9740, 022DA110, 022DA120, 022DA130, 022DA140, 022DB051 and 022DB060; GetModuleHandleW is called from block 022DB000-022DB02B.
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 022DB01E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 929dfbcbe0abcac5bbb8be5445983c935ead95bcd99b77b1281f614b914573c1
                                                              • Instruction ID: dd78c703b3b2a72c15112858dc4e0da2d9210341fb619a2be73da0a1c91581ea
                                                              • Opcode Fuzzy Hash: 929dfbcbe0abcac5bbb8be5445983c935ead95bcd99b77b1281f614b914573c1
                                                              • Instruction Fuzzy Hash: B5714870A10B068FD724DFAAD454B5ABBF1FF88304F00892DD48AD7A54DB75E846CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 022D590D, basic blocks 022D590D-022D5A61; CreateActCtxA is called from block 022D598F-022D59D9.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 022D59C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 5c69e115922d6e69e579ab788cbbea4ff178cdf2539034f2d26f8f4b7e0706ad
                                                              • Instruction ID: 3fac23ffc7770401838d25a6a445784676e863d5fc1de712f6e563839b17064a
                                                              • Opcode Fuzzy Hash: 5c69e115922d6e69e579ab788cbbea4ff178cdf2539034f2d26f8f4b7e0706ad
                                                              • Instruction Fuzzy Hash: F141E371C01729CBEB24CFA5C88479DBBB1BF48314F60816AD409AB255DBB56946CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 022D5A84, a single basic block 022D5A84-022D5B14 with no calls.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7e657ba810a82a5ccc9628fbb5a1c9df5f05f1e2fb5ea4b841a98d98016a482
                                                              • Instruction ID: 10e2c6636183b48de121a1292dfde221b7f0fe982a481e5dc3befeab79004a95
                                                              • Opcode Fuzzy Hash: a7e657ba810a82a5ccc9628fbb5a1c9df5f05f1e2fb5ea4b841a98d98016a482
                                                              • Instruction Fuzzy Hash: EE31CC72C05759CFEB20CBE8C8457EDBBF1EF46314F90818AC005AB259C7B9A94ACB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 022D44D4, basic blocks 022D44D4-022D5A61; CreateActCtxA is called from the entry block 022D44D4-022D59D9.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 022D59C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: dc7ffa427ae2f924a414be4355e0332e0d83375a5c13da4ce7dae6916456f284
                                                              • Instruction ID: 9dd0ad019330fe899a345415cc67f692174970061fe738942919659bda5297e7
                                                              • Opcode Fuzzy Hash: dc7ffa427ae2f924a414be4355e0332e0d83375a5c13da4ce7dae6916456f284
                                                              • Instruction Fuzzy Hash: 9141F370C1072DCBEB24DFAAC844B9DBBF1BF48314F60816AD408AB255DBB56946CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 04A64040, basic blocks 04A64040-04A6415C; CallWindowProcW is called from block 04A640DA-04A64112.
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A64101
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1232834243.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: 3ae4e93a8069242c50b898a9d8dae429e3a165e6e7b7c9fcf206e81ce03474ad
                                                              • Instruction ID: ac65cb51bd30e2a6fdffddc9e63f88b72b8881ea40eb96c868963529420b94d2
                                                              • Opcode Fuzzy Hash: 3ae4e93a8069242c50b898a9d8dae429e3a165e6e7b7c9fcf206e81ce03474ad
                                                              • Instruction Fuzzy Hash: F24135B8A00319DFDB14CF99C848AAABBF5FB88314F258459D519AB321D775A841CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Control-flow Graph
• Summary (rendered graph data not reproduced): function at 044E06B9, basic blocks 044E06B9-044E0796; WriteProcessMemory is called from block 044E071E-044E075D.
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 044E0750
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 195e99f042b5306c0149da204471e4709f25692e3f197beb31df4f267d3b7f14
                                                              • Instruction ID: eaf06290cbe74af6936e0bf819f4f8ddc253b135fc68aa7ae5ad7e06bc391cbc
                                                              • Opcode Fuzzy Hash: 195e99f042b5306c0149da204471e4709f25692e3f197beb31df4f267d3b7f14
                                                              • Instruction Fuzzy Hash: 85213775D003598FDB20DFAAC881BEEBBF1FB48310F14852AE959A7240C778A941DF64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              • Blocks: 44e06c0-44e070e, 44e0710-44e071c, 44e071e-44e075d (WriteProcessMemory), 44e075f-44e0765, 44e0766-44e0796
                                                              • Edges: 44e06c0->44e071e, 44e06c0->44e0710, 44e0710->44e071e, 44e071e->44e075f, 44e071e->44e0766, 44e075f->44e0766
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 044E0750
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 51f4aaa174a9c6f5416922c94b28dbce9b1d413e7503f4df6b4f460e54199f37
                                                              • Instruction ID: 8dc8a95a7a018816d3033553e1690001e721afe7442af14bab230de3494f17ec
                                                              • Opcode Fuzzy Hash: 51f4aaa174a9c6f5416922c94b28dbce9b1d413e7503f4df6b4f460e54199f37
                                                              • Instruction Fuzzy Hash: C7211575D003599FDB10DFAAC881BEEBBF5FB48310F50842AE919A7240C778A951CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              • Blocks: 44e0521-44e0573, 44e0575-44e0581, 44e0583-44e05b3 (Wow64SetThreadContext), 44e05b5-44e05bb, 44e05bc-44e05ec
                                                              • Edges: 44e0521->44e0575, 44e0521->44e0583, 44e0575->44e0583, 44e0583->44e05bc, 44e0583->44e05b5, 44e05b5->44e05bc
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044E05A6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 3d8c285d136be3abf40dbb993e117dfb560bae3fa38491e6fd0708b9a75d11ac
                                                              • Instruction ID: 59da39de0c683b2f27b02f9500651f249cc92adc70bf386fd62e4c01b10ec048
                                                              • Opcode Fuzzy Hash: 3d8c285d136be3abf40dbb993e117dfb560bae3fa38491e6fd0708b9a75d11ac
                                                              • Instruction Fuzzy Hash: D3213975D003098FDB20DFAAC4857EEBBF1EB48321F54852AD959A7240CB78A945CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              • Blocks: 44e07a8-44e083d (ReadProcessMemory), 44e083f-44e0845, 44e0846-44e0876
                                                              • Edges: 44e07a8->44e083f, 44e07a8->44e0846, 44e083f->44e0846
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 044E0830
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: b193295a4abafd69338568b238d601ca41d59ba43c2eca087fe58f09a4ddc2ba
                                                              • Instruction ID: cb0effc4fd9213adf0b475e45a97fa743323eb7a17dfb014fa339ef9dcd14ea3
                                                              • Opcode Fuzzy Hash: b193295a4abafd69338568b238d601ca41d59ba43c2eca087fe58f09a4ddc2ba
                                                              • Instruction Fuzzy Hash: 40213971C003599FDB10CFAAC880BEEBBF1FF48310F54842AE959A7240C7789541DB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              • Blocks: 44e001a-44e00af (ResumeThread), 44e00b1-44e00b7, 44e00b8-44e00dd
                                                              • Edges: 44e001a->44e00b8, 44e001a->44e00b1, 44e00b1->44e00b8
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 086209f9fcf233b9c9c03a89cf61e79ad1650a0bd0ade76f7f05cf60ad80d3cd
                                                              • Instruction ID: ae03288045595e9f5165baeee5714cb03f13c7b7c65fecdf0f311e1aea4b95b7
                                                              • Opcode Fuzzy Hash: 086209f9fcf233b9c9c03a89cf61e79ad1650a0bd0ade76f7f05cf60ad80d3cd
                                                              • Instruction Fuzzy Hash: 6D218B75C003588FDB20DFA9D8417EFBBF1EF88314F14845AC455A7250C6356506CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              • Blocks: 22dbb40-22dd744 (DuplicateHandle), 22dd746-22dd74c, 22dd74d-22dd76a
                                                              • Edges: 22dbb40->22dd74d, 22dbb40->22dd746, 22dd746->22dd74d
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,022DD676,?,?,?,?,?), ref: 022DD737
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 4f67f4c86466b5f391def0c67f6773d4ee8d1e9bd7ea04100f1a917d82c96f8c
                                                              • Instruction ID: 5acbf088872856defeb62f406e9391c501ab08ca515df7958c5031c8f9aec79c
                                                              • Opcode Fuzzy Hash: 4f67f4c86466b5f391def0c67f6773d4ee8d1e9bd7ea04100f1a917d82c96f8c
                                                              • Instruction Fuzzy Hash: AE21E5B5D103499FDB10CF9AD584AEEBBF4EB48310F14845AE958A3350D374A951CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044E05A6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: f6c1f4387dce9456a819758fe7376602d9d595ecd0fa7d24c42b7d83f3bebc24
                                                              • Instruction ID: 99228520599c70422ebed199bb6c66480e583f521ed3d1b9cb7f3c1803b0f51d
                                                              • Opcode Fuzzy Hash: f6c1f4387dce9456a819758fe7376602d9d595ecd0fa7d24c42b7d83f3bebc24
                                                              • Instruction Fuzzy Hash: F6213871D003098FDB20DFAAC4857AEBBF4EF48320F54842AD859A7240CB78A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 044E0830
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 6baa59541a93c268e76b45fea3cc55e7e8043e762a623c2ac661e82c33ffa2c7
                                                              • Instruction ID: 8259aef693f46e44f050da5a3bcf9621327048eb80cf322be6080f7697b1a956
                                                              • Opcode Fuzzy Hash: 6baa59541a93c268e76b45fea3cc55e7e8043e762a623c2ac661e82c33ffa2c7
                                                              • Instruction Fuzzy Hash: 4C212871C003599FDB10DFAAC881BEEBBF5FF48310F50842AE919A7240C779A951DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,022DD676,?,?,?,?,?), ref: 022DD737
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 5d19d689184c8ac415b0403aaec0b455eceab1cd9249bb1934b9b113e1f381f0
                                                              • Instruction ID: 05827ea025752606918ece2fbef8661280fa4ff62d32d476a32a23e8c2e8e5e5
                                                              • Opcode Fuzzy Hash: 5d19d689184c8ac415b0403aaec0b455eceab1cd9249bb1934b9b113e1f381f0
                                                              • Instruction Fuzzy Hash: CC21E4B5D00249DFDB10CFAAD984ADEBFF5EB48310F14805AE954A7350C378A951CF64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 044E066E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 9a5c2dc26d8ab79aa5d076c3eb85ef8c43dd0168bd9ca5e24ea9a006d5e63492
                                                              • Instruction ID: c01958f58696f927b2f1d890c94ccc99ff8f944a95c3d85c82bcb68b7ec48ca8
                                                              • Opcode Fuzzy Hash: 9a5c2dc26d8ab79aa5d076c3eb85ef8c43dd0168bd9ca5e24ea9a006d5e63492
                                                              • Instruction Fuzzy Hash: 671147759003498FDB20DFAAC844BEEBBF1EF88320F24851AE555A7250C775A941DFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022DB099,00000800,00000000,00000000), ref: 022DB2AA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: ced3443136a3185817d984620a358b2b4d807b6c8226626a2c9ce99579cd9c01
                                                              • Instruction ID: 8fa44107825cbb148b37efd25c5c64befc0582466f25af0cda89b703b7e51838
                                                              • Opcode Fuzzy Hash: ced3443136a3185817d984620a358b2b4d807b6c8226626a2c9ce99579cd9c01
                                                              • Instruction Fuzzy Hash: 791117B6D103099FDB20CF9AC444B9EFBF4EB48314F11842ED515A7200C7B5A545CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022DB099,00000800,00000000,00000000), ref: 022DB2AA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: fcd5cb5449acbc826531e4a7ed21ae3a2bc6674a6d66dee1ded2cc949e57e015
                                                              • Instruction ID: 36a889932a5456c4be0b3c3b5b1d93411365caea16367c6e7f5470123ff2c6b0
                                                              • Opcode Fuzzy Hash: fcd5cb5449acbc826531e4a7ed21ae3a2bc6674a6d66dee1ded2cc949e57e015
                                                              • Instruction Fuzzy Hash: E81117B6D002098FDB20DF9AC944BDEFBF4EB48314F11841ED415A7600C775A546CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 044E066E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 1eeee0328537dbd9391a216eed4b471dc938048bc02899c5dc7aa9d2e7377ebf
                                                              • Instruction ID: 514a187868c7cd916655a5c1df15a7b0d4edd29fe3d0a678bd5089e45f080cca
                                                              • Opcode Fuzzy Hash: 1eeee0328537dbd9391a216eed4b471dc938048bc02899c5dc7aa9d2e7377ebf
                                                              • Instruction Fuzzy Hash: F61117718003499FDB20DFAAC845BEEBBF5EB88320F148419E515A7250CB75A951CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,044E4C51,?,?), ref: 044E4DF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotification
                                                              • String ID:
                                                              • API String ID: 2591292051-0
                                                              • Opcode ID: 1d76ad74e5ba39b0e375492d7bc8c3ac922bd8bf9545cfbb93d268dbad14adb5
                                                              • Instruction ID: bb32a7edc1fac9a5f9237c7c30af020877f804de3a979f299d036934ed6b2e79
                                                              • Opcode Fuzzy Hash: 1d76ad74e5ba39b0e375492d7bc8c3ac922bd8bf9545cfbb93d268dbad14adb5
                                                              • Instruction Fuzzy Hash: F51128B58002598FDB20DF99C545BEEBBF0EB48320F24841AD559A7740C738A645CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,044E4C51,?,?), ref: 044E4DF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotification
                                                              • String ID:
                                                              • API String ID: 2591292051-0
                                                              • Opcode ID: 9ba385e0cce7038b6cd4705a7266b549bb065a3cb18fa3d6b8782eea891ecb29
                                                              • Instruction ID: e1994cb1d4619ce827139a71e5feed5d12d3fe99496e04ae646cd66107531d38
                                                              • Opcode Fuzzy Hash: 9ba385e0cce7038b6cd4705a7266b549bb065a3cb18fa3d6b8782eea891ecb29
                                                              • Instruction Fuzzy Hash: 571166B5C003498FDB20DF9AC445BEEBBF4EB48320F10842AD959A7340D738A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 838ed0a25c2c1bdf4263b483ea3888577c645aa092b33499de21010996a8c0c3
                                                              • Instruction ID: 142d934dfdfa455f04707d36782bb76b8be533da61267186d2adf67d1d5f04d1
                                                              • Opcode Fuzzy Hash: 838ed0a25c2c1bdf4263b483ea3888577c645aa092b33499de21010996a8c0c3
                                                              • Instruction Fuzzy Hash: 3C115871C003488FDB20DFAAC4457AEFBF4EB88324F20841AD519A7240CB79A941CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 044E2C8D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: b32e6167cc91bf7c751a227881e5b240579ebd47683f03369b27f73c96434eb6
                                                              • Instruction ID: e73b9fdb8d80bb0d150d35b83234373d12c6a1f06aaae54809116cf520b9c522
                                                              • Opcode Fuzzy Hash: b32e6167cc91bf7c751a227881e5b240579ebd47683f03369b27f73c96434eb6
                                                              • Instruction Fuzzy Hash: 4F1136B98003498FDB20DF9AD945BEEBFF8FB48310F10845AD554A7200C374A545CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 022DB01E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228672892.00000000022D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_22d0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: d7bb395bc2d66300b91a883c87b3a6a5e8d55efc4363b1d6d17018f7d6517069
                                                              • Instruction ID: 60f25a94ed996d1cc6f2e550a40e9986ff5088c80b6ee9807c60812f69b51216
                                                              • Opcode Fuzzy Hash: d7bb395bc2d66300b91a883c87b3a6a5e8d55efc4363b1d6d17018f7d6517069
                                                              • Instruction Fuzzy Hash: B411DFB5C003498FDB20DF9AD444B9EFBF4EB88325F11842AD829A7610D379A545CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 044E2C8D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1231953475.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 12aecbb203eba144edb9482c360556c2613de734a5040a57db8dcf35a42e0705
                                                              • Instruction ID: e55709a8ef70ea80f54d47af850a747f5e423a89cb6ec5bf7d2722244bcd3443
                                                              • Opcode Fuzzy Hash: 12aecbb203eba144edb9482c360556c2613de734a5040a57db8dcf35a42e0705
                                                              • Instruction Fuzzy Hash: E211D3B58003499FDB20DF9AD945BDEBBF8FB48320F10845AD559A7250C379A944CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97aff27b97d1b468ee4dffb559d51177a644c2685dcb269a2a86cf7f9d19b4cd
                                                              • Instruction ID: 374df9c928e6733114664ed9656dad30b015469fc026be5ec1f5791639286424
                                                              • Opcode Fuzzy Hash: 97aff27b97d1b468ee4dffb559d51177a644c2685dcb269a2a86cf7f9d19b4cd
                                                              • Instruction Fuzzy Hash: BD61D478E08208DFDB48DFAAD944AADBBF6FF89300F10912AE519AB354D7715846CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c09692dfa0053c0cc8e2e0c79fc6dc615964bbb2a16a4b0f04b9e38d931e4cd2
                                                              • Instruction ID: 1642d099e6bc31b6e8f094c1b92b5d942bdb35d4f2cd3a5a95bfd7ae41f5e9cc
                                                              • Opcode Fuzzy Hash: c09692dfa0053c0cc8e2e0c79fc6dc615964bbb2a16a4b0f04b9e38d931e4cd2
                                                              • Instruction Fuzzy Hash: 9F51E130B043068FDB15EB7A9C845AFBBF6FFC5220715856AE415DB391EB309C068791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56720d1de4628e91eb541b407fd5803bedd7243d765530f895318fe6ed7e1c1d
                                                              • Instruction ID: 15d2b0aa01a7d5749c1cedd617d9b826bb4cb7c4826652b4525e51253b100de5
                                                              • Opcode Fuzzy Hash: 56720d1de4628e91eb541b407fd5803bedd7243d765530f895318fe6ed7e1c1d
                                                              • Instruction Fuzzy Hash: 9851E578E04219DFDB44DFAAC9409ADBBF1FB49360F10942AE856EB354D730A801CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a61e63a15c76daed1e7615331512516e939d3c74e3846bd432d5a9afd0337283
                                                              • Instruction ID: a91e083a67f3ca1bf2458e4999b2418778ed4d37bc9d77d22f0a1829f700680e
                                                              • Opcode Fuzzy Hash: a61e63a15c76daed1e7615331512516e939d3c74e3846bd432d5a9afd0337283
                                                              • Instruction Fuzzy Hash: D951F474E142089FDB45EFA9E894A9EBBF6FB89310F108025E905B7358CB749D41CF64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15f8afbfadf55f8349e21954ababaa7797fcbcae760d273b9be35758ef817737
                                                              • Instruction ID: 4b5d9e31b1fa07fcddae702c4c24a69e5edb8d6753cc7728a88490aa41c5f3b1
                                                              • Opcode Fuzzy Hash: 15f8afbfadf55f8349e21954ababaa7797fcbcae760d273b9be35758ef817737
                                                              • Instruction Fuzzy Hash: 1941F238E012189FDB00EFA8D484AEEBBF6FB48320F109455E914B7354D7359995CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd0d71314857c70964dc5417f500c0873a64b60828d2191dbeabc623385750c6
                                                              • Instruction ID: 625ff29432302a32b7db4f31a3fb11b38d313a9670a0e9932372d73232797230
                                                              • Opcode Fuzzy Hash: dd0d71314857c70964dc5417f500c0873a64b60828d2191dbeabc623385750c6
                                                              • Instruction Fuzzy Hash: 75312A74E00209AFDB05DF98E840AEEBBB5FF48310F108565E915BB354D7709A41CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228438707.000000000227D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0227D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_227d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4300eca757d4c9295c791cbdcb9d899b89877dd535948c850be78fd76dbc2fab
                                                              • Instruction ID: 1fca639f62e4bbcbb3fd849b7e817633f705c847d286ac1000986d6eecfc5cd4
                                                              • Opcode Fuzzy Hash: 4300eca757d4c9295c791cbdcb9d899b89877dd535948c850be78fd76dbc2fab
                                                              • Instruction Fuzzy Hash: 0A21F172618200DFDB05DF90D9C4B26BB65FF98310F24C5A9E8090A24BC3B6D817CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228438707.000000000227D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0227D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_227d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3dadf1c8010678c74a8ddefc469496fb7808d46eef076ed4022b702ae4b7e9e1
                                                              • Instruction ID: 6c725f5029240c3d245e9ba561fea9057f102c8b91d3e44196f423ba3d464fca
                                                              • Opcode Fuzzy Hash: 3dadf1c8010678c74a8ddefc469496fb7808d46eef076ed4022b702ae4b7e9e1
                                                              • Instruction Fuzzy Hash: 9E212571518241DFDB15DF54D9C0B26BF65FF88328F24C669E8090B25AC336D456CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228497554.000000000228D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0228D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_228d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d2c3538c86a9d2d7ad8085115114947cdcd6312c06b762617a44d6cb5e20c74
                                                              • Instruction ID: 480639f6b447854a97b7fb0b32df6c3ceb9c1a5f22169c60565b23256f090dd6
                                                              • Opcode Fuzzy Hash: 9d2c3538c86a9d2d7ad8085115114947cdcd6312c06b762617a44d6cb5e20c74
                                                              • Instruction Fuzzy Hash: E9212275614300DFDB14EFA0D9C4B16BBA1EB84324F20C56DD84A4B3CAC376D80BCA62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228497554.000000000228D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0228D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_228d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f3e4d7cf0d3b2e6a73eb529a571d799e77a875960445e2f95c82f3f1df5123a1
                                                              • Instruction ID: 4c46d5a3151bc4a713542b5c0acf348a25d3f4099a651d87d9ce75e09eca7ff7
                                                              • Opcode Fuzzy Hash: f3e4d7cf0d3b2e6a73eb529a571d799e77a875960445e2f95c82f3f1df5123a1
                                                              • Instruction Fuzzy Hash: 51212571614200DFDB04EFA0D9C0B25BBA1FB84314F20C66DD8094B2DEC3B6D80ACA62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f565853dfdcbcf09904495f9b545e46fb66f8753fa3155e11a3daa8f715304c0
                                                              • Instruction ID: feae3ad1230dc9b41f428dc16c852c026d7942520501b327f81ab2170fd175c0
                                                              • Opcode Fuzzy Hash: f565853dfdcbcf09904495f9b545e46fb66f8753fa3155e11a3daa8f715304c0
                                                              • Instruction Fuzzy Hash: ED312774A10608EFD744DF5AE684A8DBBF5FF88300B6280D5D548AB365DB30EE91DB04
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb27fbf12e6e1a2f7f3b6efeb3661856131ff88ecbe15e30ee0bea36b6a66c8b
                                                              • Instruction ID: b7f9934889cc27326c3ea513ea2189c5f6a3882331c0e1e48a47710e2a9ebe37
                                                              • Opcode Fuzzy Hash: eb27fbf12e6e1a2f7f3b6efeb3661856131ff88ecbe15e30ee0bea36b6a66c8b
                                                              • Instruction Fuzzy Hash: 6631C0B0D013199FEB60DF9AC984B8EBBF5EF48314F258059E404BB250C7B5A845CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228497554.000000000228D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0228D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_228d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71983e0fc855712e27f204d27bea19294618ae30dfaadb0bf99f979b6ad84811
                                                              • Instruction ID: 6cc7a8b634090e7345430f310af31497fbe308b9ea8a7e29a6ceae8daf114a55
                                                              • Opcode Fuzzy Hash: 71983e0fc855712e27f204d27bea19294618ae30dfaadb0bf99f979b6ad84811
                                                              • Instruction Fuzzy Hash: AB218E755093808FDB02DF64D990715BF71EB46314F28C5DAD8898B6A7C33AD80ACB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc6468a467a3eee055afcc23977a3d57b4b6ee1b6234b4adb56ee9230e8a6add
                                                              • Instruction ID: 04ffbf2fc200c9db392170cb14b449284f4eb57016e28477587dfcf6c7c39564
                                                              • Opcode Fuzzy Hash: cc6468a467a3eee055afcc23977a3d57b4b6ee1b6234b4adb56ee9230e8a6add
                                                              • Instruction Fuzzy Hash: 28112131F0021A8FCB54EBB998106EFBAF6AF84311B104069D505EB344EB319D01CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228438707.000000000227D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0227D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_227d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                              • Instruction ID: c8c09a5df6f97ba0085e6906ae38a6ee090334ae3df926c467a6ca27fa6639f6
                                                              • Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                              • Instruction Fuzzy Hash: 1C219D76508240DFDB06CF50D9C4B56BF62FF84314F24C5AADC490A65AC37AD426CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2051b13df625b3d73df8c974e4e9fc3cda87f8c24ddd79d664fc499e029d1c9
                                                              • Instruction ID: b65ed81f1f19d2fe7eb081a647f3477b67e024d7abd0c9d8494e32f7eb99b9bd
                                                              • Opcode Fuzzy Hash: e2051b13df625b3d73df8c974e4e9fc3cda87f8c24ddd79d664fc499e029d1c9
                                                              • Instruction Fuzzy Hash: FF2103B5C003499FDB20DF9AC884BDEBBF4FB48320F108429E919A7210C375A955CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228438707.000000000227D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0227D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_227d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction ID: f9a7a2fca49f99a1d43a644ef281a8b07d9b8e5e2814babb1a0ca0cfbee87ab9
                                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction Fuzzy Hash: 5411E676504280CFCB15CF54D5C4B16BF72FF84328F24C6A9D8490B65AC336D45ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1228497554.000000000228D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0228D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_228d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: ff290665af784f81a777a4d8f5cf6b6b8ca656dd7f1231b9b19b1006ae0b8418
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: 1D11BB75544280DFDB05EF64C5C0B15BBA2FB84324F24C6ADD8494B29AC37AD41ACB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1233738316.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6a60000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 610fd1dc0e9d6eaccf361799b639f4e272f1d3ffc788e271c4efa167d57286f4
                                                              • Instruction ID: 3cafb1379bf17e0a7e3a0500b9cd57623811a74089d39dbcdcf78bded762e888
                                                              • Opcode Fuzzy Hash: 610fd1dc0e9d6eaccf361799b639f4e272f1d3ffc788e271c4efa167d57286f4
                                                              • Instruction Fuzzy Hash: BB11D238A10608EFC740DF99F484A99BBF8FB88310F5240D1DA84A7369D734EEA0CB45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
                                                              Execution Graph

                                                              Execution Coverage: 11.7%
                                                              Dynamic/Decrypted Code Coverage: 96.6%
                                                              Signature Coverage: 1%
                                                              Total number of Nodes: 292
                                                              Total number of Limit Nodes: 28
69c09d0 34395->34396 34401 69c09e0 34395->34401 34397 69c09e0 34396->34397 34399 69c0a25 CreateWindowExW 34397->34399 34400 69c0a30 CreateWindowExW 34397->34400 34398 69c0a15 34398->34367 34399->34398 34400->34398 34403 69c0a25 CreateWindowExW 34401->34403 34404 69c0a30 CreateWindowExW 34401->34404 34402 69c0a15 34402->34367 34403->34402 34404->34402 34406 106f352 34405->34406 34407 106f358 GetModuleHandleW 34405->34407 34406->34407 34408 106f385 34407->34408 34408->34374 34411 69cc804 34409->34411 34410 69cc829 34410->34375 34411->34410 34412 69cbb04 LoadLibraryExW 34411->34412 34412->34410 34414 69cc850 LoadLibraryExW 34413->34414 34416 69cc8c9 34414->34416 34416->34377 34417 1067ec8 34418 1067f0c CheckRemoteDebuggerPresent 34417->34418 34419 1067f4e 34418->34419

                                                              Control-flow Graph
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01067F3F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2455171343.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1060000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: f11c435f9a2bee919f06fe37fdd7166caf0000ff9848f8d0d8f1223e8c87c917
                                                              • Instruction ID: 6f52b7c7b9d1e89f9eb9295ac686bb69af67ba55e777b719acc6f8b9d207634e
                                                              • Opcode Fuzzy Hash: f11c435f9a2bee919f06fe37fdd7166caf0000ff9848f8d0d8f1223e8c87c917
                                                              • Instruction Fuzzy Hash: E5212871C002598FDB10CF9AD844BEEFBF4AF49310F14845AE959A3250D778A945CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,069C5890,00000000,00000000), ref: 069C5AA3
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: 665c80c873559416ee024c74053b32b3e0dd3e9ae5235fa9901f6de7cb0fa7f1
                                                              • Instruction ID: 547debe44b781b11471abaf33265ffca582091a29261ccd82bc1ab97e1d678d5
                                                              • Opcode Fuzzy Hash: 665c80c873559416ee024c74053b32b3e0dd3e9ae5235fa9901f6de7cb0fa7f1
                                                              • Instruction Fuzzy Hash: A4212775D002099FDB54DF9AC844BEEFBF5EB88320F148429E419A7250C774A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: Clipboard
                                                              • String ID: W
                                                              • API String ID: 220874293-655174618
                                                              • Opcode ID: 952a881b0a7c9baf7cfb9d2388699270bd5c76ec93c1e6c1427d90fcb5baf033
                                                              • Instruction ID: 4a1663b226123e4f7650ca71c3a71c1cd33b5f1ecbda099b9ebe385df9174d71
                                                              • Opcode Fuzzy Hash: 952a881b0a7c9baf7cfb9d2388699270bd5c76ec93c1e6c1427d90fcb5baf033
                                                              • Instruction Fuzzy Hash: 703131B0D01349DFEB24DFA9C984BDEBBF5AF08314F24805AE044AB294DBB46845CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461794968.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5211bb132049dfeed4a2f62468190a8af5ef97a80ba80b7b00d02a1a2cf090b
                                                              • Instruction ID: 21791584c9257963e2ed74ffb65e190bc4a4761353731248a0f98051ac8aa846
                                                              • Opcode Fuzzy Hash: b5211bb132049dfeed4a2f62468190a8af5ef97a80ba80b7b00d02a1a2cf090b
                                                              • Instruction Fuzzy Hash: B641F031D043958FCB15CFA9D8006EEFBF5AF8A210F14896BD498E7741DB349846CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C0B42
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 986dfe3ca22880e072bf0a5ee45607ba3549669493daaa426e494a574f7d21d3
                                                              • Instruction ID: c758f4163eea3978ba88f4d1740ef0d266c53263fdaff217c6105dd53b2cd3fa
                                                              • Opcode Fuzzy Hash: 986dfe3ca22880e072bf0a5ee45607ba3549669493daaa426e494a574f7d21d3
                                                              • Instruction Fuzzy Hash: C851CCB5D003499FDB14CFA9C884ADEBFB5BF88310F64852AE818AB210D771A841CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C0B42
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 67c2bb2183856989ec3cc17ff09ac34663fcd4db386879cf1da96f69e1b7c925
                                                              • Instruction ID: d0f3f4a386e2fbd2fb0ec1c992e6477f5645231e39e7d7bcdd58ff93d83ffca0
                                                              • Opcode Fuzzy Hash: 67c2bb2183856989ec3cc17ff09ac34663fcd4db386879cf1da96f69e1b7c925
                                                              • Instruction Fuzzy Hash: 2441CCB1D00309DFDF14CFAAC884ADEBBB5BF88310F24852AE818AB210D7719941CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 069C3049
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: 87c5c748b370b8516883c76ede4badf85a3705a028194d62e6b533aff12d404c
                                                              • Instruction ID: 9dc05125da86c25f1c74792fc9d48e2819de430ba53245d8c83a8adeeb1e2eec
                                                              • Opcode Fuzzy Hash: 87c5c748b370b8516883c76ede4badf85a3705a028194d62e6b533aff12d404c
                                                              • Instruction Fuzzy Hash: A2414A759003498FDB54CF99C488AAABBF5FF88314F24C89DD519A7321D335A841CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • GetSystemMetrics.USER32(0000004B), ref: 069C957D
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: MetricsSystem
                                                              • String ID:
                                                              • API String ID: 4116985748-0
                                                              • Opcode ID: a675148d91321c7975981ec6c706b0726ecc2ccdf532fbfa26313829e9783882
                                                              • Instruction ID: 03ef0c4c64991625bd28697eb14211e3f9bc3cd61331076a8e5285dfde40f641
                                                              • Opcode Fuzzy Hash: a675148d91321c7975981ec6c706b0726ecc2ccdf532fbfa26313829e9783882
                                                              • Instruction Fuzzy Hash: 3131EE71C45384CFEB61DF6AD5443AA7FF8AB06360F54449EC894AB682C7389608CB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: Clipboard
                                                              • String ID:
                                                              • API String ID: 220874293-0
                                                              • Opcode ID: cc03adc0e8e1491cd1a7d75cefe34c8bb726d6e8ebf3ac0c51102b64fe3801c6
                                                              • Instruction ID: 8976ddc00f0d3cf3e67307810e7a3ba6f43a89244bc73462e97d60d576d72c0b
                                                              • Opcode Fuzzy Hash: cc03adc0e8e1491cd1a7d75cefe34c8bb726d6e8ebf3ac0c51102b64fe3801c6
                                                              • Instruction Fuzzy Hash: 6E31F4B0D01309DFDB54DFA9C984BDEBBF5AF48314F208459E504AB290DB746845CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01067F3F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2455171343.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1060000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: fc25b59b4779e5556f5ce0f4e77562919d35e403b445fd9f789a6ad3d75a3412
                                                              • Instruction ID: 2431aeeadac96a4a27595633cc8bd1abc4b27fafd81d9d43da5e67ad9fd0abb5
                                                              • Opcode Fuzzy Hash: fc25b59b4779e5556f5ce0f4e77562919d35e403b445fd9f789a6ad3d75a3412
                                                              • Instruction Fuzzy Hash: 5C213971C002598FDB10CF9AD444BEEBBF4EF49310F14845AE954A7251D7789945CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069C2177
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 16158f74818b7e5f77b8a141c71c6691feba801bf943da6e6f71ef4e8cd56044
                                                              • Instruction ID: 7fac95739e5f46d30a3108ec73ce2412619389096694974fbc61832ba38ac371
                                                              • Opcode Fuzzy Hash: 16158f74818b7e5f77b8a141c71c6691feba801bf943da6e6f71ef4e8cd56044
                                                              • Instruction Fuzzy Hash: 2621E3B5D00349AFDB10CFAAD884AEEFFF5EB48320F14841AE954A3250D375A945CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069C2177
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 417ea18cf4d7de27a091578f25f1d2ec5b8548694ba70ecb1f0995613a6a5f54
                                                              • Instruction ID: 362fdd52ad45aafe326fb7580b4d94ca1e97254cd70807e1e98012ed4cef1032
                                                              • Opcode Fuzzy Hash: 417ea18cf4d7de27a091578f25f1d2ec5b8548694ba70ecb1f0995613a6a5f54
                                                              • Instruction Fuzzy Hash: A121E4B5D003499FDB10CFAAD884ADEFBF8EB48320F14841AE954A3350D375A945CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,069C5890,00000000,00000000), ref: 069C5AA3
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: c71fa00bbe0f33773cf48b35ba6950f2d011b99485774a8058df4075d30eb1ae
                                                              • Instruction ID: ccc090473a067711fe8d61416231c5dc32dcc1625c7155b11ba69376ea54f32a
                                                              • Opcode Fuzzy Hash: c71fa00bbe0f33773cf48b35ba6950f2d011b99485774a8058df4075d30eb1ae
                                                              • Instruction Fuzzy Hash: 65211575D002099FDB14DF9AC844BEEFBF5EB88320F10842AE459A7250C774A941CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,069CC829,00000800), ref: 069CC8BA
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 37035e8c18fb300b07034f409d273679c424550fb77bd6e0e5d42d4a9267f108
                                                              • Instruction ID: 9176de35ea023279dcebcf582bd9bd46f0ee33bccd63a24ae3a17bba76498e4e
                                                              • Opcode Fuzzy Hash: 37035e8c18fb300b07034f409d273679c424550fb77bd6e0e5d42d4a9267f108
                                                              • Instruction Fuzzy Hash: AA11C2B6D00349DFDB20DF9AC844A9EFBF4EB48320F10842ED559A7640C775A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069EF33A), ref: 069EF427
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461794968.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: e49caf0883015b5768dae494c7796e15f7b29098781cd862540f66954c426698
                                                              • Instruction ID: ed7c296bde7fefbd80407e2e08dec77ccd387ce8d8e01c2ab0e148ca19a822eb
                                                              • Opcode Fuzzy Hash: e49caf0883015b5768dae494c7796e15f7b29098781cd862540f66954c426698
                                                              • Instruction Fuzzy Hash: 761144B1C0065A9BDB10DF9AC844BEEFBF4EB48320F10852AD918A7340D378A905CFE5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C3295), ref: 069C331F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: 1a382f45763c5eed2e9da0c061201680db343d67001abe269e59c4d2b90047f9
                                                              • Instruction ID: ca84acd886b8e411182bf631a3da52a94025eeab4b2f0ea8902b892a85011f8e
                                                              • Opcode Fuzzy Hash: 1a382f45763c5eed2e9da0c061201680db343d67001abe269e59c4d2b90047f9
                                                              • Instruction Fuzzy Hash: 6C1132B5D002498FDB20DF9AD844BDEFBF8EB48324F20841AD968A3640C735A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,069CC829,00000800), ref: 069CC8BA
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 5fb493faef57cb73e9a74d6994d3c46b45a0b548af0ada249541c3eb907afc8d
                                                              • Instruction ID: d9dd3cbce0655e348e142e557ccaf826c3189171a741168d3dc0c07fbe7980d3
                                                              • Opcode Fuzzy Hash: 5fb493faef57cb73e9a74d6994d3c46b45a0b548af0ada249541c3eb907afc8d
                                                              • Instruction Fuzzy Hash: 5D1103B6C0034A8FDB20CF9AC944B9EFBF5AB48320F14842ED959A7640C375A546CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069EF33A), ref: 069EF427
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461794968.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69e0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: c53220c126ca8df41982e9d4dddd49a5e5f9eabcb451adc77fbe5eec7dc9426d
                                                              • Instruction ID: f495a216cea5b0c41dbd1fc05e4e2f2228c1b584fd35925d14e10ea7cafdb931
                                                              • Opcode Fuzzy Hash: c53220c126ca8df41982e9d4dddd49a5e5f9eabcb451adc77fbe5eec7dc9426d
                                                              • Instruction Fuzzy Hash: 861147B1C0025A8FDB10CFAAD544BDEFBF4EF48310F15856AD458A7240D3389905CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0106F376
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2455171343.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1060000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 385ba23333c6ed84b855eaf00c4c0ec19125dab7e723e68146328edaf102e506
                                                              • Instruction ID: 31fedb14b3402bd13b73ebcb52e6548c27c5813b7dcef17ba291921ad50ed57e
                                                              • Opcode Fuzzy Hash: 385ba23333c6ed84b855eaf00c4c0ec19125dab7e723e68146328edaf102e506
                                                              • Instruction Fuzzy Hash: 361104B5C002498FDB20DF9AD444ADEFFF4EF88310F14855AD4A9A7610C375A546CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0106F376
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2455171343.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1060000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 6ee9db5177790215063e452b840834a8978092f94e346433993fb2ceb6534b3a
                                                              • Instruction ID: 058aef309f7397f868aaf862ebaf6049b232bb1201ab3c184c66e85b86fd7dbb
                                                              • Opcode Fuzzy Hash: 6ee9db5177790215063e452b840834a8978092f94e346433993fb2ceb6534b3a
                                                              • Instruction Fuzzy Hash: DA1134B5C003498FDB10DF9AD444B9EFBF8EB48310F10846AD568B7210C375A505CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 069C3BDD
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              • Opcode ID: 398c51ce1ebd395694c5481da5b11f48aaa991f62c07762b86af7fdfb78514ea
                                                              • Instruction ID: 86774e13367400b14ef4467e6cc15ea44738014771b87ff283e2d43b8b79b9a7
                                                              • Opcode Fuzzy Hash: 398c51ce1ebd395694c5481da5b11f48aaa991f62c07762b86af7fdfb78514ea
                                                              • Instruction Fuzzy Hash: C81133B5C003498FDB20DF9AC845BDEFBF8EB48320F208819D598A7200C378A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 069C3BDD
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              • Opcode ID: 971589fbc126034deb91ce2873b86d6e34f8c7e37b00d3257bc8463162c8d1f5
                                                              • Instruction ID: cde2713bd836d98d55c9c5b2267c16c635e8777686305a5863d6438ce11e22e5
                                                              • Opcode Fuzzy Hash: 971589fbc126034deb91ce2873b86d6e34f8c7e37b00d3257bc8463162c8d1f5
                                                              • Instruction Fuzzy Hash: 391145B5C007498FDB20DF9AD445B9EFBF4EB48320F208419D519A3300C378A940CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C3295), ref: 069C331F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: ed9a09c68ee5e7681b0dcbba230752ad42945db30c4dff0d83fa76b11e7b6c3b
                                                              • Instruction ID: 6fbeee42810cc79ddc0641bf31d296cffd22471a0b3d9015b47f2d16de132334
                                                              • Opcode Fuzzy Hash: ed9a09c68ee5e7681b0dcbba230752ad42945db30c4dff0d83fa76b11e7b6c3b
                                                              • Instruction Fuzzy Hash: 541110B08003498FDB20DF9AD845BDEBBF4EB48320F208419D519A3240C775A944CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C3295), ref: 069C331F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2461740832.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_69c0000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: 935e977fbf126b2aadd60c0eef8620f92ed4cc37ec073bff5ef72fb95f92cc16
                                                              • Instruction ID: 162f8a02e00c1f488ba53aa992d03ff507584e35bbdee9ce615337cbfcfc4ae4
                                                              • Opcode Fuzzy Hash: 935e977fbf126b2aadd60c0eef8620f92ed4cc37ec073bff5ef72fb95f92cc16
                                                              • Instruction Fuzzy Hash: 31F0F6B2C043818EDB618B95D8053DDBFF0DB45325F54C48EC15997651D3395109CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454639796.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_101d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 35d028dbde4e3b48e49127c3554edeb3edddddad7ae75eff895d47c304687f94
                                                              • Instruction ID: 90587bc543beadecfc15ab777da4e030399640a2153736132ba463b862bb6072
                                                              • Opcode Fuzzy Hash: 35d028dbde4e3b48e49127c3554edeb3edddddad7ae75eff895d47c304687f94
                                                              • Instruction Fuzzy Hash: 3D2128715042049FDB16DF64D9C8B16BBA1FB84314F20C6ADE9890F246C73AD847CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454639796.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_101d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e49907fe4b1c636ce20b5d9c29e23902032e9b415e2bb3dc8ef5655382881df
                                                              • Instruction ID: 888ea5b24bdb23aac2f253be8f5def69b5af3f461655c11a6dcacb6329a0d532
                                                              • Opcode Fuzzy Hash: 4e49907fe4b1c636ce20b5d9c29e23902032e9b415e2bb3dc8ef5655382881df
                                                              • Instruction Fuzzy Hash: 9D214671604244DFDB11DF94D8C8B6ABBA5FB94334F20C6ADD8890B24AC37ED406CB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454639796.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_101d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d24959587a2ceb7f85e13bc655948e0accd0d22931d7e57728d7ae7e42987b3d
                                                              • Instruction ID: 745e1d88ccaf758b876a2087035068bb215d54a141d9de3a0286018557b57696
                                                              • Opcode Fuzzy Hash: d24959587a2ceb7f85e13bc655948e0accd0d22931d7e57728d7ae7e42987b3d
                                                              • Instruction Fuzzy Hash: C4213775644300DFDB05DF54D5C8B56BBA1FB84314F20C5ADD8890F28AC73AE446CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454639796.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_101d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
                                                              • Instruction ID: c251d3fbfa2c8f11467a39f5c714311c22924a894352450104cf3630f9bd9e72
                                                              • Opcode Fuzzy Hash: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
                                                              • Instruction Fuzzy Hash: 7311B275504284CFDB12CF54D5C4B55FFA2FB84324F24C6AAD8894B656C33AD406CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454639796.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_101d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: ad656ae1c57a09ab81fd75263a02a80d62a230ab7a5c925bba567cbe9380e415
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: 6C11D075544240CFCB06CF54D5C4B55BFA2FB44314F24C6ADD8894B256C33AE40ACF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454639796.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_101d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: cda24cf085172f2e9ec35266101a9c80975c5cad08de89907aa7704580f15144
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: ED11D075504244DFCB16CF54C5C4B15BFA2FB44314F24C6ADE8894B256C33AD44ACF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454547398.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_100d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e2f8cc7b2f74c00fabfc84971cd387503080bef3a8f4f7cd5da466701151385
                                                              • Instruction ID: 247b183242bc5931ae3c0ab0e37c9b9355e4e36f037fc9993c47abd25c78f2b4
                                                              • Opcode Fuzzy Hash: 9e2f8cc7b2f74c00fabfc84971cd387503080bef3a8f4f7cd5da466701151385
                                                              • Instruction Fuzzy Hash: A501F731004344AAF7624A99DC84B2ABFD8DF45225F04C46AED880A2C2C2789841CBB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2454547398.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_100d000_DHL_VTER000105453.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a2bf9dc2ecec26534af67a7484bc65b068f321023672aa98b17ba98101dfc5ca
                                                              • Instruction ID: 885161841703b613bdd3c40e394d17aa7b026708719a7038bd6447b0648157e0
                                                              • Opcode Fuzzy Hash: a2bf9dc2ecec26534af67a7484bc65b068f321023672aa98b17ba98101dfc5ca
                                                              • Instruction Fuzzy Hash: 38F06271404344AEFB518E5ADC84B66FFD8EB45734F18C59AED884A2C7C2799844CBB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%